Hotjar's Recordings will report both clicks and mouse movements which happen within same-origin iframes, relative to the iframe element, not the page inside. When the Hotjar script encounters an iframe on a web page, the actual interactions inside that iframe won't be recorded. Instead, the URL of the iframe will be saved and reloaded inside the Recording when it's being played back if we have access to the assets.
When it comes to cross-origin iframes, such as iframes loading a YouTube video, Hotjar will not be able to collect data and will show an error message:
Difference between same-origin and cross-origin
Same-origin means that the page loaded within the iframe is loaded from the same exact protocol and subdomain as the parent window.
Cross-origin policy applies when the page loaded within an iframe DOES NOT match the exact protocol and subdomain as the parent window.
For example, if the iframe is on a page at http://www.example.com. Same-origin will only apply if the page loaded within the iframe is also loaded from exactly http://www.example.com. If it's not, cross-origin policy applies since the iframe is loading a page not hosted on the same 'origin' as the parent window.
The url that the iFrame points to is stored on our servers and reloaded every time a recording is played. This means that if the URL triggers some additional behavior on the server that the url points to, other than just serving the iFrame content, this could cause unexpected and adverse results.
Due to current technological limitations, if you'd like to get a Recording of interactions happening inside of an iFrame, only put the Hotjar Tracking Code on the iframe and not on the parent page. Having the Hotjar Tracking Code on both the parent page and the iFrame can cause Recordings of the page to fail and data collection to be skewed.