Hello,
I’m currently working on an external widget that users can embed on their websites via a simple script tag. To maintain widget functionality across different pages, we utilize iframes. However, Shopify’s Content Security Policy (CSP) seems to block iframes, even from the same origin, which isn’t an issue on other platforms.
I understand that Shopify applies strict frame-ancestors settings in its CSP, which prevents iframes from being used. My questions are:
- Is there any way to configure or allow specific same-origin iframes in Shopify, for instance via the admin settings or in the Shopify Theme HTML code?
- Would embedding an app within Shopify (e.g., using Shopify App Bridge) allow us to bypass this restriction?
- Are there any recommended approaches or workarounds to enable iframe functionality without violating Shopify’s CSP?
I’ve researched this issue and found several related discussions in the forum, but no clear solution. Any guidance would be appreciated.
Relevant discussions:
- https://community.shopify.com/post/2437264
- https://community.shopify.com/post/2111201
- https://community.shopify.com/post/1386526
Thank you in advance for your help!
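
How a `frame-ancestors` directive like the one mentioned in the question is evaluated against the pages that embed a framed response, as an added example that is not part of the original post. The header values and hostnames are constructed, and the source matching is a simplified version of the CSP rules (paths are ignored, and a source without a scheme is assumed to inherit the framed page's scheme).

```javascript
// Constructed sample headers and hostnames; not taken from a real Shopify response.
const SAMPLE_STRICT = "default-src 'self'; frame-ancestors 'none'";
const SAMPLE_ALLOWLIST =
  "frame-ancestors 'self' https://*.example-shop.test https://admin.example.test:8443";
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Return the frame-ancestors source list, or null when the directive is absent.
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Simplified matching: 'none', 'self', *, scheme-source, and host-source
// with an optional leading "*." wildcard and an optional port.
function sourceMatches(source, ancestor, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a scheme-less source inherits the framed page's scheme.
  if (ancestor.protocol !== (scheme ? scheme + ":" : self.protocol)) return false;
  const hostOk = wildcard
    ? ancestor.hostname.endsWith("." + host) // "*." requires a real subdomain
    : ancestor.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) return ancestor.port === ""; // default port only
  return port === "*" || port === (ancestor.port || DEFAULT_PORT[ancestor.protocol]);
}

// True when every ancestor in the embedding chain is allowed to frame the response.
function mayBeFramed(cspHeader, selfUrl, ancestorUrls) {
  const sources = frameAncestors(cspHeader);
  if (sources === null) return true; // no directive: CSP adds no framing restriction
  const self = new URL(selfUrl);
  return ancestorUrls.every((a) =>
    sources.some((src) => sourceMatches(src, new URL(a), self)));
}
```

The directive is read from the response of the page being framed, so `mayBeFramed` takes that page's header and URL plus the list of embedding pages from parent up to the top-level document.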