Refused to frame app in shopify

Hi,
I am facing the issue "Refused to frame 'https://mystore.myshopify.com/' because an ancestor violates the following Content Security Policy directive: frame-ancestors 'none'". I have added all the required values to frame-ancestors; below is the implementation. Can someone please help me reach a solution?

```php
// Sources in frame-ancestors are separated by spaces; $shop is the store host.
header("Content-Security-Policy: frame-ancestors https://" . $shop . " https://admin.shopify.com");

// When the request comes from an iframe, redirect to the setup page.
if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] == 'iframe') {
    redirect(base_url('shopifyapi/setup?embedded=' . $param . '&token=' . $result[0]->usertoken));
}
```

where $shop = 'mystore.myshopify.com'
and the value I am getting for $_SERVER['HTTP_SEC_FETCH_DEST'] is document.

1 Like

Hi Faiyaz,

This error message suggests that the CSP directive frame-ancestors 'none' is in effect, which means no domain is allowed to frame your content. This directive overrides any other frame-ancestors directive you set.

I’d recommend ensuring that your Content-Security-Policy header syntax is correct and that you’re handling string concatenation properly in PHP, ensuring that variables are properly embedded within the string. You should also ensure that no other part of your application (or server configuration) is setting a conflicting CSP header with frame-ancestors ‘none’, and try clearing the browser cache or test in incognito mode, as browsers can aggressively cache headers, leading to misleading outcomes during troubleshooting.

Hope this helps!

Hi Liam,

Thank you for your response.

As you recommended, I tried all the possible solutions and also set the .htaccess file (

```apache
# Apache's Header directive takes the header name without a trailing colon.
Header set Content-Security-Policy "frame-ancestors https://mystore.myshopify.com https://admin.shopify.com"
```

)

and about the variable, I also checked it by adding the complete name of my store:

header("Content-Security-Policy: frame-ancestors https://mystore.myshopify.com https://admin.shopify.com");

but I am still getting the same error. According to the Shopify document (https://shopify.dev/docs/apps/store/security/iframe-protection) we are getting

"Content-Security-Policy: frame-ancestors https://mystore.myshopify.com https://admin.shopify.com"

as headers in the network tab on the install function, but I am unable to get the same headers on the authorize function call (

```php
// Remaining query parameters were omitted in the original post.
$install_url = "https://" . $shop . "/admin/oauth/authorize?client_id=" . $api_key . "&scope=" . $scopes;
```

). What else do I have to add to my code? Below is the app install function:
Screenshot 2024-02-15 123817.png

2 Likes
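Added example, not code from either post in this thread: it puts Liam's two recommendations (correct string concatenation and a check for a conflicting CSP header already queued in the response) into working PHP, and it also covers the authorize step from the second post. The point it relies on is how the directive works: frame-ancestors is evaluated from the response of the document being framed, so the app's header only controls who may frame the app; it cannot change the policy Shopify serves on its own pages such as the OAuth authorize page. The snippet therefore breaks out of the iframe with a top-level navigation before starting OAuth (plain `window.top.location` is used here as an assumption standing in for whatever redirect mechanism the app uses). `$shop` is also validated before it is placed in the header, because it arrives from the query string and an unvalidated value would let a caller choose which origins may frame the app. The names `validShopDomain`, `frameAncestorsPolicy`, `sendFramePolicy`, `queuedCspHeaders`, `oauthAuthorizeUrl`, `redirectToOauth`, and the placeholder values at the bottom are all assumptions.

```php
<?php
// Added example (not from the original thread). Names and values below are
// assumptions; replace the placeholders with the app's own configuration.

declare(strict_types=1);

// Only a real *.myshopify.com host may be placed in the policy. $shop arrives
// from the query string, so an unvalidated value would let a caller pick which
// origins are allowed to frame the app.
function validShopDomain(string $shop): bool
{
    return (bool) preg_match('/^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i', $shop);
}

// Builds the header value the thread is trying to produce; the sources are
// separated by spaces.
function frameAncestorsPolicy(string $shop): string
{
    if (!validShopDomain($shop)) {
        throw new InvalidArgumentException('shop must be a *.myshopify.com host');
    }
    return 'frame-ancestors https://' . $shop . ' https://admin.shopify.com';
}

// Sends the policy and replaces any CSP header already queued by the
// framework ($replace = true). Browsers enforce every CSP header they receive,
// so a leftover "frame-ancestors 'none'" would still block framing.
function sendFramePolicy(string $shop): void
{
    header('Content-Security-Policy: ' . frameAncestorsPolicy($shop), true);
}

// Lists the Content-Security-Policy headers queued so far in this response;
// useful while tracking down which part of the app set "frame-ancestors 'none'".
function queuedCspHeaders(): array
{
    return array_values(array_filter(
        headers_list(),
        fn (string $h) => stripos($h, 'Content-Security-Policy:') === 0
    ));
}

// Assumed parameter set for the authorize URL; http_build_query handles the
// escaping that manual concatenation in the post left out.
function oauthAuthorizeUrl(string $shop, string $apiKey, string $scopes, string $redirectUri): string
{
    if (!validShopDomain($shop)) {
        throw new InvalidArgumentException('shop must be a *.myshopify.com host');
    }
    return 'https://' . $shop . '/admin/oauth/authorize?' . http_build_query([
        'client_id'    => $apiKey,
        'scope'        => $scopes,
        'redirect_uri' => $redirectUri,
    ]);
}

// The authorize page is served by Shopify, and its frame-ancestors policy is
// decided there, not by this app. When the request is embedded, navigate the
// top-level window instead of answering with a redirect inside the frame.
function redirectToOauth(string $url): void
{
    $embedded = ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? '') === 'iframe';
    if (!$embedded) {
        header('Location: ' . $url, true, 302);
        return;
    }
    // JSON-encode the URL so it is a safe JavaScript string literal inside the HTML.
    $safeUrl = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    header('Content-Type: text/html; charset=utf-8');
    echo '<!doctype html><script>window.top.location.href = ' . $safeUrl . ';</script>';
}

// Usage with constructed placeholder values.
$shop = $_GET['shop'] ?? 'mystore.myshopify.com';
sendFramePolicy($shop);
// During debugging, queuedCspHeaders() should now contain exactly one entry.
redirectToOauth(oauthAuthorizeUrl(
    $shop,
    'API_KEY_PLACEHOLDER',
    'read_products',
    'https://example.com/shopifyapi/callback'
));
```

If `queuedCspHeaders()` still returns two entries after `sendFramePolicy()`, the second one is coming from a later point in the request (a framework filter, a front controller, or the web server itself), which is the conflicting header Liam's answer refers to.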

Same problem. Is there any information regarding this issue?