Shopify APIs and SDKs

Gabriel_Ortiz · ‎11-04-2019

Hi.

Im trying to use my app shopify store on a external app, but im getting this error from x-frame-options.

i read in this forum about people having the same issue, but all the aswer were outdated.

Someone know is this can be disabled on the shopify admin, or a liquid code way?.

Also i was reading about having to configure a access_token or frame_token and if this is a solution how can i configure it?.

Thanks for your time reading this.

_JB · ‎11-06-2019

Hey @Gabriel_Ortiz,

Shopify doesn't allow shops to be served in an iframe, and the default behaviour for all storefront requests is to send the `X-Frame-Options` = `DENY` header. This prevents "clickjacking" (aka UI redress) attacks where a bad actor could use your site to trick and redirect users to a malicious site. More information about this can be found in the original API announcement here.

If you're trying to display your store contents in an external application, I recommend having a look at our storefront API docs here. The storefront API provides tools that allow you to get and display information about your store in mobile apps or on the web, and also allows you to easily use Shopify's checkout for fast and secure payment within your app.

JB | Solutions Engineer @ Shopify
- Was your question answered? Mark it as an Accepted Solution
- To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

Adam_Hurlburt · ‎01-26-2021

@_JB thank you for the explanation. I see this post is old however, I came across it today due to the fact that this implementation breaks mobile editing in google optimize which is very annoying for conversion optimization testing.

Is there a workaround for this?

Google recommends setting X-Frame-Options: sameorigin, since this means only the website could frame itself, would this be a security risk?

RickFW · ‎04-14-2021

We recently run into the same issue breaking our feature for clients.

+1 to @Adam_Hurlburt 's suggestion on X-Frame-Options: sameorigin and that provides good protection against malicious cross-domain actors.

Would the Shopify team please take a look and consider? @_JB

harris2 · ‎09-26-2022

Hey Adam, I am also facing the same issue on google optimize. Can't find any solution yet. If you have any, pls tell.

Thanks

LesleyACB · ‎11-05-2022

Hi Adam, did you get a solution to this? Im also trying to run Optimize, and I understand I should change the X FRAME OPTION 'DENY' , to 'SAME ORIGIN', but don't know where I can find that.

ViridGabe · ‎12-02-2022

@_JB This isn't right, I am looking at a site that is serving a Shopify site in an iframe here: https://lpqmvl.top/ - can you tell me what's happening? Shouldn't the Shopify site being sending headers to prevent this? I can see the headers being sent from Shopify include content-security-policy: block-all-mixed-content; frame-ancestors *; upgrade-insecure-requests; Which is explicitly allowing the site to be loaded in an iFrame.

Gabe Harris

Shopify APIs and SDKs

X-FRAME

Community Blog Articles

Shopify Community

Support

Shopify

Quick Links