User security is paramount. By default, Zapier denies any embedding of our product unless you provide us with a list of domains that you expect to embed Zapier in.

This protects the user from malicious activities like clickjacking.

If you were to attempt to embed Zapier and the embedding domain was not registered, we would present an error.

The App Directory and Zap Template Elements are exempt from this as users are required to log in to their Zapier account after clicking on a Zap Template link.

Provide a list of domains

If you've already embedded our product, your product domains will already have been captured and permitted.

  • To add domains, navigate to the Embed tab of your integration's Platform UI, and add the missing domains under the Full Zapier Experience tab within the Manage Domains section.

Adding Domains within the Zapier Developer Platform.

These specific domains are then permitted to embed Zapier. The domains you provide should be registered to your company with a public registrar. That is to say, a domain such as randomcnamedomain.com is not valid, because any user or bad actor could register that domain themselves.

Troubleshooting

  • localhost, yourcomp.local and 127.0.0.1 are not valid supported domains. An option during your embed development would be to use a tunnel service like ngrok and to register that ngrok tunnel with us. Be advised that we will ask for a static domain from ngrok.com or a similar tunneling service.

  • If the domain you're embedding on is added to the allowlist within Manage Domains, but you're seeing the This embed is blocked error, the CSP may be too restrictive/overly strict. You'll want to check Console/Network for the appropriate request to see the referrer-policy header. Using strict-origin-when-cross-origin as the referrer-policy is recommended.

  • For local development, use ngrok to make https test URLs when needed, as using http would be blocked, even if the domain has been added to the allowlist.
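As an added illustration (not Zapier's code, and not a description of how Zapier's service is implemented), the following JavaScript models the two halves of the check described above: what a browser places in the Referer header under different referrer-policy values, and how a server-side embed-domain allowlist turns that header into an allow-or-block decision. The allowlist entries, hostnames and the use of a frame-ancestors CSP on the allowed response are assumptions made for this example.

```javascript
// Added illustration (not Zapier's own code) of how an embed-domain
// allowlist decides whether a host page may frame the product, and why
// the host page's referrer-policy matters for that decision.

// Constructed allowlist, standing in for what a vendor stores after the
// "Manage Domains" step: bare hostnames, matched exactly.
const ALLOWED_EMBED_DOMAINS = new Set([
  "app.example-partner.com",
  "partner-static-tunnel.ngrok.app", // a static tunnel hostname, as the page suggests
]);

// Hosts that only resolve on a developer's machine; never acceptable.
function isLocalOnlyHost(host) {
  return (
    host === "localhost" ||
    host === "127.0.0.1" ||
    host === "[::1]" ||
    host.endsWith(".local")
  );
}

// Models the Referer header a browser attaches when the host page at
// `pageUrl` loads the (https) embed in a cross-origin iframe, for the
// referrer-policy values that matter here. Because the embed itself is
// served over https, no downgrade occurs, so the "strict-*" policies
// still send the origin even from an http page.
function referrerSentByBrowser(pageUrl, referrerPolicy) {
  const page = new URL(pageUrl);
  switch (referrerPolicy) {
    case "no-referrer":
    case "same-origin": // cross-origin request: nothing is sent
      return "";
    case "origin":
    case "strict-origin":
    case "origin-when-cross-origin":
    case "strict-origin-when-cross-origin":
      return page.origin + "/"; // origin only, which is all the allowlist needs
    case "no-referrer-when-downgrade":
    case "unsafe-url":
      return page.href; // full URL, which also leaks path and query
    default:
      throw new Error("unknown referrer-policy: " + referrerPolicy);
  }
}

// Server-side decision. Returns the status, a reason, and, when the
// embed is allowed, a CSP that lets only that one origin frame it
// (assumption: frame-ancestors is the mechanism the server uses).
function decideEmbed(referer, allowlist = ALLOWED_EMBED_DOMAINS) {
  const block = (reason) => ({
    allowed: false,
    status: 403,
    reason,
    body: "This embed is blocked",
  });

  if (!referer) return block("missing-referrer");
  let ref;
  try {
    ref = new URL(referer);
  } catch {
    return block("unparseable-referrer");
  }
  if (ref.protocol !== "https:") return block("insecure-scheme");
  const host = ref.hostname.toLowerCase();
  if (isLocalOnlyHost(host)) return block("local-host");
  if (!allowlist.has(host)) return block("not-allowlisted");

  return {
    allowed: true,
    status: 200,
    reason: "allowlisted",
    headers: { "Content-Security-Policy": `frame-ancestors ${ref.origin}` },
  };
}

// Walk through the situations the troubleshooting bullets describe.
function demo() {
  const cases = [
    ["https://app.example-partner.com/dashboard", "strict-origin-when-cross-origin"],
    ["https://app.example-partner.com/dashboard", "no-referrer"],
    ["http://app.example-partner.com/dashboard", "strict-origin-when-cross-origin"],
    ["https://localhost:3000/", "strict-origin-when-cross-origin"],
    ["https://randomcnamedomain.com/", "strict-origin-when-cross-origin"],
  ];
  return cases.map(([url, policy]) => {
    const verdict = decideEmbed(referrerSentByBrowser(url, policy));
    return { url, policy, status: verdict.status, reason: verdict.reason };
  });
}

for (const row of demo()) console.log(row);
```

The second case is the one the troubleshooting bullet about CSP points at: the host domain is on the allowlist, but a host page served with `no-referrer` gives the server nothing to compare against, so the embed is blocked anyway. `strict-origin-when-cross-origin` sends just the origin, which is enough for the allowlist check without exposing the host page's path or query string.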