The CSP frame-ancestors 'none' setting is causing some problems.
Our new web application has some embedded iframes which point to pages in our legacy web application. In the legacy application, we redirect the user to their store's "/auth/login" URL. However, we noticed that the "/auth/login" endpoint has a response header content-security-policy of "frame-ancestors 'none'", which prevents the redirect from occurring and throws the following error:
Refused to display 'https://our-store.myshopify.com/admin/auth/login' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
Is there a simple way to work around this that lets the user log in from within an iframe?
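Why the browser refuses the frame in the error above, as an added example that is not part of the original post or Shopify's code: a simplified JavaScript evaluation of the frame-ancestors directive against the chain of embedding pages. The embedding origin https://new-app.example is a constructed placeholder, and port and path matching are left out.

```javascript
// Simplified frame-ancestors evaluation (added example; ports and paths are ignored).
function frameAncestorsSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent: this policy places no limit on framing
}

function sourceMatches(source, ancestor, self) {
  const src = source.toLowerCase();
  if (src === "'self'") return ancestor.origin === self.origin;
  if (src === '*') return /^https?:$/.test(ancestor.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return ancestor.protocol === src; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(src); // host-source
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && ancestor.protocol !== scheme + ':') return false;
  // "*.example.com" matches subdomains only, not example.com itself.
  if (host.startsWith('*.')) return ancestor.hostname.endsWith(host.slice(1));
  return ancestor.hostname === host;
}

// framedUrl: the page loaded in the frame; ancestorUrls: every parent up to the top window.
function canBeFramed(cspHeader, framedUrl, ancestorUrls) {
  const sources = frameAncestorsSources(cspHeader);
  if (sources === null) return true;
  const self = new URL(framedUrl);
  // 'none' (or an empty list) matches no origin, so any ancestor at all fails.
  if (sources.length === 0 || (sources.length === 1 && sources[0].toLowerCase() === "'none'")) {
    return ancestorUrls.length === 0;
  }
  return ancestorUrls.every(a => sources.some(s => sourceMatches(s, new URL(a), self)));
}

const LOGIN = 'https://our-store.myshopify.com/admin/auth/login'; // URL from the error above
const EMBEDDER = 'https://new-app.example/dashboard';             // constructed placeholder
console.log(canBeFramed("frame-ancestors 'none'", LOGIN, [EMBEDDER])); // framed by the new app
console.log(canBeFramed("frame-ancestors 'none'", LOGIN, []));         // top-level navigation
```

The policy arrives on the framed page's own response, so nothing in the embedding page can relax it; with 'none', the login page only renders as a top-level document.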
I encountered a similar problem and detailed it here: https://community.shopify.com/c/Shopify-APIs-SDKs/App-doesn-t-load-in-iframe-on-firefox-safari/m-p/7...