Skip to main content Skip to secondary navigation

5. Embeddable Content

Main content start
Stanford Web Services
Last Updated
Effective Date

Adding features to your website using 3rd party or custom JavaScript or iFrame content can be an appealing way to integrate with an external service.

However, this practice introduces risks to:

  • Site security. If you are unsure if your 3rd party source should be trusted, you can request an ISO consultation.
  • Site stability. 3rd party services can choose to change what is injected into your site, go offline, or introduce other features that might cause a page on your site to fail to load or appear in unexpected ways.
  • Accessibility and usability. Many 3rd party platforms have not been evaluated for accessibility and may not meet Stanford’s online accessibility policy. If you are unsure about the accessibility of the service, please contact the Office of Digital Accessibility.
  • Site performance. Loading assets and scripts from external sources increases page load time.
  • Maintainability. Inclusion of 3rd party code can increase the support burden on your site.

This policy covers any component or feature that can be made available through a content management system that allows for:

  • Addition of raw 3rd party or custom JavaScript
  • Embedded HTML (i.e., allows for HTML that does not get stripped or sanitized by the CMS or during a build process)
  • Addition of iFrame content from an external source
  • Inline CSS
  • Deployment of a Google Tag Manager container

How to add and manage 3rd party embedded content

Sites maintained by Stanford Web Services (SWS) provide support for several common 3rd party scripts and embeddable content from trusted sources, including YouTube, Vimeo, and Google Analytics. This policy does not include these common use cases.

In cases where a site owner wishes to add a new trusted source, the process for requesting special embeddable media can be found in the following guide: Adding Embeddable Media.

Site managers and editors wishing to add an HTML or JavaScript snippet can elect to have their code vetted by SWS and added to the site. 

Alternatively, the ability for a site manager or editor to add JavaScript and/or HTML (such as iFrames) from other sources onto a production site requires special permissions and is not granted as part of other site roles (site editor, site manager, etc.) Upon request, SWS may provide access to a component or feature on a case-by-case basis.

Embedding secured content is different

Important note: Stanford does not support single sign-on (SSO) through an iFrame. This is a University-wide policy meant to limit cross-site scripting and cross-site request forgery vulnerabilities. To provide site visitors with a path to content protected by Stanford SSO, the best practice is to avoid iFrames and instead guide users to the desired content by linking directly to the secured page in its own browser window.

Responsibility for embedded resources

Site managers are responsible for the content embedded in their site, including its accessibility. 

For example, embedded media from YouTube is supported, and a site manager or editor must take the additional step of adding captions to the video to be compliant with Stanford's online accessibility policy.

Requirements for receiving access

Some sites managed by SWS have a role with permission to add embedded media. The person being granted access must be a site manager or a site editor approved by a site manager or site owner. The person being granted access must have demonstrated technical skill, which includes the ability to recognize well-formed HTML, JavaScript, and CSS.

To receive access, please contact your assigned SWS project manager or file a ServiceNow ticket.