Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.kameleoon.com/llms.txt

Use this file to discover all available pages before exploring further.

Kameleoon regularly updates this list with common questions from customers.
If your website restricts the loading of resources (scripts, images, media, CSS) via the standard Content-Security-Policy (CSP) HTTP header, update your site’s CSP to allow Kameleoon resources to load.

Easy setup (with wildcards)

script-src always trumps default-src. Do not use this setup if you already use the complete setup in your CSP.
Add the following content to your CSP header configuration:
default-src https://*.kameleoon.com https://*.kameleoon.io https://*.kameleoon.eu https://*.kameleoon.net https://*.experimentation.dev;

Complete setup (fully detailed)

Kameleoon regularly adds new features to the product, which could result in additional URLs. List all possible hosts and resource types (script, image, etc.) explicitly in the CSP header.
Replace [your-site-code] with your Kameleoon site code in each line where it appears and add this to your configuration:
script-src https://[your-site-code].kameleoon.xx https://static.kameleoon.com https://graphical-editor.kameleoon.com https://simulation.kameleoon.com https://client-config.kameleoon.com https://sdk-config.kameleoon.eu https://electra.kameleoon.com https://aibuilder.kameleoon.com https://static.experimentation.dev 'unsafe-eval';
style-src https://static.kameleoon.com https://static.products.kameleoon.com https://graphical-editor.kameleoon.com https://simulation.kameleoon.com https://electra.kameleoon.com https://aibuilder.kameleoon.com https://static.experimentation.dev 'unsafe-inline'; 
connect-src https://[your-site-code].kameleoon.xx https://static.kameleoon.com https://eu-data.kameleoon.io https://eu-data.kameleoon.eu https://na-data.kameleoon.io https://na-data.kameleoon.eu https://editor.kameleoon.com https://graphical-editor.kameleoon.com https://simulation.kameleoon.com https://api.kameleoon.com https://customers.kameleoon.com https://logger.kameleoon.io https://client-config.kameleoon.com https://sdk-config.kameleoon.eu https://api.products.kameleoon.com https://static.experimentation.dev https://sdk-config.experimentation.dev https://eu-data.experimentation.dev;
img-src https://[your-site-code].kameleoon.xx https://storage.kameleoon.eu https://storage.kameleoon.io https://graphical-editor.kameleoon.com https://simulation.kameleoon.com https://static.kameleoon.com https://images.products.kameleoon.com https://static.experimentation.dev;
frame-src 'self' https://graphical-editor.kameleoon.com https://static.experimentation.dev;
Each URL in the CSP policy serves a specific purpose:
Web Experimentation
  • https://[your-site-code].kameleoon.xx: Loads the Kameleoon Web Experimentation Application Script, engine.js (previously named kameleoon.js).
  • https://(eu|na)-data.kameleoon.(eu|io): Used for tracking.
  • https://logger.kameleoon.io: Sends tracking data for logging.
  • https://data.kameleoon.net: Required if you use the Kameleoon Simulation tool to QA experiments across multiple subdomains.
Feature Experimentation (Client-side SDKs)
  • https://client-config.kameleoon.com: Required for SDK versions < 2.1.0.
  • https://sdk-config.kameleoon.eu: Required for SDK versions >= 2.1.0.
  • https://(eu|na)-data.kameleoon.(eu|io): Used for tracking.
  • https://logger.kameleoon.io: Sends tracking data for logging.
Graphic Editors
  • https://static.kameleoon.com: (deprecated) Loads static resources for the old graphic editor.
  • https://editor.kameleoon.com: (deprecated) Used by the old graphic editor.
  • https://graphical-editor.kameleoon.com: Used by the new graphic editor.
  • https://storage.kameleoon.(eu|io): Loads images used in experiments created with the graphic editors.
Prompt-Based Experimentation (PBX)
  • https://aibuilder.kameleoon.com: Used by the prompt-based editor.
  • https://electra.kameleoon.com: Used by the prompt-based editor.
  • https://storage.kameleoon.(eu|io): Loads images in the prompt-based editor.
  • https://api.kameleoon.com: Loads account-related information.
  • https://sdk-config.kameleoon.eu: Controls Kameleoon feature flags activated in the prompt-based editor.
Simulation
  • https://api.kameleoon.com: Used by the old simulation.
  • https://simulation.kameleoon.com: Used by the new simulation.
Product Recommendation
  • https://static.products.kameleoon.com: Loads resources for the Product Recommendation module.
  • https://api.products.kameleoon.com: API used by the Product Recommendation module.
  • https://images.products.kameleoon.com: Loads product images for recommendations.
APIs & Integrations
  • https://api.kameleoon.com: Required if you intend to use the Automation API for testing directly from the browser.
  • https://customers.kameleoon.com: Required if you use the SDK API or a custom integration developed by Kameleoon.
Internal Resources
By default, engine.js does not include simulation paths or application-specific information to minimize script size. To provide these details, load the full script kameleoonFull.js, which supplies engine.js with necessary data on internal resources and loading instructions.
  • https://static.kameleoon.com: Loads internal resources.
  • https://static.experimentation.dev: Loads internal resources.
  • https://sdk-config.experimentation.dev: Controls Kameleoon feature flags activated in the Kameleoon product.
  • https://eu-data.experimentation.dev: Sends tracking data for logging purposes.
The domain for your Kameleoon scripts https://[your-site-code].kameleoon.xx may vary from one project to another. Projects use either kameleoon.eu or kameleoon.io depending on their creation date. Use the domain displayed in the Kameleoon App for your project.
No. Kameleoon’s script uses cutting-edge technology to run asynchronously (when using the async installation snippet) and remains fully cached by the browser for 90 minutes. It never blocks page loading, even during rare CDN incidents (99.99% uptime). On average, the script loads in under 70ms over a 4G connection or faster network conditions.Kameleoon further minimizes impact through advanced compression techniques, combining TypeScript and Brotli, resulting in a base script size of just 28.4 KB.

