Bot Arena
Selector resistance · Level 4 View on report ↗

Iframe-embedded form

Real form, but in a child frame. Page-scoped selectors do not see into it.

What's measured on this page
- The login form lives inside an <iframe>. Its document is a separate browsing context. - Playwright's page-scoped locators (page.getByLabel, page.getByRole) only query the main frame. They do not descend into child frames. To reach the form a test must call page.frameLocator('iframe').getByLabel(...) explicitly. - Most test suites are not written iframe-aware. A standard page.getByLabel('Email') times out with "no element matched", and the failure is exactly the same shape as if the form did not exist at all. - This pattern is everywhere in production: Stripe Elements, Auth0 Universal Login, embedded support chats, social-login widgets, Cloudflare Turnstile itself. - A vision-based automation tool sees the form as part of the rendered page — frame boundaries don't show up in the screenshot.

The form is in a separate document loaded via <iframe srcdoc="...">. Playwright needs an explicit page.frameLocator('iframe') to reach it.

Production apps using this technique

  • Stripe Elements (payment fields) Card number, expiry, and CVC are each in their own cross-origin iframe served from js.stripe.com. PCI-mandated isolation; cross-origin so no Playwright access at all.
    Market ~17% of online payment processing (largest gateway) Users 4M+ businesses; processes $1T+ payment volume / year
  • Auth0 Universal Login (embedded mode) Auth0's embeddable login dialog runs in an iframe. The "Lock" widget API is the supported interaction surface; raw selectors do not work.
    Market Okta-Auth0 ~5–8% of IAM / CIAM market Users 16K+ customers; billions of monthly authentications
  • Cloudflare Turnstile and reCAPTCHA CAPTCHA challenges always render as cross-origin iframes for security. Test harnesses use test-mode keys or paid solver services.
    Market reCAPTCHA ~60% of CAPTCHA market; Turnstile growing fast Users reCAPTCHA on 13M+ websites; Cloudflare fronts ~20% of internet traffic
  • Intercom, Drift, Zendesk, HubSpot Chat Embedded support and chat widgets render inside iframes. Tests that want to interact with them must use vendor-specific automation APIs.
    Market Zendesk ~7% CX/CRM; HubSpot ~5% CRM Users Zendesk 130K+ customers; HubSpot 215K+; Intercom 25K+; Drift 5K+
  • Sign-in with Google / Apple / Facebook One-tap sign-in buttons and One Tap prompts are iframes from the identity provider. Cross-origin; selector-based testing falls back to manual auth fixtures.
    Market Google Sign-in ~70% of social login market Users Embedded on millions of sites; ~1.8B Gmail accounts + 1B+ Apple ID + 3B Facebook accounts addressable
  • Sentry user-feedback dialog and many SaaS embed widgets Anything labelled "embeddable widget" — Calendly, Typeform inline, Cal.com, HelloSign — almost always ships as an iframe.
    Market Calendly leads scheduling SaaS; Sentry leads error monitoring Users Sentry 100K+ orgs / 4M devs; Calendly 20M+ users; Typeform 150K+ customers
  • Embedded ad slots and analytics consent banners GAM ad slots, Google Tag Manager preview, OneTrust/TrustArc consent banners — most run inside iframes for security and CSP isolation.
    Market GAM ~30%+ programmatic ads; OneTrust ~50% consent management Users GTM on 36M+ websites; OneTrust used across most Fortune 500

Figures are approximate / company-disclosed (~2024–2025). Sources: company filings, industry reports (Gartner, IDC, BuiltWith, npm stats), and public DAU disclosures.