I'm trying to use my Shopify store in an external app, but I'm getting this error from X-Frame-Options.
I read in this forum about people having the same issue, but all the answers were outdated.
Does someone know if this can be disabled in the Shopify admin, or via Liquid code?
Also, I was reading about having to configure an access_token or frame_token; if this is a solution, how can I configure it?
Thanks for your time reading this.
Shopify doesn't allow shops to be served in an iframe, and the default behaviour for all storefront requests is to send the `X-Frame-Options` = `DENY` header. This prevents "clickjacking" (aka UI redress) attacks where a bad actor could use your site to trick and redirect users to a malicious site. More information about this can be found in the original API announcement here.
If you're trying to display your store contents in an external application, I recommend having a look at our storefront API docs here. The storefront API provides tools that allow you to get and display information about your store in mobile apps or on the web, and also allows you to easily use Shopify's checkout for fast and secure payment within your app.
@_JB thank you for the explanation. I see this post is old; however, I came across it today because this implementation breaks mobile editing in Google Optimize, which is very annoying for conversion optimization testing.
Is there a workaround for this?
Google recommends setting X-Frame-Options: SAMEORIGIN, since this means only the website could frame itself. Would this be a security risk?
Hi Adam, did you get a solution to this? I'm also trying to run Optimize, and I understand I should change the X-Frame-Options 'DENY' to 'SAMEORIGIN', but I don't know where I can find that.
@_JB This isn't right. I am looking at a site that is serving a Shopify site in an iframe here: https://lpqmvl.top/ - can you tell me what's happening? Shouldn't the Shopify site be sending headers to prevent this? I can see the headers being sent from Shopify include `content-security-policy: block-all-mixed-content; frame-ancestors *; upgrade-insecure-requests`, which is explicitly allowing the site to be loaded in an iframe.