Important considerations

Script size may increase depending on the number of experiments you run and their content (CSS/JavaScript).For experiments or personalization campaigns that do not need to load immediately, use the “DELAYED” tag. This delays loading non-essential experiments until after the first page load. Kameleoon intelligently manages these: it only downloads configuration after 10 seconds of idle time or when a visitor is targeted and allocated a variation other than the control. This approach ensures minimal impact on load performance while still delivering full functionality for prioritized experiments.
The Kameleoon JavaScript engine requires the eval() function to add custom code to Kameleoon, such as custom data and custom JavaScript, when implementing variations of a page. The eval() function allows Kameleoon to dynamically execute this custom code at runtime.If you use a Content Security Policy (CSP) directive that prevents the use of the eval() function, implement the following JavaScript snippet before the Kameleoon installation tag:
<script>
window.kameleoonQueue = window.kameleoonQueue || [];

function excludeKameleoonEval() {
	Kameleoon.Utils.runProtectedScript = function (code, fileName) {
		const script = document.createElement("script");

		const wrappedCode = "(function () {\n" + code + "\n})();";
		script.innerHTML = wrappedCode;

		if (fileName) {
			script.innerHTML += "\n//# sourceURL=" + fileName;
		}

		document.head.appendChild(script);
	};
}

kameleoonQueue.push({
	level: "IMMEDIATE",
	command: excludeKameleoonEval
}); 
</script>

