I see that some Shopify stores return a different configuration in the HTTP csp header.
In my test store, it is:
content-security-policy: block-all-mixed-content; frame-ancestors 'none'; ...
but in other stores, like https://www.bluebella.com - it is:
content-security-policy: block-all-mixed-content; frame-ancestors *; ...
I would like to change the csp of my store, so that it would be: frame-ancestors *;
or at least: frame-ancestors 'self'
Does anyone know how I can configure this header?
By default, Shopify prevents stores from being rendered in an iframe, which mitigates the possibility of clickjacking attacks. This includes setting the CSP header to none, and setting X-Frame-Options to DENY. To have this disabled, the account owner can contact our support team and ask them to disable clickjacking protection.
JB | Developer Support @ Shopify
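The protection described in the answer (CSP `frame-ancestors 'none'` plus `X-Frame-Options: DENY`) can be verified from the defender's side by evaluating a response's headers against a would-be embedding origin. The following Python is an added example, not Shopify's code or anything posted in this thread; the header values and origins are constructed, and it applies the standard rule that a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options` when both are present (ports are ignored for brevity).

```python
"""Decide whether a page's response headers permit framing by a given origin."""
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _source_matches(source, embedder, page_origin):
    """Match one frame-ancestors source expression against the embedder origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return embedder == page_origin
    if src in ("http:", "https:"):          # scheme-source: any host on that scheme
        return embedder.startswith(src + "//")
    scheme, _, host = src.rpartition("//")  # host-source, scheme optional
    emb = urlsplit(embedder)
    if scheme and emb.scheme + ":" != scheme:
        return False
    if host.startswith("*."):               # wildcard subdomain, e.g. *.shop.example
        return emb.hostname.endswith(host[1:])
    return emb.hostname == host


def framing_allowed(headers, page_origin, embedder_origin):
    """Return True if embedder_origin may frame page_origin under these headers.

    CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
    Missing both headers means the page is framable by anyone (no protection).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(hdrs.get("content-security-policy", ""))
    if "frame-ancestors" in csp:            # empty source list behaves like 'none'
        return any(_source_matches(s, embedder_origin, page_origin)
                   for s in csp["frame-ancestors"])
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True
```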