CSP blocking same-origin iframes in themes

twnsnd
Shopify Partner

I'm trying to use an iframe to embed some content from another page on a Shopify store, but Shopify's CSP seems to block ALL iframes as it outputs:

frame-ancestors: 'none'

whereas I ideally need to safelist the specific page, e.g.:

frame-ancestors: https://example.com/pages/my-page

or at least enable site-wide same-origin frames, i.e.:

frame-ancestors: self

I've seen a lot of discussion around this being a setting on Shopify Apps, but what about Shopify Themes? Surely depending on JavaScript and using `fetch` can't be the only option?

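An added example, not part of the original post and not Shopify's code: a simplified JavaScript model of how the `frame-ancestors` directive sent with the framed page is evaluated against the page that embeds it. The function names and the example.com URLs are constructed; only the immediate parent is checked, and sources that carry a path are not modelled.

```javascript
// Added example: simplified model of the frame-ancestors check (immediate parent only).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestorsSources(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Match one source expression against the embedding (parent) page's origin.
function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return parent.origin === self.origin;
  if (s === '*') return parent.protocol === 'http:' || parent.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  // 'none', other keywords and sources carrying a path are not modelled: no match.
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a source without a scheme is compared using the framed page's scheme.
  if (parent.protocol !== (scheme ? scheme + ':' : self.protocol)) return false;
  const hostOk = wildcard
    ? parent.hostname.endsWith('.' + host) // *.example.com excludes example.com itself
    : parent.hostname === host;
  const parentPort = parent.port || DEFAULT_PORTS[parent.protocol] || '';
  const portOk = port === '*' || parentPort === (port || DEFAULT_PORTS[parent.protocol]);
  return hostOk && portOk;
}

// True when the header on the framed response lets parentUrl embed framedUrl.
function isFramingAllowed(cspHeader, parentUrl, framedUrl) {
  const sources = frameAncestorsSources(cspHeader);
  if (sources === null) return true; // directive absent: no restriction from it
  const parent = new URL(parentUrl);
  const self = new URL(framedUrl);
  return sources.some((src) => sourceMatches(src, parent, self));
}

// Constructed sample: a same-origin parent and framed page on example.com.
const parentPage = 'https://example.com/pages/my-page';
const framedPage = 'https://example.com/pages/embedded';
for (const policy of ["frame-ancestors 'none'", "frame-ancestors 'self'", 'frame-ancestors self']) {
  console.log(policy, '->', isFramingAllowed(policy, parentPage, framedPage));
}
```

The third sample policy is there because keywords in a source list are written in single quotes; an unquoted `self` is parsed as a host named "self" and does not match the page's own origin.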