Cloudflare blocks iframe javascript event


In our code we have an iFrame with the following settings:

The iFrame is set on a page in a subdomain and gets a JavaScript event from the page.

This all works fine with no DNS proxy, but when DNS proxy is enabled, no events pass through.
One more input is that the iFrame page uses PHP and calls for data from a different domain external to

Any suggestions on how to fix this?

Thanks, Ziv

The iframe code is:

id="changeCredit" class="report_results" scrolling="no" style="display:none;"
<iframe id="creditIframe" sandbox="allow-same-origin allow-scripts allow-top-navigation" th:src="'' + ${storeKey}"></iframe>

May I ask what error you get in the Developer Console (F12) of your web browser?

Or maybe some Cloudflare error inside the iFrame (like Error 1020 or some 5xx errors, as the events don’t pass …)?

Hm, without knowing the behaviour of how the iFrame is being created and manipulated, if Cloudflare does it, you could try to:

  1. Disable the Auto Minify - JavaScript option
  2. Disable the Rocket Loader option
  3. Disable the Page Shield option
  4. Check SSL settings, if related?

Otherwise, does your origin host/server for that URL return some of the security HTTP headers, like:

  • Content-Security-Policy (CSP)
  • CORS
  • X-Frame-Options

Nevertheless, it is known to happen that they don’t even come from the origin host/server; rather, some app frameworks are producing them.

Maybe that external domain is using some HTTP headers which don’t allow its content to be used in an iFrame.

You could try a simple Worker script to fetch the content from it, if possible, then display it, but not as an iFrame on your website … just an idea, haven’t tried to combine this.
Furthermore, there were some ideas to “misuse” the Worker for/and iFrame … which I’d rather not try at all cost due to possible violation of the ToS, if so.

Apart from the iFrame HTML tag and its attributes, it might be that you are using some of them which might be in some kind of conflict with the “window”?
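
The header check suggested in the reply above, as an added example that is not part of the original thread: it evaluates a response's `Content-Security-Policy` `frame-ancestors` directive and `X-Frame-Options` header against one parent origin. The names `framingVerdict` and `matchesSource`, the origins and the header values are all constructed for illustration.

```javascript
// Simplified check: does a response's framing policy allow one parent origin?
// Only the immediate parent is tested; browsers check every ancestor frame.
function matchesSource(source, parent, self) {
  if (source === "*") return true;
  if (source === "'self'") return parent.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {        // scheme-source, e.g. https:
    return parent.protocol === source.toLowerCase();
  }
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== parent.protocol) return false;
  // Simplification: a source without a port only matches the default port.
  if (port !== "*" && (port || "") !== parent.port) return false;
  const name = parent.hostname.toLowerCase(), want = host.toLowerCase();
  // "*.example.com" matches subdomains only, not example.com itself.
  return wildcard ? name.endsWith("." + want) : name === want;
}

function framingVerdict(headers, parentOrigin, frameUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const parent = new URL(parentOrigin), self = new URL(frameUrl);

  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const directive = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1);
    const allowed = !sources.includes("'none'") &&
      sources.some(s => matchesSource(s, parent, self));
    return { allowed, reason: "CSP frame-ancestors " + sources.join(" ") };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: parent.origin === self.origin, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  return { allowed: true, reason: "no framing restriction in headers" };
}

// Constructed sample: parent page on a subdomain, framed page on the apex domain.
console.log(framingVerdict({ "X-Frame-Options": "SAMEORIGIN" },
  "https://app.example.com", "https://example.com/credit"));
```
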


Thank you for your help. Disabling Rocket Loader did solve the problem.
Can you explain why optimizing JavaScript can cause such behavior?

Thanks again,
