Stanford
Stanford Sites User Guide

Embeddable Content Policy

Adding features to your website using 3rd party or custom javascript or iFrame content can be an appealing way to integrate with a 3rd party service.

However, this can introduce risk to:

  • Site security. If you are unsure if your 3rd party source should be trusted, you can request an ISO Consultation.

  • Site stability. 3rd party services can choose to change what is injected onto your site, go offline, or introduce other features that might cause the page on your site to not load or appear in unexpected ways.

  • Accessibility and usability. Many 3rd party platforms have not been evaluated for accessibility and may not meet Stanford’s minimum standards. If you are unsure about the accessibility of the service, please contact SODA.

  • Performance of a site. Loading assets and scripts from external sources can increase page load time.

  • Maintainability. Inclusion of 3rd party code can increase the support burden on your site.

This policy covers any component or feature that can be made available through a content management system that allows for:

  • Addition of raw 3rd party javascript or custom javascript

  • Raw HTML (i.e. allows for HTML that does not get stripped or sanitized by the CMS or during a build process.)

  • Addition of iFrame content from a 3rd party or external Stanford source

  • Inline CSS

  • Deployment of a Google Tag Manager container

Sites maintained by Stanford Web Services typically provide support for a number of common 3rd party scripts and embeddable content from trusted sources, for example, YouTube, Vimeo and Google Analytics. This policy does not include these common use cases.

Site managers and editors wishing to add an HTML or javascript snippet can elect to have their code vetted by SWS and added to the site or can request special access to add these materials themselves.

For Stanford Sites, trusted sources and the process for requesting special embeddable media in your media library can be found here: Adding Embeddable Media.

The ability for a site manager or editor to add javascript and/or raw HTML (such as iFrames) from other sources onto a production site requires special access on sites maintained by Stanford Web Services. Access to components of this kind are not granted as part of other site roles (site editor, site manager, etc.) SWS will provide access to a component or feature on a case-by-case basis.

Requirements for receiving access

The person being granted access must be a site manager, or a site editor approved by a site manager or site owner

The person being granted access must have demonstrated technical skill, which includes the ability recognize well-formed HTML, Javascript, and CSS.

To receive access, please contact the project manager for your custom site or support contract, or file a ServiceNow ticket.

Important Note: Stanford does not support single sign-on (SSO) through an iFrame. This is University-wide policy meant to limit cross-site scripting and cross-site request forgery vulnerabilities. To provide website users with a path to content that is protected by Stanford SSO, the best practice is to get users to the desired content by linking directly to the secured page.