Solved

Unnecessarily strict and uncustomizable HTTP response headers (X-Frame-Options, CSP)

shodev

Hi,

I recently ran into an issue with Shopify setting unnecessarily strict HTTP response headers: "X-Frame-Options: DENY" and/or "Content-Security-Policy: frame-ancestors 'none'". Furthermore, the headers are set on the server side and cannot be customized by the merchant. This is a CRITICAL issue for merchants that want to use apps that rely on iframes (and consequently for developers of such apps).

When I looked for answers here on the forums, the first topic I found was over four years old.

Could you allow merchants to change the "X-Frame-Options" response header value (and/or the "frame-ancestors" directive of "Content-Security-Policy", if that is used) via the Shopify Admin panel? At least to "SAMEORIGIN" ('self' in the case of CSP), which would hardly cause security risks. This would be a BIG help to the mentioned merchants (and developers)...

Thanks!

Accepted Solution (1)

Shay
Shopify Staff

Hi @Zanar

I'd be happy to share some more information on this topic with you and let you know what the options are moving forward. This option is enabled by default for all online stores as a preventative measure to protect the store from clickjacking attacks.

You can request that this be disabled through our authenticated support channels (Shopify Help Center), but before doing so please review the information shared below. If you accept these risks, feel free to make this request to our support team through the Help Center.

  1. Disabling the protection can only be done for the storefront. It's not possible to disable it in order to load the admin OR our checkout inside an iframe.
  2. The setting is either fully ON or fully OFF. There's no way to have a 'blocked' or 'unblocked' list for iframe access to a storefront.
  3. Disabling this protection could allow clickjacking attacks from hackers, which would be difficult to prevent or detect once the setting has been turned off. The risks include things like user interface redress attacks, where users are tricked into unintended actions, and phishing and social engineering attacks that deceive users into providing sensitive information. It can also lead to unauthorized actions performed without user consent, resulting in unwanted changes or purchases. Furthermore, disabling the protection may cause a loss of trust and reputation among users, negatively impacting your brand, and create legal and compliance issues by violating security standards and regulations. It's crucial to consider these risks before making a decision about clickjacking protection.

Shay | Social Care @ Shopify
 - Was my reply helpful? Click Like to let me know!
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog
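The three settings the accepted answer describes (protection on, the SAMEORIGIN / 'self' variant the original poster asks for, and protection fully off) can be checked against a concrete embedding origin. The following is an added example, not Shopify's code: a small Python checker that takes a response's headers and decides whether a given embedder origin is allowed to frame the page. It implements the subset of CSP3 frame-ancestors source matching needed here ('none', 'self', '*', scheme-source, host-source with a leading '*.' wildcard and optional port) and, as current browsers do, lets a frame-ancestors directive take precedence over X-Frame-Options. The storefront origin, the app origin and the header sets are constructed for illustration; the fourth header set (an allowlist) is shown only to contrast with the ON/OFF-only setting the answer describes.

```python
"""Decide whether a page may be framed by an embedder, from its response headers.

Added example, not Shopify's code. Origins and header sets below are constructed.
Caveat: browsers check every ancestor frame; this checker only looks at one
embedder origin, so pass the top-level page's origin when nesting matters.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin_parts(origin):
    """'scheme://host[:port]' -> (scheme, host, port), default port filled in,
    so that https://a.example and https://a.example:443 compare equal."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _host_source_matches(src, page, embedder):
    """CSP host-source: [scheme://]host[:port]; host may start with '*.'."""
    p_scheme, _, _ = page
    e_scheme, e_host, e_port = embedder
    scheme, _, rest = src.rpartition("://")  # ('', '', src) when no scheme given
    host, _, port = rest.partition(":")
    if scheme:
        if scheme != e_scheme:
            return False
    elif not (e_scheme == p_scheme or (p_scheme == "http" and e_scheme == "https")):
        return False  # schemeless source: page's scheme, or a secure upgrade of it
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):  # '*.x.com' matches a.x.com, not x.com
            return False
    elif host != e_host:
        return False
    if port == "*":
        return True
    wanted = int(port) if port else DEFAULT_PORTS.get(e_scheme)
    return e_port == wanted


def frame_ancestors_allows(value, page_origin, embedder_origin):
    """True if the frame-ancestors source list permits embedder_origin."""
    sources = [s.lower() for s in value.split()]
    if not sources or sources == ["'none'"]:
        return False  # empty list or 'none': nobody may frame the page
    page, embedder = _origin_parts(page_origin), _origin_parts(embedder_origin)
    for src in sources:
        if src == "'none'":
            continue  # 'none' only has meaning when it is the sole source
        if src == "'self'":
            if page == embedder:
                return True
        elif src == "*":
            return True
        elif src.endswith(":") and "://" not in src:  # scheme-source, e.g. https:
            if embedder[0] == src[:-1]:
                return True
        elif _host_source_matches(src, page, embedder):
            return True
    return False


def framing_allowed(headers, page_origin, embedder_origin):
    """Return (allowed, reason). A CSP frame-ancestors directive wins over
    X-Frame-Options; X-Frame-Options is consulted only when CSP is silent."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            value = value.strip()
            ok = frame_ancestors_allows(value, page_origin, embedder_origin)
            return ok, f"CSP frame-ancestors {value!r}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        same = _origin_parts(page_origin) == _origin_parts(embedder_origin)
        return same, "X-Frame-Options: SAMEORIGIN"
    return True, "no framing restriction"


# Constructed sample origins and header sets for the settings discussed above.
STOREFRONT = "https://example-store.myshopify.com"
SAMPLE_POLICIES = {
    "protection on (default)": {"X-Frame-Options": "DENY",
                                "Content-Security-Policy": "frame-ancestors 'none';"},
    "SAMEORIGIN / 'self' (requested)": {"X-Frame-Options": "SAMEORIGIN",
                                        "Content-Security-Policy": "frame-ancestors 'self';"},
    "protection off": {},
    "allowlist (not offered)": {"Content-Security-Policy":
                                "frame-ancestors 'self' https://*.example-app.com;"},
}


def evaluate_all(embedder_origin):
    """Map each sample policy to whether embedder_origin may frame the storefront."""
    return {name: framing_allowed(hdrs, STOREFRONT, embedder_origin)[0]
            for name, hdrs in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for embedder in (STOREFRONT, "https://app.example-app.com", "https://evil.example"):
        print(embedder)
        for name, hdrs in SAMPLE_POLICIES.items():
            ok, why = framing_allowed(hdrs, STOREFRONT, embedder)
            print(f"  {name:32} {'ALLOW' if ok else 'BLOCK':5}  ({why})")
```

Run it and the table shows what the answer states in words: with protection on, nothing may frame the storefront; with SAMEORIGIN / 'self', only the store itself may; with protection off, any origin (including the attacker's) may. The allowlist row shows the per-origin control that the answer says Shopify does not offer, and is where a frame-ancestors policy with host sources would sit.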

Replies 4 (4)

shodev

Hello, Shopify staff?

shodev

BUMP!

Zanar

I am wondering the same. I need it to be set to SAMEORIGIN as well.
