FROM CACHE - en_header

X-FRAME

Gabriel_Ortiz
New Member
1 0 0
‎11-04-2019 06:51 PM

X-FRAME

Hi.

 

Im trying to use my app shopify store on a external app, but im getting this error from x-frame-options.

i read in this forum about people having the same issue, but all the aswer were outdated.

 

Someone know is this can be disabled on the shopify admin, or a liquid code way?.

 

Also i was reading about having to configure a access_token or frame_token and if this is a solution how can i configure it?.

 

Thanks for your time reading this.

 

image.png

3,450 Views
0 Likes
Report
Replies 3 (3)
_JB
Shopify Staff
Shopify Staff
836 99 211
‎11-06-2019 08:58 AM

Re: X-FRAME

Hey @Gabriel_Ortiz,

 

Shopify doesn't allow shops to be served in an iframe, and the default behaviour for all storefront requests is to send the `X-Frame-Options` = `DENY` header. This prevents "clickjacking" (aka UI redress) attacks where a bad actor could use your site to trick and redirect users to a malicious site. More information about this can be found in the original API announcement here.

 

If you're trying to display your store contents in an external application, I recommend having a look at our storefront API docs here. The storefront API provides tools that allow you to get and display information about your store in mobile apps or on the web, and also allows you to easily use Shopify's checkout for fast and secure payment within your app.

JB | Solutions Engineer @ Shopify 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

3,413 Views
0 Likes
Report
Adam_Hurlburt
Explorer
41 1 11
‎01-26-2021 09:34 AM

Re: X-FRAME

@_JB thank you for the explanation. I see this post is old however, I came across it today due to the fact that this implementation breaks mobile editing in google optimize which is very annoying for conversion optimization testing. 

Is there a workaround for this?

Google recommends setting X-Frame-Options: sameorigin, since this means only the website could frame itself, would this be a security risk?

2,094 Views
0 Likes
Report
RickFW
New Member
1 0 0
‎04-14-2021 08:22 PM

Re: X-FRAME

We recently run into the same issue breaking our feature for clients.

+1 to @Adam_Hurlburt 's suggestion on X-Frame-Options: sameorigin and that provides good protection against malicious cross-domain actors.

Would the Shopify team please take a look and consider? @_JB 

1,764 Views
0 Likes
Report

Community Blog Articles

Trevor_0-1658936764652.jpeg

How you can use PayPal to accept payments and pay your Shopify bill

Connect your PayPal account to allow your customers to checkout using the PayPal gateway a...

By shopify staff Ollie Jul 28, 2022
Ollie_0-1655835122068.jpeg

Improving your online store speed

Your online store speed can enhance your store’s discoverability, boost conversion rates a...

By shopify staff Ollie Jun 30, 2022
woman-holding-mobile-phone.jpg

Optimizing Storefront for Mobile Shopping

Shopping is at our fingertips with mobile devices. Is your theme optimized to be user-frie...

By shopify staff Holly Jun 24, 2022
Terms of Service Privacy Policy