Hotjar's Heatmaps will report both clicks and mouse movements which happen within same-origin iframes, relative to the iframe element, not the page inside.
When it comes to cross-origin iframes, such as iframes loading a YouTube video, Hotjar will only report clicks. These clicks will be centered on the iframe element.
Difference between same-origin and cross-origin
Same-origin means that the page loaded within the iframe is loaded from the same exact protocol and subdomain as the parent window.
Cross-origin policy applies when the page loaded within an iframe DOES NOT match the exact protocol and subdomain as the parent window.
For example, if the iframe is on a page at http://www.example.com. Same-origin will only apply if the page loaded within the iframe is also loaded from exactly http://www.example.com. If it's not, cross-origin policy applies since the iframe is loading a page not hosted on the same 'origin' as the parent window.
To create a Heatmap for a page within an iframe
Install the tracking code on the source page of the iframe
Create a new Heatmap snapshot for that iframe URL
This is the URL of iframe page itself, not the page the iframe element is present on.
Due to current technological limitations, if you'd like to get a Recording of interactions happening inside of an iFrame, only put the Hotjar Tracking Code on the iframe and not on the parent page. Having the Hotjar Tracking Code on both the parent page and the iFrame can cause Recordings of the page to fail and data collection to be skewed.