Hey, I learned something new. Very interesting.
YES you will be able to IFRAME-embed your Webflow site in another website, once it’s on a paid plan and published to a custom domain name. However you cannot IFRAME embed content from the *.webflow.io staging domain to another domain.
To test this, try embedding these two sites into your playcode.io page;
- https://www.sygnal.com - should work fine
- https://sygnal.webflow.io - will probably be blocked
Both of these are the same site. The first one is the live site on a custom domain, and the second is the staging site on webflow.io.
This happens because web requests made to *.webflow.io return an HTTP header that specifies a content-security-policy restricting where that content can be IFRAME-hosted.
Specifically, it looks like this;
content-security-policy: frame-ancestors 'self' https://*.webflow.com http://*.webflow.com http://*.webflow.io http://webflow.com https://webflow.com
Webflow sites published to custom domains do not have that policy header.
Here’s a codepen demonstrating it as well.