Way to whitelist Optimizely (AB Testing) for IFrame / X-Frame-Options


I am trying to run A/B tests using Optimizely. The page I want to test is the view cart page. To set this up, I need to allow Optimizely to see the cart in an IFrame on their site. This currently cannot be done because according to Optimizely support, “X-Frame-Options” in CS Cart is set to “sameorigin”.

They are saying:

    “Optimizely.com needs to be whitelisted so we can load your page correctly in the (Optimizely) editor, currently it is being loaded via proxy which doesn’t have the session info.”

Because the session info cannot be loaded, it is not possible to add anything to the cart in the Optimizely editor and therefore, the Proceed to Checkout button does not show.

This is a bit beyond my abilities. Is what they are saying possible and if so, can you give instructions on how to do it?


Hey Novista,

Not sure if you've given up on this or not, but we experienced the same issue when trying to access the in-page data collected by Google Analytics.

X-Frame is actually your friend and the overriding recommendation is to keep the setting at “sameorigin” in the prepare.php file. There is an option to “ALLOW-FROM uri”, but you might want to talk to your analytics vendor about their recommendations for this if there isn't a means (like there is in GA) to view the heat map and data on the live site instead of the analytics vendor's frame.

Not knowing how much research you've done independently, here's a blog post from last September that might help you understand the implications of removing or changing the settings for the x-frame - “Clickjacking Google (x-frame-options) » we got style” (http://blog.wirhabenstil.de/2012/09/14/clickjacking-google-x-frame-options/).

Again, the best thing your analytics provider can give you is a means of viewing the in-page data on the live site as opposed to inside a frame in their analytics dashboard.


Yes, I was able to get past it by changing the 'x-frame' settings. The good news is that I only needed to make that change during the setup of my test, which only took a few minutes. Once the test was running I was able to set it back to 'sameorigin'.
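
Added example, not part of the original thread: a Python check of which origins a response's framing headers admit, useful for confirming the setting is back to “sameorigin” after a temporary change like the one described above. The hosts shop.example and editor.example, the sample header and the function names are constructed; it assumes the behaviour of current browsers, which ignore an ALLOW-FROM value and let a Content-Security-Policy frame-ancestors directive take precedence over X-Frame-Options.

```python
from urllib.parse import urlsplit

# Constructed sample: the "ALLOW-FROM uri" option mentioned in the thread.
SAMPLE = [("X-Frame-Options", "ALLOW-FROM https://editor.example")]

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _frame_ancestors(headers):
    """One source list per CSP header that carries a frame-ancestors directive."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                found.append([s.lower() for s in parts[1:]])
    return found

def _match(src, emb, page):
    # Simplified source matching: *, 'self', scheme-only, exact origin, *.host
    if src == "*":
        return True
    if src == "'self'":
        return emb == page
    if src.endswith(":"):
        return emb.startswith(src + "//")
    scheme, _, host = src.partition("://")
    e_scheme, _, e_host = emb.partition("://")
    if host.startswith("*."):
        return scheme == e_scheme and e_host.endswith(host[1:])
    return src == emb

def can_frame(headers, page_url, embedder_origin):
    """Return (allowed, deciding_rule) for a top-level embedder framing page_url."""
    page, emb = _origin(page_url), _origin(embedder_origin)
    policies = _frame_ancestors(headers)
    if policies:  # frame-ancestors wins over X-Frame-Options
        ok = all(any(_match(s, emb, page) for s in srcs) for srcs in policies)
        return ok, "csp frame-ancestors"
    xfo = next((v.strip().lower() for n, v in headers
                if n.lower() == "x-frame-options"), None)
    if xfo is None:
        return True, "no framing policy"
    if xfo == "deny":
        return False, "x-frame-options deny"
    if xfo == "sameorigin":
        return emb == page, "x-frame-options sameorigin"
    return True, "x-frame-options value ignored"  # e.g. ALLOW-FROM: no protection
```

Feed it the header list from a real response (for example from `curl -sI`) to see whether any origin other than your own is admitted.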