We strongly recommend using the frame-ancestors directive from the official Content Security Policy (CSP) Level 2 specification instead of using the unofficial X-FRAME-OPTIONS header.
If switching to CSP is not an option, you can still use the Pendo in-app designer one of two ways:
Since X-FRAME-OPTIONS is not an official standard, there are various implementations which may not support this value. We tested this on Firefox 43.
You must specify the app.pendo.io URI. Note you can only include one URI per ALLOW-FROM separated by semi-colon.
X-Frame-Options: ALLOW-FROM https://app.pendo.io