I’m trying to embed a social listening widget from our third-party provider into Zoho CRM cloud (2021 version) using an iframe. The widget works perfectly when accessed directly via its URL, but when embedded in Zoho CRM’s custom tab, it fails to load and I’m seeing CORS errors in the browser console:
Access to XMLHttpRequest blocked by CORS policy
No 'Access-Control-Allow-Origin' header present
Refused to display in a frame because it set 'X-Frame-Options' to 'DENY'
The widget is supposed to show real-time social media mentions and sentiment analysis for our accounts. I’ve configured the iframe in Zoho’s Canvas view with the widget provider’s URL, but all I get is a blank frame. The CORS header configuration seems to be the issue, but I’m not sure if this needs to be fixed on Zoho’s side, the widget provider’s side, or both.
Our marketing team desperately needs this social listening data visible within CRM for context during customer interactions. Has anyone successfully integrated external widgets via iframe in Zoho cloud and dealt with these CORS and X-Frame-Options restrictions?
Check if your widget provider offers a JavaScript SDK instead of iframe embedding. Many modern widgets support both methods. The SDK approach loads the widget code directly into your Zoho page context, which completely avoids CORS and frame restrictions. You’d include their JS library in a custom HTML widget within Zoho and initialize it with your API credentials.
I’ve integrated third-party widgets before. One workaround if the provider won’t modify their headers is to use Zoho’s custom functions with a server-side proxy approach. Create a Deluge function that fetches the widget data via API, then render it in a custom Zoho page instead of trying to iframe the external widget directly. Not ideal but it bypasses CORS entirely.
CORS is definitely a two-way street here. Your widget provider needs to add Zoho CRM’s domain to their Access-Control-Allow-Origin headers. But there’s also the question of whether you’re making cross-origin requests from within the iframe. If the widget itself tries to fetch data from other domains after loading, those domains also need proper CORS headers. Check with your provider if they have a specific iframe embed URL that’s configured differently from their main app URL - many SaaS providers have separate endpoints for embedded scenarios.
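The console output in the question reports two separate browser checks: framing is decided by `X-Frame-Options` and the CSP `frame-ancestors` directive, while XHR reads are decided by `Access-Control-Allow-Origin`. The JavaScript below is an added example, not part of the thread or any vendor's code, that evaluates a set of response headers against both checks so you can tell which header the provider has to change. The origins `https://crm.example` and `https://widget.example` and both header sets are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example. Origins and header values are constructed samples.
// Header names are expected lower-cased; origins are assumed to carry no explicit port.

// Match a CSP host-source such as https://*.crm.example against an origin.
function wildcardMatch(source, origin) {
  const m = /^(https?:\/\/)\*\.(.+)$/.exec(source);
  return !!m && origin.startsWith(m[1]) && origin.slice(m[1].length).endsWith('.' + m[2]);
}

// May a document at parentOrigin display the page (served from pageOrigin) in a frame?
function checkFraming(headers, parentOrigin, pageOrigin) {
  const csp = headers['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) { // when present, frame-ancestors is enforced instead of X-Frame-Options
    const src = fa.slice(1);
    const ok = !src.includes("'none'") && src.some(s => s === '*' || s === parentOrigin ||
      (s === "'self'" && parentOrigin === pageOrigin) || wildcardMatch(s, parentOrigin));
    return { allowed: ok, reason: ok ? 'frame-ancestors allows parent' : 'blocked by CSP frame-ancestors' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN' && parentOrigin !== pageOrigin)
    return { allowed: false, reason: 'X-Frame-Options: SAMEORIGIN' };
  return { allowed: true, reason: 'no framing restriction' };
}

// May script running at requestOrigin read this cross-origin XHR/fetch response?
function checkCors(headers, requestOrigin, withCredentials = false) {
  const acao = headers['access-control-allow-origin'];
  if (!acao) return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  if (acao === '*') return withCredentials
    ? { allowed: false, reason: 'wildcard is rejected for credentialed requests' }
    : { allowed: true, reason: 'wildcard origin' };
  if (acao !== requestOrigin) return { allowed: false, reason: 'origin not allowed' };
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true')
    return { allowed: false, reason: 'Access-Control-Allow-Credentials is not true' };
  return { allowed: true, reason: 'origin allowed' };
}

const CRM = 'https://crm.example', WIDGET = 'https://widget.example';
const asReported = { 'x-frame-options': 'DENY' };  // matches the console errors in the question
const embedFixed = { 'content-security-policy': "default-src 'self'; frame-ancestors " + CRM,
                     'x-frame-options': 'DENY', 'access-control-allow-origin': CRM };
console.log(checkFraming(asReported, CRM, WIDGET), checkCors(asReported, CRM));
console.log(checkFraming(embedFixed, CRM, WIDGET), checkCors(embedFixed, CRM));
```

When the widget's own script inside the iframe makes the request, pass the widget's origin as `requestOrigin`; when the provider's SDK runs in the CRM page, pass the CRM page's origin.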