X-FRAME

Gabriel_Ortiz
New Member
1 0 0

Hi.

I'm trying to use my app Shopify store on an external app, but I'm getting this error from X-Frame-Options.

I read in this forum about people having the same issue, but all the answers were outdated.

Does someone know if this can be disabled in the Shopify admin, or in a Liquid code way?

Also, I was reading about having to configure an access_token or frame_token, and if this is a solution, how can I configure it?

Thanks for your time reading this.

0 Likes
_JB
Shopify Staff
750 86 163

Hey @Gabriel_Ortiz,

Shopify doesn't allow shops to be served in an iframe, and the default behaviour for all storefront requests is to send the `X-Frame-Options` = `DENY` header. This prevents "clickjacking" (aka UI redress) attacks where a bad actor could use your site to trick and redirect users to a malicious site. More information about this can be found in the original API announcement here.

If you're trying to display your store contents in an external application, I recommend having a look at our storefront API docs here. The storefront API provides tools that allow you to get and display information about your store in mobile apps or on the web, and also allows you to easily use Shopify's checkout for fast and secure payment within your app.

JB | Developer Support @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

0 Likes
Adam_Hurlburt
Explorer
41 1 10

@_JB thank you for the explanation. I see this post is old; however, I came across it today due to the fact that this implementation breaks mobile editing in Google Optimize, which is very annoying for conversion optimization testing.

Is there a workaround for this?

Google recommends setting X-Frame-Options: sameorigin. Since this means only the website could frame itself, would this be a security risk?

0 Likes
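
Editor's added example (not part of the thread and not Shopify code): a simplified model of how a browser evaluates the `X-Frame-Options` values discussed above (`DENY`, `SAMEORIGIN`), together with the CSP `frame-ancestors` directive that takes precedence when both are sent. The origins `https://shop.example` and `https://app.example` and the function names are assumptions made for illustration.

```javascript
// Added example: simplified model of the framing check a browser applies to a response.
// Origins and header values used with it are constructed sample data.

// Return the source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Decide whether a page served from pageOrigin with these response headers may be
// framed by embedderOrigin. Simplifications: one ancestor only, and CSP sources
// are matched as 'none', 'self' or an exact origin (no wildcards or bare hosts).
function framingDecision(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = pageOrigin.toLowerCase();
  const embedder = embedderOrigin.toLowerCase();

  // When both headers are present, frame-ancestors is enforced and
  // X-Frame-Options is ignored.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    const allowed = sources.some((s) =>
      s.toLowerCase() === "'self'" ? embedder === page : s.toLowerCase() === embedder);
    return { allowed, decidedBy: "frame-ancestors" };
  }

  const xfo = String(h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "SAMEORIGIN") return { allowed: embedder === page, decidedBy: "x-frame-options" };

  // No header, or an unrecognised or obsolete value such as ALLOW-FROM: no restriction.
  return { allowed: true, decidedBy: "none" };
}

// Constructed origins: a storefront and an external app that tries to embed it.
const SHOP = "https://shop.example";
const APP = "https://app.example";
console.log(framingDecision({ "X-Frame-Options": "DENY" }, SHOP, APP));
console.log(framingDecision({ "X-Frame-Options": "SAMEORIGIN" }, SHOP, SHOP));
console.log(framingDecision({ "X-Frame-Options": "SAMEORIGIN" }, SHOP, APP));
```
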