Shopify x Hubspot Content Security Policy

Solved
SarahT2
New Member
2 0 0

While embedding HubSpot forms into my Shopify site I am running into some issues with Content Security Policies.

Shopify's Content Security Policy includes: frame-ancestors 'none' while HubSpot's includes: frame-ancestors 'self'.

These seem to be incompatible, leading to console warnings. Is there any way to remedy this? Can Shopify set the CSP for my site to allow HubSpot?

0 Likes
_JB
Shopify Staff
Shopify Staff
750 86 163

This is an accepted solution.

Hey @SarahT2,

By default, Shopify enables security features on the storefront to prevent "clickjacking" attacks. This includes setting X-FRAME-OPTIONS to 'none' (which prevents your store from being rendered in an iframe), and setting the Content Security Policy (CSP) header to 'self' (which prevents embedding content from other domains on your store). If you'd like to have this disabled for your shop, contact our support and let them know you'd like clickjacking protection disabled, and they can disable that from our end. 

JB | Developer Support @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

0 Likes