While embedding HubSpot forms into my Shopify site, I am running into some issues with Content Security Policies.
Shopify's Content Security Policy includes: frame-ancestors 'none' while HubSpot's includes: frame-ancestors 'self'.
These seem to be incompatible, leading to console warnings. Is there any way to remedy this? Can Shopify set the CSP for my site to allow HubSpot?
This is an accepted solution.
By default, Shopify enables security features on the storefront to prevent "clickjacking" attacks. This includes setting X-FRAME-OPTIONS to 'none' (which prevents your store from being rendered in an iframe), and setting the Content Security Policy (CSP) header to 'self' (which prevents embedding content from other domains on your store). If you'd like to have this disabled for your shop, contact our support and let them know you'd like clickjacking protection disabled, and they can disable that from our end.
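The following is an added example, not part of the original thread and not Shopify or HubSpot code. It shows how a browser decides whether a response may be rendered in a frame, using the frame-ancestors values quoted in the question. The function names and the shop.example / forms.example origins are assumptions made for illustration.

```javascript
// Added example: would a browser render frameUrl inside the given chain of ancestor pages?
// Simplification (assumption): host sources are compared by scheme and host only; ports and paths are ignored.
function frameAncestorsSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent from this policy
}

function sourceAllows(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(s);
  if (!m) return false; // 'none' and forms not handled here match nothing (fail closed)
  const [, scheme, wildcard, host] = m;
  if ((scheme ? scheme + ':' : self.protocol) !== ancestor.protocol) return false;
  return wildcard ? ancestor.hostname.endsWith('.' + host) : ancestor.hostname === host;
}

function mayBeFramed(frameUrl, headers, ancestorUrls) {
  const self = new URL(frameUrl);
  const ancestors = ancestorUrls.map((u) => new URL(u));
  // One header value may carry several comma-separated policies; each must allow the frame.
  const lists = (headers['content-security-policy'] || '')
    .split(',').map(frameAncestorsSources).filter((l) => l !== null);
  if (lists.length > 0) {
    // frame-ancestors is present: X-Frame-Options is ignored and every ancestor must match.
    return lists.every((sources) =>
      ancestors.every((a) => sources.some((src) => sourceAllows(src, a, self))));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestors.every((a) => a.origin === self.origin);
  return true; // no framing restriction was sent
}

// Constructed sample: the two policies quoted in the question, on placeholder origins.
const SHOP = { 'content-security-policy': "frame-ancestors 'none'" };
const FORM = { 'content-security-policy': "frame-ancestors 'self'" };
console.log(mayBeFramed('https://shop.example/', SHOP, ['https://partner.example/']));
console.log(mayBeFramed('https://forms.example/embed', FORM, ['https://shop.example/']));
```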