//Add the Kameleoon Installation tag here. Refer to this documentation: https://developers.kameleoon.com/developer-docs/web-experimentation/implementation-and-deployment/standard-implementation.mdx
<script src="//SITE_CODE.kameleoon.eu/engine.js" fetchpriority="high" async></script>
If your CSP blocks eval(), implementing the code snippet will not remove these restrictions. To ensure full functionality, adjust the relevant CSP directive to allow eval() or similar functions. Otherwise, certain advanced targeting or customization features in Kameleoon remain inaccessible due to browser security enforcement.
The Kameleoon Graphic Editor (including the simulation panel) also requires the eval() function. However, you can work around this requirement by installing the Kameleoon Chrome Extension and enabling the Dev Tools > Tag injection > Bypass policies setting to override the policies locally. You must also provide your sitecode. Enabling the Bypass policies setting allows you to use the Graphic editor in a Chrome browser.
Bypass policies setting in the Chrome extension
Some features of Kameleoon are not available if a CSP directive blocks the eval() function. These limitations apply even if you use any code snippet or workaround mentioned in the FAQ. The following features will remain unavailable unless your CSP explicitly allows eval():
  • Targeting a segment with a custom JavaScript condition (only supported when the condition runs asynchronously).
Targeting condition async setting
  • Using custom data with custom JavaScript code.
  • Using acquisition channels with custom JavaScript code.
Yes, Kameleoon offers this advanced option. Forward all HTTP requests received on your server to (eu|na)-data.kameleoon.(eu|io). For example, if you choose tracking.yourdomain.com as your tracking domain, a tracking request would be a POST to tracking.yourdomain.com. Your server should then forward the request, along with all necessary data and parameters, to the (eu|na)-data.kameleoon.(eu|io) host. To enable this option, contact your Customer Success Manager.
When forwarding requests to (eu|na)-data.kameleoon.(eu|io), ensure you rewrite the request URL to (eu|na)-data.kameleoon.(eu|io). It is not enough to forward the request while keeping the original Host: HTTP header set to your domain. Set the Host: header to (eu|na)-data.kameleoon.(eu|io).
Unfortunately, no. While SRI provides a useful security feature, the Kameleoon application file changes over time. If it did not, features like starting and stopping experiments instantly without a redeployment would be impossible. Since the file contents change, the resource hash also changes, meaning SRI cannot be used. Otherwise, the browser would block the resource as soon as it updates on the servers.
This is a known bug on Firefox. Until the Firefox team fixes it, follow this workaround: ensure your linked CSS resource is followed by a <script> tag (even an almost empty one).Example:
<link href="https://www.example.com/web/style.css" media="all" rel="stylesheet" type="text/css" />
<script>/**/</script>
This removes the flashing effect entirely.
Kameleoon scripts are already short, and using a minified version does not meaningfully affect page load time because the code is already compressed using Brotli or Gzip. Kameleoon does not recommend minified versions, but if required, they are available below.

Asynchronous loading with anti-flicker

<script>
  var a=750;window.kameleoonQueue=window.kameleoonQueue||[];window.kameleoonStartLoadTime=Date.now();if(!document.getElementById("kameleoonLoadingStyleSheet")&&!window.kameleoonDisplayPageTimeOut){var b=document.getElementsByTagName("script")[0];var c="html::after { content: ''; position: fixed; inset: 0; background: #fff; z-index: 2147483647; }";var d=document.createElement("style");d.type="text/css";d.id="kameleoonLoadingStyleSheet";if(d.styleSheet){d.styleSheet.cssText=c}else{d.appendChild(document.createTextNode(c))}b.parentNode.insertBefore(d,b);window.kameleoonDisplayPage=function(e){if(!e){window.kameleoonTimeout=true}if(d.parentNode){d.parentNode.removeChild(d)}};window.kameleoonDisplayPageTimeOut=window.setTimeout(window.kameleoonDisplayPage,a)};
</script>
<script src="//SITE_CODE.kameleoon.eu/engine.js" fetchpriority="high" async></script>

