Threekit for Salesforce CPQ is not working at all

I’ve installed three packages in my scratch org to run the demo of Threekit:

  1. TKCPQ
  2. CPQ package
  3. threekit_mfg - demo kit

I followed all the steps mentioned here: https://www.threekit.com/salesforce-demokit but the configurator is not working as intended. Additionally, I checked the following settings:

  1. Enable clickjack protection for customer Visualforce pages with headers disabled - set to false
  2. Enable XSS protection - set to true
  3. Generated a public token on the admin.threekit side and linked it in the package configuration

The error on the configurator is:
The web page at **https://ruby-saas-45572-dev-ed.cs102--tkcpq.visualforce.com/apex/ThreekitCustomConfigurator?xdm_e=https%3A%2F%2Fruby-saas-45572-dev-ed--sbqq.visualforce.com&xdm_c=sbQQ&xdm_p=1** might be temporarily down or it may have moved permanently to a new web address.

Can you point me to the docs where I can find the whole step by step configuration?

Additionally, I am receiving the following error in the browser console:
Refused to display '<URL>' in a frame because it set 'X-Frame-Options' to 'deny'.

@Szymon_Halik_CC - Are you using Chrome? Would you be able to test this in a second browser type? I suspect this might be a new Chrome security feature. I want to make sure.

I am using Chrome as my default browser. I did some tests in Firefox and Safari also - the outcome is the same :neutral_face:
Firefox error:
Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src").
Safari error:
Failed to load resource: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “ruby-saas-45572-dev-ed.cs102--tkcpq.visualforce.com”, which could put your confidential information at risk.

Thanks. One more question. Are you doing this through a community?

Also - you may need to add a remote site setting for admin.threekit.com if that is where your connection point is.

I am not using communities, yet. The admin.threekit.com domain is added with the demo package

Hi Szymon -

I believe the issue is that your token is not scoped correctly. In the future you can find the domain that is expected in the console error message.

Access to XMLHttpRequest at “THREEKIT RESOURCE” from origin ‘DOMAIN’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Summing up, the issue was straightforward. The public token should be scoped to the domain in the format of visualforce, not lightning (the custom configurator is a VF page). This official Salesforce documentation will help with figuring out the proper URL format for all URL types.

The second problem that I encountered was related to my browser's usage of the WebGL library. Chrome has a setting, "Use hardware acceleration when available", which was disabled in my case. Enabling this feature will trigger WebGL 2.0 for rendering interactive 2D and 3D graphics, necessary for the Threekit player.
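Added example (not part of the thread, and not Threekit or Salesforce code): a small check that takes the configurator URL from the error above, derives the origin the browser reports for requests made by that Visualforce page, and compares it with the domains a token is scoped to. The function names, the exact-hostname comparison, the reading of `xdm_e` as the embedding page, and the sample token domain lists are assumptions made for illustration.

```javascript
// Classify a Salesforce hostname by domain family (suffixes as seen in this thread).
function domainFamily(hostname) {
  const h = hostname.toLowerCase();
  if (h.endsWith('.visualforce.com')) return 'visualforce';
  if (h.endsWith('.lightning.force.com')) return 'lightning';
  return 'other';
}

// Compare the origin of the page that issues the XHR with the token's domains.
// Assumption: the token service matches on the exact hostname.
function checkTokenScope(pageUrl, tokenDomains) {
  const page = new URL(pageUrl);
  const requestHost = page.hostname.toLowerCase();
  // xdm_e is percent-encoded in the query string; searchParams decodes it.
  const xdmE = page.searchParams.get('xdm_e');
  const allowed = tokenDomains.map((d) => d.trim().toLowerCase());
  return {
    requestOrigin: page.origin,               // value shown as 'DOMAIN' in the CORS error
    requestFamily: domainFamily(requestHost),
    embeddingOrigin: xdmE ? new URL(xdmE).origin : null,
    scoped: allowed.includes(requestHost),
    // Domains on the token that belong to a different family than the page.
    wrongFamily: allowed.filter((d) => domainFamily(d) !== domainFamily(requestHost)),
  };
}

// URL copied from the error message in the first post.
const CONFIGURATOR_URL =
  'https://ruby-saas-45572-dev-ed.cs102--tkcpq.visualforce.com/apex/ThreekitCustomConfigurator' +
  '?xdm_e=https%3A%2F%2Fruby-saas-45572-dev-ed--sbqq.visualforce.com&xdm_c=sbQQ&xdm_p=1';

// Constructed token scopes: a lightning-format host (mis-scoped) and the VF host.
const LIGHTNING_SCOPED = ['ruby-saas-45572-dev-ed.lightning.force.com'];
const VF_SCOPED = ['ruby-saas-45572-dev-ed.cs102--tkcpq.visualforce.com'];

console.log(checkTokenScope(CONFIGURATOR_URL, LIGHTNING_SCOPED));
console.log(checkTokenScope(CONFIGURATOR_URL, VF_SCOPED));
```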