We need to be able to adjust our CSP Content Security Policy and X-Frame-Options for our store

AmyChacon
Excursionist

 

Yes, we have added a new domain merch.app.totalvu.live to our Shopify store and it appears within our iframe on our website. On that domain we are experiencing the following from the iframe on our website:
 
POST https://shop.app/pay/session/start net::ERR_ABORTED 404
Refused to display 'https://shop.app/' in a frame because it set 'X-Frame-Options' to 'deny'.
Also these warnings, which can be fixed by adjusting the Content Security Policy (CSP) of our store as well:

[Screenshot: Screen Shot 2021-10-12 at 3.53.27 PM.png]

Also, for cookies, we are seeing all of these fail due to the wrong settings (see below):
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.

Name | Domain & Path
_pay_session | shop.app/
x-cdn | .paypal.com/
_ga | .pay.google.com/
_ga | pay.google.com/
_gid | .pay.google.com/
_gid | pay.google.com/
OTZ | pay.google.com/
_cookiecheck | www.paypal.com/smart
(no name shown) | www.paypal.com/smart
checkout | shop.app/pay/transactions/new/token/WEJOQ2JaZ0FR...

Also these with the same issue:
[Screenshot: Screen Shot 2021-10-12 at 3.54.00 PM.png]

 
AmyChacon

Hi, there haven't been any responses from support. Hoping someone will get back to us ASAP.
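
The framing error and the cookie warnings quoted in the first post come from checks the browser runs on response headers. The sketch below is an added example, not part of the thread and not Shopify's code: it reproduces those checks in simplified form on constructed header values. The function names are hypothetical, and only one ancestor origin is checked, whereas a browser checks every ancestor frame.

```javascript
// Added example. All header values are constructed samples, not captured responses.

// May a response with these headers render in a frame whose parent is parentOrigin?
// Simplified: frame-ancestors sources handled are 'none', 'self', * and exact origins.
// When frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
function framingAllowed(headers, parentOrigin, ownOrigin) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    return directive.slice(1).some(src => {
      if (src === "'none'") return false;
      if (src === '*') return true;
      if (src === "'self'") return parentOrigin === ownOrigin;
      return src === parentOrigin;
    });
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return parentOrigin === ownOrigin;
  return true;
}

// Why would this Set-Cookie value be rejected or withheld in a cross-site iframe?
function crossSiteCookieIssues(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const flags = new Map(attrs.map(a => {
    const [key, value = ''] = a.split('=');
    return [key.toLowerCase(), value.toLowerCase()];
  }));
  const issues = [];
  const sameSite = flags.get('samesite');
  if (sameSite !== 'none') {
    issues.push(`SameSite=${sameSite || 'unset'} is withheld in a cross-site iframe`);
  }
  if (!flags.has('secure')) issues.push('Secure is missing (required with SameSite=None)');
  return { name: pair.split('=')[0], issues };
}

const parent = 'https://merch.app.totalvu.live'; // assumed framing origin (domain from the post)
const framed = 'https://shop.app';               // framed origin named in the error message
console.log(framingAllowed({ 'x-frame-options': 'deny' }, parent, framed)); // false
console.log(framingAllowed({
  'x-frame-options': 'deny',
  'content-security-policy': `default-src 'self'; frame-ancestors ${parent}`,
}, parent, framed)); // true
console.log(crossSiteCookieIssues('_pay_session=v; Path=/; HttpOnly; SameSite=Lax'));
console.log(crossSiteCookieIssues('_pay_session=v; Path=/; Secure; SameSite=None'));
```

Both headers are set by the origin being framed, so the result depends on what that origin sends, not on the policy of the page hosting the iframe.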