In certain cases, you may want to IFRAME-embed your Webflow-hosted site inside of another site.
In general, you can IFRAME-embed your Webflow site in another website, once it’s on a paid plan and published to a custom domain name. However;
All of this is governed by Webflow's servers by specifying the Content Security Policy (CSP) in each of these cases.
Modern browsers determine whether certain actions like IFRAME-embedding are safe and appropriate by checking the Content Security Policy (CSP) that is presented by the hosting server.
CSP stands for Content Security Policy. It's a security feature that helps prevent a variety of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP works by specifying rules for the types of content that are allowed to be loaded and executed on a webpage.
These rules are defined by the server and sent to the client in the HTTP response headers. The client's web browser then enforces these rules.
Here's an example of what that header looks like;
Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com
When your site is Webflow-hosted, Webflow controls this and changes it depending on your site's situation.
So far I've seen these variations;
When the site is in a "protected" state, Webflow issues a CSP header that restricts where the site can be hosted, like this;
content-security-policy: frame-ancestors 'self' https://*.webflow.com http://*.webflow.com http://*.webflow.io http://webflow.com https://webflow.com
When the site is "unprotected", that header does not exist.
https://discourse.webflow.com/t/can-i-have-a-webflow-page-in-a-generated-iframe/215443/6