User consents for third-party rich media

Iframely gives you an option to request user consent before exposing them to third-party rich media embeds. Though we do not see it as required for GDPR you might want it to be on the safe side or for its intrinsic privacy value.

If you activate the feature, all rich media will be wrapped into iFrame hosted on our domain or your own CDN. If the user previously provided consent, we’ll show rich media without delay. Otherwise, the consent form will wait for user input before loading third-party resources.

We do not set cookies in the process. We rely on users’ local storage and handle everything solely in their browser.

Set up your form

You can activate the consent form in your design settings or with the consent=1 API parameter. You may also change the design of the form in your settings.

Action buttons

Action buttons

The form may have one or two buttons. The scope of the consents for the buttons can be one of the following:

  • Per media — “Only this media”. Users will consent once for that specific rich media embed.

  • Per provider — “Always for {provider}”. Users will scope the entire provider. For example, “YouTube”, “Twitter”, “Facebook”, etc. We will put the provider name instead of the {provider} string. Once the user allows any of YouTube videos, all other YouTube videos will also be allowed.

  • Per page — “Everything on this page”. When users allow one media on a page, all other media on that page are also allowed.

  • Per site — “Allow all media”. Once the user allows media on your site, all media is allowed.

“Page” and “site” buttons may require some technical configuration of your web application.

If you configure the same button for both primary and secondary action, the form will have only one button.



You can change all text on the consent form to your language or your liking. Please make sure your text fits into the available space. We’ll use our default (English) texts if you leave the text fields empty.

Please keep {provider} if you want us to include a provider name into the button or anywhere in other texts.

User settings page

Because a user may need to undo the granted consents, we host a simple page for that purpose.

  • Settings page gives the user access to consents in his local storage and needs to be on the same domain as your widgets.
  • The page is hosted at /consents by default of the widgets domain. It is either by default, or the same on your custom CDN host, if use it.
  • The page is accessible via the “Settings” link on the consent form itself.
  • You can link to that page from your web app’s user documentation.
  • color — the hex code of accent colour of actions on the page to match your branding (please, no # to keep URL valid);
  • site — your domain name (we’ll add “allow all” control for that domain name);
  • theme — dark or light, if you want a specific theme. By default, adjusts to user’s browser preferences.

Technical configuration

If you want “Site” or “Page” scope for one of your consent buttons, the widget will need to have access to the Origin and Referer header (s).

The corresponding consent button will not show if the request headers are not present. You need to check your site’s referrer policy and your CDN settings.


Iframely needs a unique Referer header for our iFrames as an identifier of your page. When users allow “all widgets on a page”, we check against that as an identifier.

If your website works over HTTPs, it is the default user browser behaviour for cross-origin requests to send only the host value as the Referer header. A full path may have undesirable consequences for user security and privacy.

Therefore, Referer is the same for all your pages by default, and single consent will apply to your entire website.

To avoid that problem, please change your Referer-Policy:

Referrer-Policy: unsafe-url

If the risk of a potential leak of private information is a concern, please consider against the use of the “Page” consent scope.


If you want “Site” or “Page” consent buttons and use your own CDN, you need to allow it to forward Referer and Origin headers to Iframely.

Additionally, please ensure that your CDN set up listens and allows the referer and origin values as the cache-control vary field set by Iframely widgets.