Unify session data across subdomains

If you use the unified session data tag to unify session data across subdomains with either the synchronous tag or the asynchronous tag without anti-flicker:
<script>
  window.kameleoonIframeURL="https://www.customerdomain.com/path/to/kameleoon-iframe.html";var f=document.createElement("a");window.kameleoonLightIframe=false;f.href=window.kameleoonIframeURL;window.kameleoonIframeOrigin=f.origin||(f.protocol+"//"+f.hostname);if(location.href.indexOf(window.kameleoonIframeOrigin)!=0){window.kameleoonLightIframe=true;var g=function(event){if(window.kameleoonIframeOrigin==event.origin&&event.data.slice&&event.data.slice(0,9)=="Kameleoon"){window.removeEventListener("message",g);window.kameleoonExternalIFrameLoaded=true;if(window.Kameleoon){Kameleoon.Utils.runProtectedScript(event.data);Kameleoon.Analyst.load()}else{window.kameleoonExternalIFrameLoadedData=event.data}}};if(window.addEventListener){window.addEventListener("message",g,false)}var h=document.createElement("iframe");h.src=kameleoonIframeURL;h.id="kameleoonExternalIframe";h.style="float: left !important; opacity: 0.0 !important; width: 0px !important; height: 0px !important;";document.head.appendChild(h)};
</script>
If you use the unified session data tag and the asynchronous tag with anti-flicker, add the three script tags in the following order:
  1. Asynchronous tag with anti-flicker.
  2. Unified session data tag.
  3. Kameleoon installation tag.
<script>
  var a=750;window.kameleoonQueue=window.kameleoonQueue||[];window.kameleoonStartLoadTime=Date.now();if(!document.getElementById("kameleoonLoadingStyleSheet")&&!window.kameleoonDisplayPageTimeOut){var b=document.getElementsByTagName("script")[0];var c="html::after { content: ''; position: fixed; inset: 0; background: #fff; z-index: 2147483647; }";var d=document.createElement("style");d.type="text/css";d.id="kameleoonLoadingStyleSheet";if(d.styleSheet){d.styleSheet.cssText=c}else{d.appendChild(document.createTextNode(c))}b.parentNode.insertBefore(d,b);window.kameleoonDisplayPage=function(e){if(!e){window.kameleoonTimeout=true}if(d.parentNode){d.parentNode.removeChild(d)}};window.kameleoonDisplayPageTimeOut=window.setTimeout(window.kameleoonDisplayPage,a)};
</script>
<script>
  window.kameleoonIframeURL="https://www.customerdomain.com/path/to/kameleoon-iframe.html";var f=document.createElement("a");window.kameleoonLightIframe=false;f.href=window.kameleoonIframeURL;window.kameleoonIframeOrigin=f.origin||(f.protocol+"//"+f.hostname);if(location.href.indexOf(window.kameleoonIframeOrigin)!=0){window.kameleoonLightIframe=true;var g=function(event){if(window.kameleoonIframeOrigin==event.origin&&event.data.slice&&event.data.slice(0,9)=="Kameleoon"){window.removeEventListener("message",g);window.kameleoonExternalIFrameLoaded=true;if(window.Kameleoon){Kameleoon.Utils.runProtectedScript(event.data);Kameleoon.Analyst.load()}else{window.kameleoonExternalIFrameLoadedData=event.data}}};if(window.addEventListener){window.addEventListener("message",g,false)}var h=document.createElement("iframe");h.src=kameleoonIframeURL;h.id="kameleoonExternalIframe";h.style="float: left !important; opacity: 0.0 !important; width: 0px !important; height: 0px !important;";document.head.appendChild(h)};
</script>
<script src="//SITE_CODE.kameleoon.eu/engine.js" fetchpriority="high" async></script>
Do not modify installation tags. Their code is extensively tested and optimized. Modifying them can result in a non-working setup. If an installation tag requires modification, contact your Kameleoon Account Manager to coordinate with developers. Do not attempt independent modifications.
Do not include any installation tag in its own separate, external script. For example, never do this:
<script src="resources/scripts/kameloon-loader.js" fetchpriority="high" async></script>
While this may technically work, it significantly affects Kameleoon performance and introduces a noticeable flicker effect. This setup creates the problems of using a tag manager without any associated benefits.
Yes, partitions where data is stored can be encrypted. This option requires an additional setup cost. Contact your Customer Success Manager for more information.
Yes, you can delay non-essential experiments until after the first page load. To delay an experiment, add the DELAYED tag to the experiments you want to defer. For more information, see the managing tags documentation.Kameleoon intelligently manages experiments tagged as “DELAYED.” It only downloads configuration after 10 seconds of idle time or when the visitor is targeted and allocated a variation other than the control. Focus on delivering the best user experience by deferring resource-intensive tests.
Kameleoon’s platform provides high scalability and elasticity, ensuring optimal performance as data volumes grow. The platform handles a mean load of 20,000 queries per second with peaks up to 100,000 queries. Key factors include:
  • Scalable architecture: Distributed and modular architecture allows for horizontal scaling.
  • Auto-scaling infrastructure: Cloud-based infrastructure automatically scales computational resources.
  • Load Balancing: Advanced techniques distribute traffic evenly across servers.
  • Data ingestion and processing: Robust APIs and a data broker manage large volumes of data efficiently.
  • Testing for scalability: Regular load and stress testing ensure the system handles extreme conditions.
  • Elastic data storage: Multi-tiered storage allows for rapid data access and long-term scalability.
Kameleoon uses the following NoSQL databases and technologies in the data flow architecture:
  • Hadoop File System (along with Spark)
  • Cassandra
  • ClickHouse
  • Kafka
The Kameleoon engine initiates several network requests to ensure seamless functionality:

