As part of the ongoing effort to provide a secure and reliable environment for our customers, LivePerson prevents clickjacking attacks on chat windows.
This was achieved by preventing the chat window from being embedded within an iframe.

To implement this:

  • LivePerson added an X-Frame-Options header with the "Deny" value to each server response. (This was done to support next generation browsers.)
  • LivePerson added the following "frame busting" JavaScript code to the chat window. (This was done to support old generation browsers.)

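    <style> html { visibility:hidden; } </style>
    <script language="JavaScript" type="text/javascript">
    // The page starts hidden; reveal it only when it is the top-level window.
    if (self == top) {
        document.documentElement.style.visibility = 'visible';
    } else {
        // Framed: navigate the top window to this page to break out of the frame.
        top.location = self.location;
    }
    </script>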

NOTE: LivePerson can enable embedding the chat window within an iframe per customer request. However, this will expose your visitors to potential clickjacking attacks. We strongly recommend consulting a security expert prior to requesting this change.
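
To verify which framing policy a given response actually carries, the header check can be automated. The following is an added example, not LivePerson's code: a Node.js function that classifies a response from its headers. It also reads the CSP frame-ancestors directive, which goes beyond what this page describes; the function name, the policy labels and the sample header values are assumptions made for illustration.

```javascript
// Added example (not LivePerson's code): classify how response headers restrict framing.
// `headers` is a plain object of header name -> value; all names here are illustrative.
function auditFraming(headers) {
  const h = Object.fromEntries( // header names are case-insensitive
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  let policy = 'frameable';

  const xfo = h['x-frame-options'];
  if (xfo === undefined) {
    findings.push('X-Frame-Options missing');
  } else {
    // A header sent twice arrives comma-joined, so split before comparing.
    const values = [...new Set(xfo.split(',').map((v) => v.trim().toUpperCase()))];
    if (values.length > 1) {
      policy = 'ambiguous'; // do not rely on how a browser resolves a conflict
      findings.push('X-Frame-Options has conflicting values: ' + values.join(', '));
    } else if (values[0] === 'DENY') {
      policy = 'deny';
    } else if (values[0] === 'SAMEORIGIN') {
      policy = 'sameorigin';
    } else if (values[0].startsWith('ALLOW-FROM')) {
      findings.push('ALLOW-FROM is obsolete and ignored by current browsers');
    } else {
      findings.push('X-Frame-Options value not recognised: ' + values[0]);
    }
  }
  // Generalisation beyond the page: CSP frame-ancestors, when present,
  // takes precedence over X-Frame-Options in browsers that support it.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) {
      policy = 'deny';
    } else if (sources.length === 1 && sources[0] === "'self'") {
      policy = 'sameorigin';
    } else {
      policy = 'frameable';
      findings.push('frame-ancestors allows: ' + sources.join(' '));
    }
  }
  return { policy, findings };
}

console.log(auditFraming({ 'X-Frame-Options': 'Deny' })); // constructed sample header
```

A result other than 'deny' on a chat window response means the window can be embedded by at least some origins, which is the state the NOTE above describes.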