💡 Introw tip: A blank embed is almost never an Introw problem — it's the embedded site telling the browser "don't display me inside another site." The fix lives on that site's server, and you (or its owner) can make it in a few minutes.
What's happening
When you add an Embed link section and paste a URL, Introw loads that page inside the partner portal in an <iframe>. Most content works out of the box — Google docs, Loom, Calendly, Notion, and similar providers all allow this.
Some websites, though, tell the browser they refuse to be displayed inside any other site. When that happens the browser blocks the page and Introw shows an empty section. Introw is doing its job; the browser is enforcing the rule the embedded site set.
You can confirm this is the cause. Open the portal in Chrome, right-click the blank section, choose Inspect, and look at the Console tab. You'll see a message like:
Refused to display 'https://yoursite.com/' in a frame because it set 'X-Frame-Options' to 'deny'.Refused to display '…' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors …".
Either message means the website is blocking the frame.
Why the website blocks it
Websites control framing with two HTTP response headers:
X-Frame-Options— an older header.DENYblocks all framing;SAMEORIGINallows framing only by pages on the same domain. It can't allow-list another site like Introw.Content-Security-Policy: frame-ancestors— the modern replacement. It lists exactly which domains are allowed to frame the page, and browsers give it priority overX-Frame-Options.
Sites often turn these on for security (to prevent clickjacking) without realizing it also blocks intentional embeds like the partner portal.
How to fix it
The change is made on the embedded website's server, not in Introw — so this is for the person who manages that site (often your web or IT team, or the tool's support if it's a third-party product).
They need to allow the domain your portal is served on. Check that domain in your browser's address bar while viewing the portal — it's your custom domain if you've set one up, otherwise your Introw portal address.
The recommended fix is to set a frame-ancestors directive that includes Introw:
Content-Security-Policy: frame-ancestors 'self' https://app.introw.io https://your-portal-domain.com;
Replace https://your-portal-domain.com with your actual portal domain, and keep 'self' so the site still works normally on its own.
If the site also sends X-Frame-Options: DENY or SAMEORIGIN, that header must be removed or updated too — modern browsers honor frame-ancestors, but a leftover X-Frame-Options: DENY can still block the frame in some cases. X-Frame-Options has no reliable way to allow a specific external domain, which is why frame-ancestors is the right tool.
Once the header change is live, refresh the portal and the embed will render.
When you can't change the headers
If the website is a third-party tool you don't control and its owner won't allow framing, that page can't be embedded — the browser will always block it. In that case:
Link out to it from a portal section instead of embedding it, or
Embed an equivalent that does support framing (for example, a published Notion page, a Google Doc, or a hosted PDF).
