Bot Arena
Selector resistance · Level 7

Cross-origin iframe

Same form, loaded from a different origin. Browser security blocks all DOM access from the parent.

What's measured on this page
- The form lives in an `<iframe src="data:...">`. The data: URI scheme has an opaque origin, so the iframe is treated as cross-origin to its parent page.
- Browser security policy forbids the parent page (and Playwright running against the parent) from reading or scripting cross-origin frame content. This is the same restriction that applies to Stripe Elements, Auth0 hosted login dialogs, and the live Cloudflare Turnstile widget, all of which load their forms from a different origin than the host site.
- page.getByLabel('Email') queries only the main frame. page.frameLocator(...) can see the iframe but cannot pierce a cross-origin one; Playwright explicitly refuses cross-origin frame interaction in many cases.
- A vision-based automation tool sees the form as pixels in the rendered page. Cross-origin boundaries do not exist in the rendered image.

The form is in a data: URI iframe with an opaque origin — cross-origin to this page. Even page.frameLocator hits a brick wall, just like with real Stripe / Auth0 / Turnstile widgets.

Production apps using this technique

  • Stripe Elements: Card number, expiry, and CVC each load from js.stripe.com as separate cross-origin iframes. PCI-mandated isolation; no automated DOM access possible from the host page.
    Market: ~17% of online payment processing (largest gateway). Users: 4M+ businesses; processes $1T+ payment volume / year.
  • Cloudflare Turnstile + reCAPTCHA + hCaptcha: Every modern bot-detection widget renders cross-origin. The widget code, the challenge UI, and the verdict token live in a frame from the vendor.
    Market: reCAPTCHA ~60% of CAPTCHA market; Turnstile + hCaptcha growing fast. Users: reCAPTCHA on 13M+ websites; hCaptcha on 250K+ sites; Turnstile on 7M+.
  • Auth0 / Okta / Clerk embedded login: The "embedded" version of hosted login pages is iframe-based, cross-origin to the SaaS host. Customers integrate via vendor SDKs because direct DOM access is forbidden.
    Market: Okta + Auth0 ~9% of IAM/CIAM market; Clerk leads dev-first auth. Users: Auth0 16K+ customers; Okta 18K+; Clerk 15K+; billions of monthly authentications.
  • Sign in with Google / Apple, One Tap prompts: Identity providers render their consent UIs in iframes from their own origin. Selectors cannot pierce them.
    Market: Google ~70% of social login button market. Users: Available across ~1.8B Gmail accounts, 1B+ Apple IDs, 3B Facebook accounts.
  • Embedded analytics consent banners: OneTrust, TrustArc, and Cookiebot consent dialogs ship as cross-origin iframes so they can be governed centrally and so site code cannot tamper with consent state.
    Market: OneTrust ~50% of consent management; Cookiebot ~15%. Users: OneTrust used across most Fortune 500; Cookiebot deployed on 1M+ sites.

Figures are approximate / company-disclosed (~2024–2025). Sources: company filings, industry reports (Gartner, IDC, BuiltWith, npm stats), and public DAU disclosures.