Issue: “Refused to display in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’”


You may encounter this error if you installed our snippet with the “Cross-Domain tracking” option enabled. That option requires hosting a static resource (an iframe) on your main domain.

How does the Kameleoon iframe work?

The Kameleoon iframe ensures continuity and consistency of data (exposures, conversions, custom data, etc.) when a visitor moves from one subdomain to another. This is achieved by delegating to the iframe the task of reading and writing that information in localStorage, in the domain where the iframe is deployed.

Because localStorage is scoped to a single origin, the iframe lets all your subdomains read the Kameleoon data stored in the localStorage of your main domain. The same visitor can thus be recognised across subdomains without the extra server calls that would otherwise affect your website's performance.

More detailed documentation on this subject

To secure the iframe, we have implemented the following three measures:

  • Restriction of access to identified domains: only the domains listed in the allowedDomains variable (in the iframe code) are authorised to request the iframe. The iframe only serves the domains you explicitly list in the iframe file, so it cannot be used from a page hosted outside your own domains. Keep that list limited to domains you control, since any domain on it can read and write the visitor data.
  • Restriction of access to identified sitecodes: only a Kameleoon engine with the sitecode specified in the iframe code is allowed to request the iframe.
  • Prefixed localStorage: the iframe (and Kameleoon at large) only reads and writes entries whose key is prefixed with “kameleoon”. No other data can be read or written.
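The bridge described above, as an added example written for this article (it is not Kameleoon's own iframe code): a parent page posts a request to the iframe, and the iframe applies the three measures before touching storage. It runs in Node with an in-memory stand-in for the main domain's localStorage and for the MessageEvent objects a page would post. The allowedDomains values, the sitecode abc123, the example.com hosts and the message format are all assumptions made for the illustration.

```javascript
// Added example written for this article; it is NOT Kameleoon's own iframe code.
// It models the three measures listed above with an in-memory stand-in for the
// main domain's localStorage and for the MessageEvent objects a parent page would post.

// Configuration the page says lives in the static iframe file (these values are assumptions).
const allowedDomains = ["example.com", "www.example.com", "shop.example.com"];
const siteCode = "abc123";        // assumed sitecode; the real one is issued by Kameleoon
const KEY_PREFIX = "kameleoon";   // the page states only "kameleoon"-prefixed keys are touched

// Stand-in for window.localStorage of the domain where the iframe is hosted.
const storage = new Map();

// Hostname of the page that posted a message, taken from MessageEvent.origin.
// Returns null for the opaque "null" origin (sandboxed frames, file://) or garbage.
function originHost(origin) {
  try {
    return new URL(origin).hostname;
  } catch {
    return null;
  }
}

// Measure 1: exact match against the allow list. Substring or suffix matching would
// let "example.com.attacker.net" or "notexample.com" through, so neither is used.
// (Scheme is not checked here; a production bridge should also require https.)
function isAllowedOrigin(origin) {
  const host = originHost(origin);
  return host !== null && allowedDomains.includes(host);
}

// Measure 3: only keys prefixed with "kameleoon" may be read or written, so a page
// cannot use the bridge to reach other data stored on the main domain.
function isAllowedKey(key) {
  return typeof key === "string" && key.startsWith(KEY_PREFIX);
}

// Handle one request posted by a parent page. `event` mimics a MessageEvent:
//   { origin, data: { siteCode, action: "get" | "set", key, value } }
// Returns the reply that would be posted back, or null when the request is refused.
// Refusals are silent on purpose: the sender learns nothing about why.
function handleRequest(event) {
  if (!isAllowedOrigin(event.origin)) return null;      // measure 1: domain allow list
  const { siteCode: code, action, key, value } = event.data || {};
  if (code !== siteCode) return null;                   // measure 2: sitecode must match
  if (!isAllowedKey(key)) return null;                  // measure 3: key prefix
  if (action === "set") {
    storage.set(key, String(value));
    return { key, value: String(value) };
  }
  if (action === "get") {
    return { key, value: storage.has(key) ? storage.get(key) : null };
  }
  return null;                                          // unknown action
}

// When replying, the target origin is the exact origin that asked, never "*",
// so the visitor data is not handed to whatever document happens to be embedding us.
function replyTarget(event, reply) {
  return reply === null ? null : { targetOrigin: event.origin, reply };
}

// Constructed sample traffic: a subdomain writes the visitor code, the main site reads it,
// and three requests that each fail one of the measures.
const samples = [
  { origin: "https://shop.example.com", data: { siteCode: "abc123", action: "set", key: "kameleoonVisitorCode", value: "v1" } },
  { origin: "https://www.example.com",  data: { siteCode: "abc123", action: "get", key: "kameleoonVisitorCode" } },
  { origin: "https://example.com.attacker.net", data: { siteCode: "abc123", action: "get", key: "kameleoonVisitorCode" } },
  { origin: "https://www.example.com",  data: { siteCode: "wrong",  action: "get", key: "kameleoonVisitorCode" } },
  { origin: "https://www.example.com",  data: { siteCode: "abc123", action: "get", key: "sessionToken" } },
];
for (const ev of samples) {
  console.log(ev.origin, ev.data.key, "->", JSON.stringify(replyTarget(ev, handleRequest(ev))));
}
```

The order of the checks matters: the origin is tested first, before the message body is even looked at, so a page outside the allow list cannot probe for valid sitecodes or key names. In a real iframe these functions would sit behind a `window.addEventListener("message", ...)` handler and the reply would go through `event.source.postMessage(reply, event.origin)`.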

The data collected by Kameleoon is non-personal in accordance with current regulations. Please read the exhaustive list of this data.

Kameleoon offers consent management that can be adapted to all needs & ecosystems via a dedicated API and adjustable behaviour in case of unknown consent. More documentation on this subject

How to fix this issue?

The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites use it to prevent clickjacking attacks by ensuring their content is not embedded into other sites. The SAMEORIGIN value only permits framing by pages with exactly the same origin (scheme, host and port), so a page on a subdomain such as shop.example.com is a different origin from www.example.com and the browser refuses to display the iframe, which is the error quoted in the title of this article.

For more details, see the Mozilla Developer Network (MDN) documentation.

To enable cross-domain tracking, the Kameleoon iframe must be loadable from all your domains and subdomains, so the response that serves the static iframe file must not carry an X-Frame-Options: SAMEORIGIN or DENY header. This applies to the iframe file only: keep clickjacking protection on the rest of your pages. X-Frame-Options cannot express a list of several permitted origins, so if you want to restrict framing of the iframe file at the HTTP level, send a Content-Security-Policy header with a frame-ancestors directive listing your domains on that file instead (for example, frame-ancestors 'self' https://*.example.com); browsers that support frame-ancestors give it precedence over X-Frame-Options when both are present.

You can also secure the iframe by providing a restricted list of domains (e.g., your own domains and subdomains) that are allowed to call it. This list is set inside the static iframe file hosted on your side.
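As an added check for the header configuration above, the following is a simplified model of the decision a browser makes before rendering a response inside a frame. It is example code written for this article, not a browser's actual algorithm and not anything from Kameleoon: it covers X-Frame-Options DENY and SAMEORIGIN and the CSP frame-ancestors directive, checks only the direct parent origin, and uses placeholder example.com hosts and header values. It shows why SAMEORIGIN refuses a subdomain, and lets you confirm offline that the two responses that matter are configured differently: ordinary pages keep X-Frame-Options, the iframe file carries a frame-ancestors list.

```javascript
// Added example written for this article, not browser or Kameleoon code: a simplified model
// of the decision a browser makes before rendering a response inside a frame. It supports
// X-Frame-Options DENY and SAMEORIGIN and the CSP frame-ancestors directive ('self', 'none',
// a bare scheme such as "https:", and host sources with an optional scheme, a leading "*."
// wildcard and an optional port). Real browsers check every ancestor frame, not just the
// direct parent, and handle more edge cases (conflicting header values, IPv6 hosts).

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(":", "");
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname, port };
}

// Origin equality as SAMEORIGIN uses it: scheme, host and port must all be identical,
// which is why shop.example.com is not "same origin" as www.example.com.
function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Does one frame-ancestors source expression match the parent origin?
function sourceMatches(source, parentOrigin, resourceOrigin) {
  if (source === "'self'") return sameOrigin(parentOrigin, resourceOrigin);
  if (source === "'none'") return false;
  const p = parseOrigin(parentOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return p.scheme === source.slice(0, -1); // e.g. "https:"
  let scheme = null, hostPart = source;
  const i = source.indexOf("://");
  if (i !== -1) { scheme = source.slice(0, i); hostPart = source.slice(i + 3); }
  if (scheme !== null && scheme !== p.scheme) return false;
  const [hostPattern, port] = hostPart.split(":");
  if (port !== undefined && port !== "*" && port !== p.port) return false; // port checked only when given (simplification)
  if (hostPattern === "*") return true;
  if (hostPattern.startsWith("*.")) {
    const suffix = hostPattern.slice(1);               // "*.example.com" -> ".example.com"
    return p.host.endsWith(suffix) && p.host.length > suffix.length;
  }
  return p.host === hostPattern;
}

// headers: plain object of response header name -> value (names matched case-insensitively).
// Returns true if a document at parentOrigin may frame a response served from resourceOrigin.
function framingAllowed(headers, parentOrigin, resourceOrigin) {
  const get = (name) => {
    const k = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return k === undefined ? undefined : headers[k];
  };
  const csp = get("content-security-policy");
  if (csp !== undefined) {
    const directive = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive !== undefined) {
      // A frame-ancestors directive takes precedence over X-Frame-Options in browsers that support CSP.
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      return sources.some((s) => sourceMatches(s, parentOrigin, resourceOrigin));
    }
  }
  const xfo = get("x-frame-options");
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return false;
    if (v === "SAMEORIGIN") return sameOrigin(parentOrigin, resourceOrigin);
    // Other values, including the obsolete ALLOW-FROM, are ignored by current browsers.
  }
  return true; // no framing restriction at all
}

// Constructed header sets for the two responses that matter. Domains are placeholders.
const sitePageHeaders   = { "X-Frame-Options": "SAMEORIGIN" };                                           // keep this on ordinary pages
const iframeFileHeaders = { "Content-Security-Policy": "frame-ancestors 'self' https://*.example.com" }; // only on the iframe file
const iframeOrigin = "https://www.example.com";

for (const parent of ["https://www.example.com", "https://shop.example.com", "https://example.com.attacker.net"]) {
  console.log(parent, "site page:", framingAllowed(sitePageHeaders, parent, iframeOrigin),
              "iframe file:", framingAllowed(iframeFileHeaders, parent, iframeOrigin));
}
```

Run against real deployments by pasting the headers returned for the iframe file (for example from the browser's network panel) into the headers object: the iframe file should come back allowed for every subdomain you own and refused for anything else, while an ordinary page of the site should still be refused from a subdomain.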