Live websites are displayed in a secure iframe environment and most display without issue.  If your live website proof does not load correctly, it's usually due to one of a few common issues.

Use HTTPS 

The Ziflow Proof Viewer is hosted over HTTPS. Websites served over HTTP must be loaded through a secure proxy, which can introduce limitations.

To ensure reliable loading:

• Host your website over HTTPS

• Avoid linking directly to non-secure resources

• Use relative paths instead of absolute URLs where possible

If your site must remain on HTTP, you can enable URL rewriting in Ziflow:

1. Log in as a Ziflow administrator.

2. Select your user avatar and choose Settings > Proofing Settings > Proof Viewer.

3. Go to Settings > Proofing settings > Proof Viewer > Live websites and rich media

4. Under Live websites and Rich Media, enable Live websites: URL rewriting

For advanced configurations, you can also adjust proxy behavior or configure allow lists. See Configure how Ziflow loads live websites.

Review iframe attributes

Live website proofs are rendered inside an iframe. Due to our security policy, Ziflow blocks live website or Rich Media proofs if they include iframes using any of the attributes listed below. 

Before creating a proof, remove the following attributes from any iframes in your content:

• allow-modals

• allow-orientation-lock

• allow-pointer-lock

• allow-popups

• allow-popups-to-escape-sandbox

• allow-presentation

• allow-same-origin

• allow-top-navigation

• allow-top-navigation-by-user-activation

Make scripts compatible with iframe rendering

If a live proof displays correctly on your website but fails to render properly inside the Proof Viewer, this may be caused by how the website code interacts with the iframe environment used by the Proof Viewer.

• The proof does not load or render as expected in the Proof Viewer.
• When checking the browser’s Developer Tools console, you may see an error such as:
  Uncaught SecurityError: Blocked a frame with origin "https://example.io" from accessing a cross-origin frame.
• The page works normally when accessed directly outside the Proof Viewer.
   

The Proof Viewer displays your website inside an iframe. Many websites include scripts that reference the parent frame (for example, by calling parent.document or window.parent).

• If the iframe and parent are on the same domain, this code works as expected.
• If the iframe and parent are on different domains (for example, ziflow.io displaying example.io), browsers block this cross-domain access due to the same-origin policy. 

When blocked, the script may throw an error (SecurityError, DOMException) or silently fail, which can prevent your site from working properly inside the Proof Viewer.

If you are not the developer of the website, please share this with the person responsible for maintaining the site so they can make the necessary adjustments.

Prepare your scripts by:

• Removing direct references to parent.document, window.parent, or top

• Avoiding assumptions about shared domains

• Wrapping unavoidable parent access in error handling

Example:

try {
  var parentUrl = window.parent.location.href;
  console.log("Parent URL:", parentUrl);
} catch (e) {
  console.warn("Unable to access parent frame:", e);
}

Test your site inside an iframe hosted on a different domain before uploading it to Ziflow.

Configure Google reCaptcha

If your website uses Google reCaptcha v3, you must allow Ziflow’s proxy domain to ensure protected pages load correctly.

To prepare reCaptcha:

1. Go to https://www.google.com/recaptcha/admin/create

2. Open the settings for your reCaptcha v3 API key

3. Add the following domain to the allowed domains list:
   proof-proxy.ziflow.net

Related articles

Configure how Ziflow loads live websites

Create a snapshot or live website proof review