Question: I'm seeing this error when I open up my browsers developers tools:
Refused to display 'https://xxfilenamexx/dispatchapi.html' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
**Please note the actual file name has been changed for this article**
The problem is that (by necessity) dispatch packages must be able to load dispatchapi.html from the remote host (the 3rd party LMS, in this case) in a frame with the cloud.scorm.com origin. This doesn't work currently because the 3rd party LMS sets X-Frame-Options to SAMEORIGIN for SCORM content. We don't see many LMSes with this behavior, but dispatches are unfortunately simply not compatible with those LMSes.
This problem can only be resolved by the third party LMS. There are two possible paths forward:
- They can whitelist cloud.scorm.com in their X-Frame-Options header for their course content files.
- They can simply not use X-Frame-Options for the course content files
Note, in both cases, the security impact is limited if the 3rd party LMS only applies these changes to the course content files. SCORM Cloud (and anyone else building a dispatch-like solution) will not need to be able to embed the rest of the 3rd party LMS UI and/or API pages in external frames.
If you have any questions please send us a message at email@example.com