Embedded Frame Detected
iframes embed content that Google typically does not associate with the parent page, are harder to make accessible, and can be slower to render.
Why it matters
iframes embed content that Google typically does not associate with the parent page, are harder to make accessible, and can be slower to render.
Address when convenient — notices usually mark a polish opportunity rather than a defect. Estimated SEO impact: low — small marginal improvement, but cheap to fix.
How to fix
- Prefer server-side inclusion or a component over an iframe
- If iframe is necessary, add a descriptive title attribute
- Use sandbox and
loading="lazy"for performance + security
Common causes
If the rule is firing across many pages, the root cause is almost always one of these:
- Mixed-content sub-resources from before HTTPS migration that escaped the rewrite.
- CDN or upstream proxy strips a security header that was set at the origin.
- Legacy redirects send HTTPS traffic through HTTP first.
- Test/staging hostnames leak into production HTML via hard-coded URLs.
Anti-patterns to avoid
Even with the best intentions, these "fixes" make the issue worse — recognise them so you don't ship them:
- Mixed HTTP/HTTPS resources after migration.
- Self-signed or expired certificates on production.
- Long-lived secrets in client-rendered HTML or JS bundles.
How atlookup detects this
Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for embedded frame detected are flagged on the report.
If you'd like to see this rule fire on your own site, run a free 60-second audit — every page is reported with the exact lines that triggered it.
Tools to verify the fix
Once you've applied the fix, double-check with these external validators:
- SSL Labs — Grades certificate + protocol configuration.
- securityheaders.com — Audits response headers against best practice.
Frequently asked questions
Why does Embedded Frame Detected matter for SEO?
iframes embed content that Google typically does not associate with the parent page, are harder to make accessible, and can be slower to render.
How do I fix embedded frame detected?
Prefer server-side inclusion or a component over an iframe If iframe is necessary, add a descriptive title attribute Use sandbox and loading="lazy" for performance + security
Is this a critical SEO issue?
Address when convenient — notices usually mark a polish opportunity rather than a defect. Estimated SEO impact: low — small marginal improvement, but cheap to fix.
How does atlookup detect embedded frame detected?
Our crawler renders each page with a real headless browser, then inspects HTTPS state, response headers, mixed content, and certificate validity. Pages where the rule fires for embedded frame detected are flagged on the report.
How long does it take to fix?
5–15 minutes per page. Most teams batch similar issues across templates so the per-page time goes down at scale.
Related issues
FRAME_TAG_PRESENT
Deprecated frame/frameset Tag Present
<frame> and <frameset> are removed from HTML5 — not supported in modern browsers, bad for SEO, and catastrophic for accessibility.
FLASH_OBJECT_PRESENT
Flash Object on Page
Adobe Flash has been end-of-life since December 2020 — no browser runs it.
FORM_INSECURE_ACTION
Form Action Uses HTTP on HTTPS Page
A form that POSTs to an HTTP endpoint on an HTTPS page sends user data in the clear — a serious security and privacy failure.
MIXED_CONTENT_IFRAME
Mixed Content: HTTP iframe on HTTPS Page
HTTP iframes on HTTPS pages are blocked by modern browsers entirely — the embedded content simply does not render, breaking the user experience.