This article is also available in:
It is possible to add any chosen URL to your Course as an iframe element. Check out this article to see how that can be done. Is your embedded Course element not working? Browsers are implementing stricter rules, which might cause your embedded URL not to work. This article will explain why browsers have strict rules and what you can do to get around them.

Check the browser's error message

First, let's see whether this article applies to your problem by checking the errors that the browser is throwing to learn more about what is going wrong.

Go to your Course and select Preview. Press Start and take the Course as though you are a participant (this might require you to log in with an email and password). When you get to the Course slide with the embedded URL, press Ctrl + Shift + J (or Cmd + Option + J for Macs). The browser will open a console window where it gives error messages in red. If you see the following error, this article applies to you:

Access to [item] at '[url]' from origin 'null' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

What does this error mean?

Modern browsers will try to protect you from cyber attacks. For this reason, it is not possible to run a script on someone else's website uncontrolled. As you might agree, this is a good thing. Their standards are getting stricter with every update. When your browser updates, it can implement more stringent rules, which prevents your embedded URL from running. It is also why you might suddenly encounter this error after it had been working. Although it is annoying when these errors suddenly show up and your embed code stops working, it is important to remember that it protects us from being hacked.

If you want to know more about the CORS policy and how this works, please read the official Cross-Origin Resource Sharing (CORS) documentation by Mozilla.

How can I fix my embedded URL?

We allow you to embed websites in a Course. The website that you embed on your Course also has to give Easy LMS permission to be embedded. The browser security works in both directions. There are a couple ways to get around this issue, which we will detail below.

These solutions are quite technical so we advise you to forward this document to your technical team.

One way is to add the Access-Control-Allow-Origin header to the embedded website. This header indicates whether the embedded site can be shared with the site requesting code from the given origin, which is Easy LMS in this circumstance. To learn how to change the header, please read the official Access-Control-Allow-Origin documentation by Mozilla.

You could also say that the website is safe to be embedded somewhere else in an iframe (any website, or one in specific). You can do this by setting an ALLOW-FROM directive in the X-Frame-Options. To learn how to add this setting, please read the official X-Frame-Options documentation by Mozilla.

Browsers are experimenting with these standards daily and are adding new functionality with every update. We can't guarantee the solutions mentioned above are future-proof.

I've added the correct headers, but I still see errors and the CORS policy blocking my embedded content. How do I fix them?

If you are still getting errors at this point, you might need to consider if the scripts you want to execute from your embedded URL are safe from a security standpoint. If your website is setting cookies with Javascript, for instance, your browser will block it. Setting cookies in a browser from another domain is not considered secure. This is not a problem that anyone can easily fix, since browsers don't allow for this behavior anymore.

The website I'm trying to embed is not mine. What do I do now?

Suppose your embed URL is from a third-party website and is throwing these errors. In that case, you could request that website to set the Access-Control-Allow-Origin or the X-frame-Options, as mentioned above. Unfortunately, this is the only thing you can do at this point.
Was this article helpful?
Thank you!