Firefox Private Browser Hiding ALL Marketo Embed Forms

What's helping you there is the CNAME, not the IFRAME. The IFRAME is not necessary and the private/incognito tbrowser will block content in a frame as much as in the main document.

Using the cname **within the iframe** is key because we use multiple domains, per my original post.

I don't understand the connection.  You can have a CNAME for each domain. 

I'm at the point I might just switch to Salesforce.com Web to Lead forms, dump people into SF campaigns and use those to trigger our Marketo campaigns.

You're biting off something much bigger than you probably realize by doing that, since you will have to then go through new processes to associate leads.

This is all because of people using Private/InPrivate/Incognito browsing and filling out a form?  What's the actual percentage of visitors who want to do this? I'm not saying it's a negligible percentage but surely it's a small enough percentage that dropping Marketo forms (instead of using the CNAME workaround) is a disproportionate response.

If it is true that I can use multiple cnames for my use case, I was misinformed. I asked this question to support just today. I am probably not communicating the situation well, so please forgive me. I do appreciate the additional info.

They probably didn't get the whole scenario.  Long as you create the CNAMEs in Marketo and DNS, you'll be fine vis-a-vis Private Browsing and embedded forms.*

As for any problems you're having related to validation and not to Private Browsing, I don't know the particulars, but if you open a new thread here you'll get a wider variety of good answers (including from me, of course).

At first, you would think this number would be negligible. We use them with paid advertising programs and are hosting the forms on external html pages, not on Marketo landing pages in this case. Once you consider both the cost per lead that is sunk, plus the lost potential revenue from the lost leads, it adds up very quickly.

I definitely agree that any problems submitting forms (in regular, non-Private windows) significantly impact costs + revenue and must be solved.

My point was that leads using Private Browsing are not likely to be a large part of your frustrated audience.

Really appreciate your thoughtful answers. I will follow up again with Marketo support and see if cname per domain is in fact possible in my use case or whether the first answer made sense for my use case and we have to take another route.

If you restate that use case in detail in another thread I'll tell you the answer.

* "Fine" meaning you have evaded detection to the fullest degree possible while still using a CNAME that resolves to a hostname under marketo.com....

Glad to help, but --

The issue includes Munchkin.js, Forms.js, and any other remote src=’….’ Resource and is not exclusive to Marketo. If the location in any src=’someURL.com’ does not match the domain you are on, that is getting blocked.

-- this is not correct.  Same-domain policy doesn't stop you from loading remote scripts.  If it did, billion-dollar CDNs would be out of business.

Rather, this is specific to known tracking domains.  Any information you got to the contrary is wrong.

It's easy to get confused, but I want to make sure there isn't any more misinfo on this as it makes the solution harder to locate.

Note 1: I wasn't quite sure at first but I entered it without the http: just "//go.domain.com"

That's a protocol-relative URL.  It's not so much "without the http" as "adaptive to http or https"  It will inherit the protocol of the calling document.  Thus on http://www.example.com it will load the script from http://go.domain.com, while on https://www.example.com it will load from https://go.domain.com.

This format is critical because https:// URLs must load https:// resources to avoid warnings and, in modern browsers, additional failures.

It will work cross-domain if you have multiple domains. I.e. CNAME a will work on domain b. (but do you REALLY want to do that in the long-term? Will future updates catch this? Probably safer to use the matching CNAME, which leads to: There doesn't appear to be a (published or openly known) limit on CNAMES, as long as they point to the same DNS. Sanford Whiteman - thank you for causing me to question this further! You saved me a ton of work and time!

1. There's no reason to not use a single CNAME for this, unless it's to separate parts of a company that aren't expected to appear in each other's HTML source.  Tracking protection doesn't care what CNAME you're loading from as long as it doesn't see it as suspicious.  What you could worry about more is when tracking protection starts checking to see what your CNAME points to: it's not like you're really hiding marketo.com.  The only reason they don't check this now is that it could take a lot of resources on your computer (imagine a chain of CNAME --> CNAME --> CNAME --> marketo.com).
2. In Marketo, there may be a limit.  In DNS in general you need not be concerned.

The reason for multiple domains is simple and not usual for many brands - microsites for various campaigns. But, the multiple CNAMES solution is intended to solve for (and only necessary if) the CNAME matching the page URL (vs avoiding a KNOWN TRACKING DOMAIN) is the root of the blocking issue.

Right, I wasn't talking about multiple domains that the user sees in the location bar but about multiple domains for loading scripts.  Since the latter would only be seen by somebody inspecting the page source/network traffic they don't usually pose a branding concern unless there's some company name you're trying to obscure, etc..

We again have a conflict with what I was told by support. Given that I'm able to do cross-domain CNAME embedding and it works, I think you're correct.

I'm sure I am... there are few, if any, people who spend as much time as I do analyzing browser behavior wrt Marketo.  If someone has any social or family life, let alone other job responsibilities, it's unlikely that they could keep up with me.