I see that some Shopify stores return a different configuration in the HTTP csp header.
In my test store, it is:
content-security-policy: block-all-mixed-content; frame-ancestors 'none'; ...
but in other stores, like https://www.bluebella.com - it is:
content-security-policy: block-all-mixed-content; frame-ancestors *; ...
I would like to change the csp of my store, so that it would be: frame-ancestors *;
or at least: frame-ancestors 'self'
Does anyone know how I can configure this header?
By default, Shopify prevents stores from being rendered in an iframe, which mitigates the possibility of clickjacking attacks. This includes setting the CSP header to none, and setting X-Frame-Options to DENY. To have this disabled, the account owner can contact our support team and ask them to disable clickjacking protection.
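Added example (not code from this thread, Shopify or any store): a small Python checker that applies the frame-ancestors values discussed above ('none', 'self', *, and a host source) plus the X-Frame-Options fallback to decide whether a given origin could frame a page. The store and embedder URLs are assumed placeholders.

```python
# Added example (not from the thread): decide whether a page's response
# headers let a given origin embed it in an iframe, i.e. how 'none', 'self'
# and * in frame-ancestors, and the X-Frame-Options fallback, behave.
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _same_origin(a, b):
    a, b = urlsplit(a), urlsplit(b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)

def _source_allows(source, page_url, embedder_url):
    """Does one frame-ancestors source expression admit the embedder?"""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return _same_origin(page_url, embedder_url)
    emb = urlsplit(embedder_url)
    host = urlsplit(src if "://" in src else "//" + src)   # host source
    if host.scheme and host.scheme != emb.scheme:
        return False
    if host.hostname.startswith("*."):                      # wildcard subdomain
        return emb.hostname.endswith(host.hostname[1:])
    return emb.hostname == host.hostname

def framing_allowed(headers, page_url, embedder_url):
    """True if embedder_url may frame page_url. `headers` is a dict keyed by
    lower-case header name (constructed sample input; real values come from the
    store's HTTP response). Per CSP3, frame-ancestors overrides X-Frame-Options."""
    csp = parse_csp(headers.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = csp["frame-ancestors"] or ["'none'"]  # empty list == 'none'
        return any(_source_allows(s, page_url, embedder_url) for s in sources)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(page_url, embedder_url)
    return True                                  # no framing restriction at all
```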
@_JB Is it only possible to turn clickjacking protection on/off? If the CSP header is set to SELF, is clickjacking possible? Because right now we have