Customize csp. content-security-policy: frame-ancestors 'none'

Shopify Partner

Hi,

I see that some Shopify stores return a different configuration in the HTTP CSP header.

In my test store, it is:

content-security-policy: block-all-mixed-content; frame-ancestors 'none'; ...
but in other stores, like https://www.bluebella.com - it is:
content-security-policy: block-all-mixed-content; frame-ancestors *; ...

I would like to change the CSP of my store, so that it would be: frame-ancestors *;
or at least: frame-ancestors 'self'
Does anyone know how I can configure this header?

Thanks,
EyalS

Shopify Staff

Hey @EyalS,

By default, Shopify prevents stores from being rendered in an iframe, which mitigates the possibility of clickjacking attacks. This includes setting the CSP header to none, and setting X-Frame-Options to DENY. To have this disabled, the account owner can contact our support team and ask them to disable clickjacking protection.

JB | Developer Support @ Shopify

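To see how the two headers in this thread interact, here is an added example (not from the thread or from Shopify) that evaluates whether a page with given response headers may be embedded by a given parent origin. It applies the browser rule that a CSP frame-ancestors directive, when present, takes precedence and X-Frame-Options is ignored; the store URLs and headers are constructed for illustration.

```python
"""Evaluate framing permission from CSP frame-ancestors and X-Frame-Options."""
from urllib.parse import urlsplit

# Constructed sample headers modelled on the two variants quoted in the thread.
LOCKED_STORE = {"Content-Security-Policy": "block-all-mixed-content; frame-ancestors 'none'; ...",
                "X-Frame-Options": "DENY"}
OPEN_STORE = {"Content-Security-Policy": "block-all-mixed-content; frame-ancestors *; ...",
              "X-Frame-Options": "DENY"}  # CSP wins: framing is still allowed everywhere


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _source_matches(src: str, parent: str, page: str) -> bool:
    """Does one frame-ancestors source expression allow the parent origin?"""
    p, me = urlsplit(parent), urlsplit(page)
    if src == "*":
        return True
    if src == "'self'":
        return (p.scheme, p.netloc) == (me.scheme, me.netloc)
    if src.endswith(":"):  # scheme source such as https:
        return p.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")  # host source, optional scheme
    if scheme and scheme != p.scheme:
        return False
    if host.startswith("*."):  # wildcard matches subdomains only
        return (p.hostname or "").endswith(host[1:])
    return p.netloc == host or p.hostname == host


def may_be_framed(headers: dict, page_url: str, parent_origin: str) -> bool:
    """True if a browser honouring both headers would render page_url inside parent_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # CSP present: X-Frame-Options is ignored
        if "'none'" in sources:
            return False
        return any(_source_matches(s, parent_origin, page_url) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return urlsplit(page_url).netloc == urlsplit(parent_origin).netloc
    return True  # neither header: framing allowed
```

The function also covers 'self', scheme and wildcard host sources beyond the three values the thread mentions, so it can be run against any store's headers to confirm clickjacking protection is actually in force.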