Hotjar's Recordings will report both clicks and mouse movements which happen within same-origin iframes, relative to the iframe element, not the page inside. When the Hotjar script encounters an iframe on a web page, the actual interactions inside that iframe won't be recorded. Instead, the URL of the iframe will be saved and reloaded inside the Recording when it's being played back.
When it comes to cross-origin iframes, such as iframes loading a YouTube video, Hotjar will only report clicks. These clicks will be centered on the iframe element.
Difference between same-origin and cross-origin
Same-origin means that the page loaded within the iframe is loaded from the same exact protocol and subdomain as the parent window.
Cross-origin policy applies when the page loaded within an iframe DOES NOT match the exact protocol and subdomain as the parent window.
For example, if the iframe is on a page at http://www.example.com. Same-origin will only apply if the page loaded within the iframe is also loaded from exactly http://www.example.com. If it's not, cross-origin policy applies since the iframe is loading a page not hosted on the same 'origin' as the parent window.
Due to current technological limitations, if you'd like to get a Recording of interactions happening inside of an iframe, only put the Hotjar Tracking Code on the iframe and not on the parent page. Having the Hotjar Tracking Code on both the parent page and the iframe can cause Recordings of the page to fail and data collection to be skewed.