Re: Refused to frame app in shopify

Refused to frame app in shopify

GreenReceipt
Shopify Partner

Hi,
I am facing this issue: Refused to frame
'https://mystore.myshopify.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". I have specified all the required frame-ancestors values that have to be added; my implementation is below. Can someone please help me reach a solution?

// Allow the shop and the Shopify admin to frame this response
header("Content-Security-Policy: frame-ancestors https://" . $shop . " https://admin.shopify.com");
if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] == 'iframe') {
    redirect(base_url('shopifyapi/setup?embedded=' . $param . '&token=' . $result[0]->usertoken));
}


where $shop = 'mystore.myshopify.com '
and I am getting the value $_SERVER['HTTP_SEC_FETCH_DEST'] = document.


Liam
Community Manager

Hi Faiyaz,

 

This error message suggests that the CSP directive frame-ancestors 'none' is in effect, which means no domain is allowed to frame your content. This directive overrides any other frame-ancestors directive you set. 

 

I'd recommend ensuring that your Content-Security-Policy header syntax is correct and that you're handling string concatenation properly in PHP, ensuring that variables are properly embedded within the string. You should also ensure that no other part of your application (or server configuration) is setting a conflicting CSP header with frame-ancestors 'none', and try clearing the browser cache or testing in incognito mode, as browsers can aggressively cache headers, leading to misleading outcomes during troubleshooting.

 

Hope this helps!

Liam | Developer Advocate @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog
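
The check for a conflicting frame-ancestors suggested in the reply above can be scripted over a response's headers; a browser enforces every Content-Security-Policy it receives, so one 'none' blocks framing even when another policy lists the Shopify origins. This is an added example, not code from the thread or from Shopify: the sample headers are constructed, https://app.example is a hypothetical app origin, and source matching is simplified to scheme and host.

```python
from urllib.parse import urlsplit

# Constructed sample response headers (not captured from a real store).
APP_HEADERS = [
    "Content-Type: text/html; charset=utf-8",
    "Content-Security-Policy: frame-ancestors https://mystore.myshopify.com https://admin.shopify.com",
]
CONFLICTING_HEADERS = APP_HEADERS + [
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
]

def frame_ancestor_policies(header_lines):
    """One frame-ancestors source list per enforced policy (None when absent)."""
    policies = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "content-security-policy":
            continue  # Report-Only and unrelated headers never block framing
        for policy in value.split(","):  # one header can carry several policies
            sources = None
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors" and sources is None:
                    sources = tokens[1:]  # first occurrence wins inside a policy
            policies.append(sources)
    return policies

def source_allows(source, ancestor, self_origin):
    """Simplified match on scheme and host; ports and paths are ignored."""
    src, anc = source.lower(), urlsplit(ancestor.lower())
    if src in ("'none'", "*"):
        return src == "*"
    if src == "'self'":
        return ancestor.lower() == self_origin.lower()
    if src.endswith(":"):  # scheme source such as https:
        return anc.scheme == src[:-1]
    scheme, sep, host = src.rpartition("://")
    if sep and scheme != anc.scheme:
        return False
    host = host.split("/")[0].split(":")[0]
    if host.startswith("*."):
        return (anc.hostname or "").endswith(host[1:])
    return anc.hostname == host

def framing_verdict(header_lines, ancestor, self_origin):
    """Framing is allowed only if every enforced policy permits the ancestor."""
    blocking = [s for s in frame_ancestor_policies(header_lines) if s is not None
                and not any(source_allows(x, ancestor, self_origin) for x in s)]
    return (not blocking, blocking)
```

Run it against the headers of the response for the URL quoted in the console error, because the browser evaluates frame-ancestors on the framed document's own response.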

GreenReceipt
Shopify Partner

Hi Liam,

Thank you for your response.

As you recommended, I tried all the possible solutions and also set this in the .htaccess file:

<IfModule mod_headers.c>
    Header set Content-Security-Policy: "frame-ancestors https://mystore.myshopify.com https://admin.shopify.com"
</IfModule>

On the point about the variable, I also checked it by adding the complete name of my store:

    header("Content-Security-Policy: frame-ancestors https://mystore.myshopify.com https://admin.shopify.com");

but I am still getting the same error. According to the Shopify documentation (https://shopify.dev/docs/apps/store/security/iframe-protection), we are getting
"Content-Security-Policy: frame-ancestors https://mystore.myshopify.com https://admin.shopify.com"
as headers in the network tab on the install function, but we are unable to get the same headers on the authorize function call (
        $install_url = "https://" . $shop . "/admin/oauth/authorize?client_id=" . $api_key . "&scope=" . $scopes .
). What else do I have to add in my code? Below is the app install function.

[Screenshot 2024-02-15 123817.png]

Caebixus
Shopify Partner

Same problem. Is there any information regarding this issue?