This list is regularly updated with recent and common questions we receive from our customers.

What are the Kameleoon domains that I need to whitelist?

If your website restricts the loading of resources (scripts, images, media, CSS) via the standard Content-Security-Policy HTTP header, you'll need to update your site's Content Security Policy (CSP) to allow Kameleoon resources to load.

Easy setup (with wildcards)

This is the recommended setup. Below is the additional content for the CSP header. Add it to your own configuration.

default-src https://* https://[your-site-code] https://*;

Complete setup (fully detailed)

This is the fully detailed setup, with every host used and its resource type (script, image, etc.). Below is the additional content for the CSP header. Add it to your own configuration.

script-src https://[your-site-code] 'unsafe-eval';
style-src 'unsafe-inline';
img-src https://[your-site-code];

Why does the Kameleoon engine (kameleoon.js application file) use the eval() function?

The Kameleoon JavaScript engine uses the eval() function for experimentation purposes. This is because we allow our users to add custom code from various parts of our product, such as custom data and custom JavaScript, to implement variations of a page. Using the eval() function allows us to dynamically execute this custom code at runtime.

However, if you use a Content Security Policy (CSP) directive to prevent the use of the eval() function, you can implement the following JS snippet before our installation tag:

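<script type="text/javascript">
    window.kameleoonQueue = window.kameleoonQueue || [];

    // Replaces the engine's eval()-based runner with inline <script> injection
    function excludeKameleoonEval() {
        Kameleoon.Utils.runProtectedScript = function (code, fileName) {
            let script = document.createElement("script");
            script.innerHTML = code + "\n;";
            if (fileName) {
                script.innerHTML += "//# sourceURL=" + fileName;
            }
            // The injected element only runs once it is attached to the document
            document.head.appendChild(script);
        };
    }

    // Queue the override so that it runs as soon as the engine is available
    window.kameleoonQueue.push({
        level: "IMMEDIATE",
        command: excludeKameleoonEval
    });
</script>
<!-- Add the Kameleoon Installation tag here. Refer to this documentation: -->
<script type="text/javascript" src="//" async="true"></script>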

Some features of Kameleoon will not be available if the eval() function is blocked with a CSP directive. These include:

  • Targeting segment with a custom JavaScript condition
  • Custom Data with a custom JavaScript code
  • Acquisition channel with a custom JavaScript code
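
The two CSP setups and the eval() directive discussed above each relax a site's policy in a different way. The following added example (not Kameleoon code; the function names and sample policies are constructed, with placeholder hosts) parses a policy and lists which of those relaxations are in effect for scripts, styles and images, including the fallback to default-src.

```javascript
// Constructed sample policies modelled on the two setups; hosts are placeholders.
const SAMPLE_EASY = "default-src 'self' https://*";
const SAMPLE_DETAILED = "default-src 'self'; script-src 'self' https://cdn.example.test 'unsafe-eval'; " +
  "style-src 'self' 'unsafe-inline'; img-src 'self' https://cdn.example.test";

// Split a policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src, style-src and img-src fall back to default-src when absent.
function effectiveSources(directives, name) {
  return directives.get(name) || directives.get("default-src") || null;
}

// List the relaxations that apply to scripts, styles and images.
// Not modelled: browsers ignore 'unsafe-inline' when a nonce or hash is listed.
function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const name of ["script-src", "style-src", "img-src"]) {
    const sources = effectiveSources(directives, name);
    if (sources === null) {
      findings.push(name + ": not restricted by this policy");
      continue;
    }
    for (const source of sources) {
      const s = source.toLowerCase();
      if (s === "*" || s === "https:" || s === "https://*") {
        findings.push(name + ": " + source + " allows any host");
      } else if (s === "'unsafe-eval'" && name === "script-src") {
        findings.push(name + ": 'unsafe-eval' allows eval()");
      } else if (s === "'unsafe-inline'" && name !== "img-src") {
        findings.push(name + ": 'unsafe-inline' allows inline " +
          (name === "script-src" ? "scripts" : "styles"));
      }
    }
  }
  return findings;
}
```

Running `auditCsp` on a policy before and after adding the Kameleoon entries shows exactly which relaxations the change introduces.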

Does Kameleoon offer “on premise” tracking request URLs?

Yes, Kameleoon does offer "on premise" tracking request URLs as a premium option. This feature is particularly useful if a significant portion of your website users have an adblocker, as some adblockers can block Kameleoon's script and tracking URLs.

Here's how it works: on your server, you would need to forward any HTTP requests received to [na-] For example, if you chose as your tracking domain, a tracking request would be a POST to "". Your server listening on this domain should then forward the request, along with all the necessary data and parameters, to the [na-] host.

By activating "on premise" tracking request URLs, you can ensure that Kameleoon's tracking works seamlessly, even if some of your users have adblockers enabled.


When forwarding the requests to [na-], you need to make sure the URL of the request is also rewritten to [na-] It's NOT enough to just forward your request to our server while keeping the original Host: HTTP header set to your domain ( Host: header must be set to [na-]
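
The Host rewrite described above, as an added Node.js example that is not Kameleoon's code: `UPSTREAM_HOST` is a placeholder for the Kameleoon host elided on this page, and the function names are hypothetical. The destination is fixed in configuration rather than derived from the request, so the listener cannot be used to reach arbitrary hosts.

```javascript
// Placeholder (assumption): the real Kameleoon host is elided on this page.
const UPSTREAM_HOST = "tracking-upstream.example.invalid";

// Headers that are valid for a single hop only and must not be relayed.
const HOP_BY_HOP = new Set(["connection", "keep-alive", "proxy-authenticate",
  "proxy-authorization", "te", "trailer", "transfer-encoding", "upgrade"]);

// Copy headers, lower-casing names and dropping Host and hop-by-hop headers.
function relayHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (key !== "host" && !HOP_BY_HOP.has(key)) out[key] = value;
  }
  return out;
}

// Build the https.request options for the upstream call, or null to reject.
function buildUpstreamOptions(method, url, headers) {
  // Accept origin-form targets ("/path?query") only: the destination is fixed
  // in configuration and is never taken from the incoming request.
  if (typeof url !== "string" || !url.startsWith("/") || url.startsWith("//")) return null;
  const out = relayHeaders(headers);
  out.host = UPSTREAM_HOST; // rewritten Host header, as the page requires
  return { method, host: UPSTREAM_HOST, port: 443, path: url,
           servername: UPSTREAM_HOST, headers: out };
}

// HTTP listener for the customer's tracking domain (hypothetical wiring).
function createTrackingProxy() {
  const http = require("http");   // loaded here so the helpers above stay dependency-free
  const https = require("https");
  return http.createServer((req, res) => {
    const options = buildUpstreamOptions(req.method, req.url, req.headers);
    if (!options) { res.writeHead(400); res.end(); return; }
    const upstream = https.request(options, (up) => {
      res.writeHead(up.statusCode, relayHeaders(up.headers));
      up.pipe(res);
    });
    upstream.on("error", () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(upstream);
  });
}
```

`createTrackingProxy().listen(8080)` starts the listener; the method, path, query string and body are passed through unchanged.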

Can I use Subresource Integrity (SRI) with the Kameleoon application file (script or iframe)?

Unfortunately, no. While we like the idea behind SRI and believe it is a good security feature in modern browsers, our application file changes over time. If it did not, we would not be able to provide most of the features that make Kameleoon useful. For example, we would lose the ability to start and stop experiments instantly, without requiring a redeployment of the customer's web platform. Since the contents of our file change, so does the hash of this resource, and thus SRI cannot be used (it would block our resource as soon as it changes on our servers).

With Kameleoon, on Firefox only, my website now loads with a huge flash/flicker effect. Why?

It's a known bug in Firefox. Until it's fixed properly by the Firefox team, there is a workaround: your linked CSS resource should be followed by a <script> tag (even an almost empty one). Example:

<link href="" media="all" rel="stylesheet" type="text/css" />
<script> </script>

This will remove the flashing effect entirely.

Can I use minified versions of the installation tags?

You can, but these scripts are already very short, and using a minified version won't affect the loading time of your web pages at all (remember that this code should already be compressed using Brotli or Gzip compression). Thus we do not recommend the use of minified versions. If you still want to use them, you can find them below.

Asynchronous Loading with Anti-Flicker

<script type="text/javascript">
var a=1000;window.kameleoonQueue=window.kameleoonQueue||[];window.kameleoonStartLoadTime=new Date().getTime();if(!document.getElementById("kameleoonLoadingStyleSheet")&&!window.kameleoonDisplayPageTimeOut){var b=document.getElementsByTagName("script")[0];var c="* { visibility: hidden !important; background-image: none !important; }";var d=document.createElement("style");d.type="text/css";d.id="kameleoonLoadingStyleSheet";if(d.styleSheet){d.styleSheet.cssText=c}else{d.appendChild(document.createTextNode(c))}b.parentNode.insertBefore(d,b);window.kameleoonDisplayPage=function(e){if(!e){window.kameleoonTimeout=true}if(d.parentNode){d.parentNode.removeChild(d)}};window.kameleoonDisplayPageTimeOut=window.setTimeout(window.kameleoonDisplayPage,a)};
</script>
<script type="text/javascript" src="//" async="true"></script>

Cross-Domain Tracking

<script type="text/javascript">
window.kameleoonIframeURL="";var f=document.createElement("a");window.kameleoonLightIframe=false;f.href=window.kameleoonIframeURL;window.kameleoonIframeOrigin=f.origin||(f.protocol+"//"+f.hostname);if(location.href.indexOf(window.kameleoonIframeOrigin)!=0){window.kameleoonLightIframe=true;var g=function(event){if(window.kameleoonIframeOrigin==event.origin&&event.data.slice(0,9)=="Kameleoon"){window.removeEventListener("message",g);window.kameleoonExternalIFrameLoaded=true;if(window.Kameleoon){eval(event.data);Kameleoon.Analyst.load()}else{}}};if(window.addEventListener){window.addEventListener("message",g,false)}var h=document.createElement("iframe");h.src=kameleoonIframeURL;h.id="kameleoonExternalIframe";h.style="float: left !important; opacity: 0.0 !important; width: 0px !important; height: 0px !important;";document.head.appendChild(h)};
</script>

Can I modify the installation tag Kameleoon provides?

You should not modify the installation tags we provide. Their code has been extensively tested and optimized. Many customers modified them only to end up with a non-working setup. If for any reason you think you need to modify your installation tag, please contact your Kameleoon Account Manager, who will put you in touch with our developers to carry out this task. It is strongly recommended NOT to attempt to achieve this on your own.

Can I add the installation tag in a separate external script?

You should not include any installation tag in its own separate, external script. For example, never do this:

<script type="text/javascript" src="resources/scripts/kameloon-loader.js"></script>

while the kameloon-loader.js script contains for instance the following installation code:

// Duration in milliseconds to wait while the Kameleoon application file is loaded
var kameleoonLoadingTimeout = 1000;

window.kameleoonQueue = window.kameleoonQueue || [];
window.kameleoonStartLoadTime = new Date().getTime();

if (!document.getElementById("kameleoonLoadingStyleSheet") && !window.kameleoonDisplayPageTimeOut) {
    var kameleoonS = document.getElementsByTagName("script")[0];
    var kameleoonCc = "* { visibility: hidden !important; background-image: none !important; }";
    var kameleoonStn = document.createElement("style");
    kameleoonStn.type = "text/css";
    kameleoonStn.id = "kameleoonLoadingStyleSheet";

    if (kameleoonStn.styleSheet) {
        kameleoonStn.styleSheet.cssText = kameleoonCc;
    } else {
        kameleoonStn.appendChild(document.createTextNode(kameleoonCc));
    }

    // Hide the page until the engine calls kameleoonDisplayPage or the timeout fires
    kameleoonS.parentNode.insertBefore(kameleoonStn, kameleoonS);
    window.kameleoonDisplayPage = function(fromEngine) {
        if (!fromEngine) {
            window.kameleoonTimeout = true;
        }
        if (kameleoonStn.parentNode) {
            kameleoonStn.parentNode.removeChild(kameleoonStn);
        }
    };

    window.kameleoonDisplayPageTimeOut = window.setTimeout(window.kameleoonDisplayPage, kameleoonLoadingTimeout);
}

// Load the Kameleoon application file dynamically
var scriptNode = document.createElement("script");
scriptNode.src = "//";
scriptNode.type = "text/javascript";
scriptNode.async = true;
document.head.appendChild(scriptNode);

While this may technically work, this is an extremely bad practice. It will literally kill the performance of Kameleoon and introduce a huge flicker effect. In fact, you're kind of implementing your own tag manager by doing that: you will suffer all the problems of using a tag manager without any of the associated benefits. Please, really, don't do it.

Is it possible to encrypt data in case of dedicated data-storage clusters (on-premises setup)?

Yes, we can encrypt the partitions where the data will be stored. This option implies an additional setup cost.

What databases and frameworks does Kameleoon use?

Currently, we use the following NoSQL databases and technologies in our data flow architecture:

  • Hadoop File System (along with Spark);
  • Cassandra;
  • ClickHouse;
  • Kafka.