Zum Inhalt

Block Iframes

Use this feature to prevent external resources embedded in an iframe-container from loading. This prevents unwanted cookies from being set automatically. The user can consent to the content loading via the dialog that appears instead.

clipboard_2026-04-10_15-32.png

Enable Iframe-Blocking

Use the toggle to enable or disable iframe blocking.

If this checkbox is selected, CCM19 remembers for which iframes from which page consent has already been given. For example, once a YouTube-video has been confirmed via consent, all subsequent YouTube-videos will be displayed without further consent, since the user has already agreed to the use of this external source.

It is currently impossible to say whether this is GDPR-compliant-; we currently assess it positively, but the decision is, of course, yours.

Display Iframe-Thumbnail

When enabled, thumbnails are displayed in the iframe. (Currently supported only for Facebook Video, OpenStreetMap, PeerTube, SlideShare, Stream 24, Vimeo, and YouTube)

If this option is enabled, all other iframes of this type (e.g., YouTube or Google Maps) on the page will be enabled and loaded. The user therefore only needs to consent once.

Add a toggle to iframes to enable and dis- e content

This option places a toggle next to iframes that loads or blocks the content. For example, if you apply this option to an absolutely positioned iframe (i.e., the element is outside the regular flow of the page layout), you may need to adjust the switch’s positioning using custom CSS.

Settings for Iframe-Blocking

Control Iframe-Blocking

Using the filters you set here, you can control which iframes are blocked. For example, you can specify that all iframes except those from YouTube should be blocked. There are basically two options:

Allowlist/-e Mode

If you select this option, all iframes that do not match an expression in the filter list will be blocked. If you enter YouTube there, for example, only the YouTube iframe will not be blocked, but all others will be (however, we do not recommend this approach specifically for YouTube!).

Blocklist-Mode

In this option, no iframes are blocked unless they are listed here. If you enter YouTube there, only YouTube iframes will be blocked, but not all others. This method is particularly recommended if, for example, you use iframes in the checkout of your online store to display website functions. In some shop-systems, for instance, the selection of payment methods takes place within an iframe.

Filter

To block or unblock an iframe, simply enter a short string from the URL. For example, enter "YouTube" to block all YouTube-iframes. If in doubt, test it briefly. Enter one entry per line.

Thumbnails

When embedding videos from major video portals like YouTube or Vimeo, screenshots of the videos are displayed as placeholder images on the page so that it’s easier to see exactly what’s happening in the video. The screenshot provided by the portal is used for this.

The images are cached on the page so they don’t have to be reloaded every time the page is viewed. The cache expires after 8 days. If you want to clear the cache sooner, simply click the “-r Clear Cache” button.

Linking to Embedments

To ensure that iframes can also be enabled directly via the "-" cookie banner, you must enter a corresponding expression in the "Block iframes containing the following text" field under "Embedments & Cookies" for the respective embedment.

iframe-embedding.png

If, for example, consent is given for the "YouTube" integration via the CCM19-banner, all YouTube-videos on the page would already be enabled. If the visitor declines, the blocking overlay is displayed above each video, through which the iframe can be enabled subsequently.

Preventing premature loading of resources

Alternatively, you can mark up iframes with the attributes data-ccm-loader-src and data-ccm-loader-group of the Script-Loader—the src-attribute is replaced in this process. This prevents resources from being loaded prematurely. Use the same group name that you defined in the "Group for the Script-Loader" field of an integration to bind iframes to that integration.

As an example, we want to block the following iframe:

<iframe src="https://some.domain/widget.html"></iframe>

First, we replace the src attribute with data-ccm-loader-src:

<iframe data-ccm-loader-src="https://some.domain/widget.html"></iframe>```

Optionally, you can link the iframe to an integration by specifying the script-and loader-group defined in the integration:

```html
<iframe data-ccm-loader-src="https://some.domain/widget.html"
        data-ccm-loader-group="example-group"></iframe>

Note on UnsafeAllow3F for self-hosted CCM19 on Apache-servers

If iframes with parameters are embedded on the website, the blocking dialogs in CCM19 contain a question mark encoded as %3F. On Apache-servers, this may prevent the blocked iframes from being displayed, resulting only in the "Permission Denied" error message.\ We have the following rule for rewriting URLs in public/.htaccess:

RewriteRule ^(.*)$ index.php?_path=$1 [L,QSA]

To resolve the issue, this rule would need to be modified as follows:

RewriteRule ^(.*)$ index.php?_path=$1 [L,QSA,UnsafeAllow3F]