Zum Inhalt

Block Iframes

Use this feature to prevent external resources embedded in an iframe-container from loading. This prevents unwanted cookies from being set automatically. The user can consent to the content loading via the dialog that is displayed instead.

clipboard_2026-04-10_15-32.png

Enable Iframe-Blocking

Use the toggle to enable or disable iframe blocking.

If this checkbox is selected, CCM19 will remember for which iframes from which pages consent has already been granted. For example, once a YouTube-video has been confirmed via consent, all subsequent YouTube-videos will be displayed without requiring further consent, since the user has already consented to the use of this external source.

It is currently impossible to say whether this is GDPR---compliant; we currently view it positively, but the decision is, of course, up to you.

Display Iframe-Thumbnails

When enabled, thumbnails are displayed in the iframe. (Currently supported only for Facebook Video, OpenStreetMap, PeerTube, SlideShare, Stream 24, Vimeo, and YouTube)

If this option is enabled, all other iframes of this type (e.g., YouTube or Google Maps) on the page will be enabled and loaded. This means the user only needs to give consent once.

Add a toggle to iframes to enable or dis- e external content

This option places a toggle next to iframes that loads or blocks the content. For example, if you apply this option to an absolutely positioned iframe (i.e., the element is outside the normal flow of the page layout), you may need to adjust the button’s positioning using custom CSS.

Settings for Iframe-Blocking

Control Iframe-Blocking

Using the filters you set here, you can control which iframes are blocked. For example, you can specify that all iframes except those from YouTube should be blocked. There are basically two options:

Allowlist “-” Mode

If you select this option, all iframes that do not match an expression in the filter list will be blocked. If, for example, you enter “YouTube” there, only the YouTube iframe will not be blocked, but all others will be (however, we do not recommend this approach specifically for YouTube!).

Blocklist-Mode

In this option, no iframes are blocked unless they are listed here. If you enter “YouTube” there, only YouTube iframes will be blocked, but not all others. This method is particularly recommended if, for example, you use iframes in the checkout process of your online store to display website functions. In some shop-systems, for instance, the payment method selection takes place within an iframe.

Filter

To block or unblock an iframe, simply enter a short string from the URL. For example, “YouTube” for all YouTube-iframes. If in doubt, test it briefly. Enter one entry per line.

Thumbnails

When embedding videos from major video portals like YouTube or Vimeo, screenshots of the videos are displayed as thumbnails on the page so it’s easier to see exactly what’s happening in the video. The screenshot provided by the portal is used for this.

The images are cached on the page so they don’t have to be reloaded every time the page is viewed. The cache expires after 8 days. If you want to clear the cache sooner, simply click the “-” button to clear the cache.

Linking to Embeddings

To ensure that iframes can also be enabled directly via the "-" banner, you must enter an appropriate expression in the "Block iframes containing the following text" field under "Embeddings & Cookies" for the respective embedding.

iframe-embedding.png

If, for example, consent is given for the “YouTube” integration via the CCM19-banner, all YouTube-videos on the page would already be enabled. If the visitor declines, the blocking overlay is displayed above each video, through which the iframe can be enabled retroactively.

Preventing Premature Loading of Resources

Alternatively, you can mark up iframes with the attributes data-ccm-loader-src and data-ccm-loader-group from the Script-Loader—the src-attribute is replaced in this process. This prevents resources from being loaded prematurely. Use the same group name that you defined in the "Group for the Script-Loader" field of an integration to bind iframes to that integration.

As an example, we want to block the following iframe:

<iframe src="https://some.domain/widget.html"></iframe>

First, we replace the src attribute with data-ccm-loader-src:

<iframe data-ccm-loader-src="https://some.domain/widget.html"></iframe>

Optionally, you can link the iframe to an integration by specifying the script-, loader-, and group defined in the integration:

<iframe data-ccm-loader-src="https://some.domain/widget.html"
        data-ccm-loader-group="example-group"></iframe>

Note on UnsafeAllow3F for self-hosted CCM19 on Apache-servers

If iframes with parameters are embedded on the website, the CCM19 blocking dialogs contain a question mark encoded as %3F. On Apache-servers, this may prevent the blocked iframes from being displayed, resulting in only the "Permission Denied" error message appearing.\ We have the following rule for rewriting URLs in the public/.htaccess file:

RewriteRule ^(.*)$ index.php?_path=$1 [L,QSA]

To resolve the issue, this rule would need to be modified as follows:

RewriteRule ^(.*)$ index.php?_path=$1 [L,QSA,UnsafeAllow3F]