We need to be able to adjust our CSP Content Security Policy and X-Frame-Options for our store

AmyChacon
Excursionist
15 0 1

 

Yes, we have added a new domain merch.app.totalvu.live to our shopify store and it appears within our iframe on our website. On that domain we are experiencing  the following from the iframe on our website:
 
POST https://shop.app/pay/session/start net::ERR_ABORTED 404
Refused to display 'https://shop.app/' in a frame because it set 'X-Frame-Options' to 'deny'.
Also these warnings which can be fixed by adjusting the Content Security Policy CSP of our store as well:
 

Screen Shot 2021-10-12 at 3.53.27 PM.png


Also for cookies we are experiencing all of these fail due to the wrong settings (see below)
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.

NameDomain & Path

_pay_sessionshop.app/
x-cdn.paypal.com/
_ga.pay.google.com/
_gapay.google.com/
_gid.pay.google.com/
_gidpay.google.com/
OTZpay.google.com/
_cookiecheckwww.paypal.com/smart
www.paypal.com/smart
checkoutshop.app/pay/transactions/new/token/WEJOQ2JaZ0FR...

Also these with the same issue
Screen Shot 2021-10-12 at 3.54.00 PM.png

 
Reply 1 (1)
AmyChacon
Excursionist
15 0 1

Hi there haven't been any responses from support. Hoping someone will get back to us asap.