Cross-origin tracking

Enable cross-origin tracking

Only collaborators with the role of Administrator can make changes in the Account Settings. 

1. Go to Account Settings > Security and Privacy > Cross-Origin Tracking.

2. Un-check the box for Use Automatically Discovered URLs.
   

3. Enter the URLs where events should be tracked and use the Match Type dropdown to target specific origins or groups of origins.
   
   Unlike URL Targeting, the value matched with the pattern is specifically the origin portion of the URL, not the whole URL. There are several ways to specify origin patterns:

   • http://example.com (exact match)

   • https://shop.example.com (exact match)

   • example.com (suffix match)

     This includes origins like http://example.com and https://shop.example.com but no other top-level domains. Data may be shared with other second-level domains.

   • https://(.*\.)example.com$ (RegEx match)
     This includes all of example.com when accessed via the secure https protocol. If you do not terminate the regular expression by placing the $ character after your domain, your data may be shared with other top-level and second-level domains.

4. Use the URL Match Validator to check that your targeting matches the URLs you expect. You can check full URLs, including path, query string, and hash, but those portions of the URL are ignored by the match pattern.

5. Click Save.

Allowed, blocked, and auto-generated origins

When you enable cross-origin tracking, you define a set of allowed and blocked origins. The origins you want to share visitor data with are the allowed origins. The origins you want to exclude from sharing are the blocked origins. 

Optimizely Web Experimentation can also set the cross-origin tracking allowed origins for you. When you enable auto-generated origins, Optimizely Web Experimentation automatically sets your allowed origins based on the URLs you use in the pages, URL targeting, and redirect experiments you create. You can manually move an origin from allowed to blocked if needed.

When you create a page, set URL targeting, or create a redirect variation, Optimizely Web Experimentation resolves the URL you provide down to the URL's top-level origin. The result mimics the scope of a cookie set on the base origin with a leading period. Visitor data is shared across all of the URL's subdomains and protocols.

Blocked origins take precedent, so a URL on your blocked origins list cannot access events from other origins even if you also set it as an allowed origin.

Cross-origin tracking is an account-level setting. Allowed, blocked, and auto-generated origins are aggregated across all projects in your account. 

When not to use cross-origin tracking

If you use performance monitoring tools like Catchpoint, you see a synthetic increase in page performance and latency metrics. This change in performance is an artifact of the methods these tools use to track performance. It does not affect the actual performance of your page.

Optimizely Web Experimentation uses an iframe to seamlessly sync all events across those origins. This is done asynchronously and does not affect your visitors’ experience. However, you see the persistence of this iframe recorded in your performance monitoring tools as an increase in various page load metrics. These monitoring tools push out those measurements while waiting for the iframe to be added.

If you have a customer journey that does not cross origins, you may decide not to set cross-origin tracking at all. For example, if you run experiments exclusively on the domain https://shop.example.com and do not track events from a different subdomain (https://blog.example.com) or a different security protocol (http://shop.example.com), you may not need cross-origin tracking. 

If you do not track any events across origins, you can decide not to set it up. However, if you do not set cross-origin tracking and need to track events across origins, you risk losing event data.

Troubleshoot cross-origin tracking

Cross-origin tracking does not work if any of these are true:

• The origin setting in your optimizely.com account is set incorrectly.

• The visitor's browser blocks all iframes or iframes specifically from *.cdn.optimizely.com.

• The browser’s privacy settings prevent setting or retrieving localStorage keys from iframe origins.

Some browsers block cross-origin iframe localStorage if third-party cookies are disabled, and Optimizely Web Experimentation's iframe does not function when a visitor is on your website. In this situation, the Optimizely Web Experimentation iframe is from a third-party origin.

Cross-domain targeting

Events can be targeted across origins only for the current Optimizely Web Experimentation User ID, which is stored in the optimizelyEndUserId cookie. Browsers prevent sharing cookies across domains (for example,https://www.example.com and https://www.anotherexample.com) and across top-level domains (for example, https://www.example.com and https://www.example.net).

This means Optimizely Web Experimentation is unable to set consistent user IDs across such domains. For cross-domain targeting to work, you must manually sync the optimizelyEndUserId cookie across domains using other means. Optimizely recommends using the waitForOriginSyncfunction, as long as two snippets (projects) are linked and use the same localStorage namespace. (Using the same snippet across two domains is not necessarily required.)

For example, the following code would be implemented in the head tags before the Optimizely Web Experimentation Snippet, or in Project Javascript:

// ensures the optimizely object is defined globally
window.optimizely = window.optimizely || [];

// set the waitForOriginSync API call
// place your own domains in the canonicalOrigins array
window.optimizely.push({
  "type": "waitForOriginSync",
  "canonicalOrigins": ["optimizely.com", "developers.optimizely.com"]
});