CSP blocking same-origin iframes in themes

Shopify Partner

I'm trying to use an iframe to embed some content from another page on a Shopify store, but Shopify's CSP seems to block ALL iframes as it outputs:


frame-ancestors: 'none'


whereas I ideally need to safelist the specific page, e.g.:


frame-ancestors: https://example.com/pages/my-page


or at least enable site-wide same-origin frames, i.e.:


frame-ancestors: self


I've seen a lot of discussion around this being a setting on Shopify Apps, but what about Shopify Themes? Surely depending on JavaScript and using `fetch` can't be the only option?

Replies 0 (0)
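
As an added example (not part of the original post and not Shopify code), the checker below evaluates the policies the question contrasts. It works on the `Content-Security-Policy` value of the page being embedded, because that response is where the browser reads `frame-ancestors` from. The function names and sample URLs are constructed, and the checker compares ancestors by origin only, treating a source expression that carries a path as non-matching, which is an assumption of this example.

```javascript
// Added example: simplified, origin-level evaluation of CSP frame-ancestors.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Extract the frame-ancestors source list from a Content-Security-Policy value.
function frameAncestorsSources(cspValue) {
  for (const directive of cspValue.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent: CSP does not restrict framing
}

// Does one source expression match one ancestor? `self` is the framed page's URL.
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s.startsWith("'")) return false; // 'none' and other keywords match nothing
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (path && path !== "/") return false; // assumption: only origins are compared
  const wantScheme = scheme ? scheme + ":" : self.protocol; // simplified: no http->https upgrade
  if (ancestor.protocol !== wantScheme) return false;
  const hostOk = wildcard
    ? ancestor.hostname.endsWith("." + host)
    : ancestor.hostname === host;
  const actualPort = ancestor.port || DEFAULT_PORTS[ancestor.protocol];
  const wantPort = port || DEFAULT_PORTS[wantScheme];
  return hostOk && (port === "*" || actualPort === wantPort);
}

// Every ancestor in the chain (parent, grandparent, ...) must match some source.
function mayBeFramed(cspValue, pageUrl, ancestorUrls) {
  const sources = frameAncestorsSources(cspValue);
  if (sources === null) return true;
  const self = new URL(pageUrl);
  return ancestorUrls.every((a) =>
    sources.some((src) => sourceMatches(src, new URL(a), self)));
}

// Constructed sample: a store page embedding another page of the same origin.
const PAGE = "https://example.com/pages/my-page";
const PARENT = "https://example.com/pages/landing";
console.log(mayBeFramed("frame-ancestors 'none'", PAGE, [PARENT]));
console.log(mayBeFramed("frame-ancestors 'self'", PAGE, [PARENT]));
```

To check a live page, pass the `Content-Security-Policy` value from the framed page's response headers rather than from the page that contains the iframe.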