Segments Request

  • Purpose: Collects events for targeted segments by the visitor.
  • Endpoint: https://${SITECODE}.kameleoon.io/audiences/segments.js
  • Method: GET
  • Note: The browser caches the file for 90 minutes.

Live-update Experiments Configuration Request

  • Purpose: Retrieves LIVE-UPDATE tagged experiments configuration.
  • Endpoint: https://${SITECODE}.kameleoon.io/live-experiments/config.js
  • Method: GET
  • Note: The browser caches the file for 2 minutes.

Deferred Experiment Variation Request

  • Purpose: Loads variation data for DELAYED tagged experiments.
  • Endpoint: https://${SITECODE}.kameleoon.io/experiments/${action.id}/variations/${variationId}.js
  • Method: GET
  • Note: The browser caches the file for 30 days.

Deferred Personalization Variation Request

  • Purpose: Loads variation data for DELAYED tagged personalizations.
  • Endpoint: https://${SITECODE}.kameleoon.io/personalizations/${action.id}/variations/${variationId}.js
  • Method: GET
  • Note: The browser caches the file for 30 days.

Previous Visits Request

Tracking Events Request

  • Purpose: Records events during visits.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/visit/events
  • Method: POST
Kameleoon sends an event every 15 seconds when a scroll or click occurs. This ensures correct session length tracking. If the engine detects no activity, it makes no additional tracking call.

IP address Request

  • Purpose: Enables exclusion/inclusion of visitors based on IP address.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/ip
  • Method: GET
  • Note: Kameleoon never stores IPs in databases. The visitor’s browser employs the IP solely for comparison purposes.

Geolocation Request

  • Purpose: Obtains geolocation data for targeting and analytics.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/geolocation
  • Method: GET

Current Weather Request

  • Purpose: Returns current weather conditions.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/weather/weather
  • Method: GET

Weather Forecast Request

  • Purpose: Returns a 5-day weather forecast.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/weather/forecast
  • Method: GET

Kameleoon Script Detection Request

  • Purpose: Detects the implementation status of the Kameleoon Script.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/active-script/event
  • Method: POST

Products Request

  • Purpose: Gathers product events for targeting and recommendations.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/product/events
  • Method: POST

Kameleoon Conversion Scores Request

  • Purpose: Retrieves predictive scores for targeting.
  • Endpoint: https://(eu|na)-data.kameleoon.(eu|io)/predict/latestPredictionScoreHistograms
  • Method: GET