Some Background
Toybox uses an iframe with your site url so we can control the dimensions of the viewport and show you a nice sidebar without covering up anything on your beautiful site. 

If you are reading this doc, it's likely that you have set your servers configuration to prevent iframes of any kind. In order for Toybox to work we need this configuration to be relaxed slightly to 'SAMEORIGIN'

We understand that there is a reason for your security settings and we respect that. We find that our users can get a ton of value out of the product even if they only use it on a staging url. For teams that don't feel comfortable updating their production settings we advise them to relax only the staging configuration.

A little more background on this setting.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page displaying in a frame or iframe.
  3. ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.


(If you have a different type of server running the instructions should be very similar)

  • Go to where Nginx is installed and then conf folder
  • Take a backup before modifying
  • Add the following parameter in nginx.conf under server section
add_header X-Frame-Options "SAMEORIGIN";
  • Restart Nginx web server

If you have any questions at all please do not hesitate to reach out!

- Jono

Did this answer your question?