Embed Code block — paste third-party widgets onto a page
The Embed Code block lets you drop a snippet of HTML, an iframe, or a JavaScript widget from another platform onto any Builder page. It's the right block when the thing you want to show isn't a Turtini module — a Calendly inline scheduler, a Tally form, a Stripe Pricing Table, a Substack subscribe widget, a Google Calendar, a Twitter timeline, or your own custom HTML.
Adding the block:
1. Open your site in Builder and go to the page you want to edit.
2. Click "+ Add block" → Embed Code.
3. The block lands on the page with a placeholder ("Paste embed code from another platform").
Pasting your code:
1. Click the block to open the right-side editor.
2. From the third-party tool, copy the embed snippet they give you (usually labeled "Embed code", "Inline embed", "Copy HTML", or similar).
3. Paste it into the "Embed code" field. Most snippets include both an <iframe> or container <div> and a <script> tag — paste the whole thing as-is.
4. Adjust the height select to roughly match what the widget needs (200, 400, 600, 800, or 1000 px). Embeds use a fixed height because most third-party widgets don't tell their parent page how tall they are.
5. Set the width — Narrow (max 768px) for forms, Contained (max 1024px) for most embeds, Wide (max 1280px) for dashboards, or Full bleed.
Sandbox modes — picking the right one:
The block always renders inside a sandboxed iframe so a misbehaving third-party script can't read your site's cookies, change other elements on the page, or break out into your DOM. Three modes trade isolation for compatibility:
• Standard (recommended) — scripts run, forms work, popups allowed. Same-origin is OFF, which means the embed can't read its own domain's cookies. Works for: Tally, most Calendly setups, Substack, Twitter timeline, Google Calendar (public), simple HTML widgets.
• Permissive — scripts run AND the embed sees its own origin. Some widgets need this to talk to their own backend or remember a user's session. Use only when Standard mode shows the widget but it doesn't fully work. Works for: Stripe Pricing Table (needs same-origin to fetch prices), full Calendly with prefill, embedded login flows, anything that complains "blocked by sandbox" in the browser console.
• Strict — scripts disabled entirely. Use when you only need static HTML or a simple iframe to render and you want belt-and-suspenders isolation. Works for: a plain <iframe src="..."> to a static page, or a chunk of styled HTML with no JavaScript.
Common services and which mode to pick:
• Calendly inline — Standard usually works; switch to Permissive if prefill doesn't populate
• Stripe Pricing Table — Permissive
• Tally form — Standard
• Google Calendar (public iframe) — Standard
• Substack subscribe widget — Standard
• Twitter / X timeline embed — Standard
• YouTube playlist (use the Video block instead — it has YouTube auto-detection)
• Mapbox / Google Maps embed — Standard
• Custom HTML you wrote yourself — Strict (no scripts) or Standard (scripts)
Caption:
Optional — appears centered below the embed in muted text. Useful for "Powered by Calendly" attributions or short context.
GitHub export:
The Embed block exports cleanly when you push your site to GitHub. The same sandboxed-iframe markup goes into the static HTML, so embedded widgets continue to work on your custom domain.
Limits:
• One block = one embed. To stack multiple widgets, add multiple Embed Code blocks.
• Embeds can't talk to your Turtini data (forms, accounts, etc.) — they run in their own sandbox. To collect data into Turtini, use the Form block instead.
• Auto-resize is not supported — the iframe stays at the height you set. Pick a height with a bit of headroom; oversized embeds clip, undersized embeds get an internal scrollbar.
Troubleshooting:
• Embed shows but is blank — open the browser's DevTools console; if you see "Blocked by sandbox", switch to Permissive mode.
• Widget needs a key or origin allowlist — register the published site URL (and any custom domain) in the third-party tool's allowed-origins setting.
• Site looks fine on the live published URL but blank on the Builder preview — the third-party may block embedding from the preview hostname; publish and test on the real domain.