Customize csp. content-security-policy: frame-ancestors 'none'

EyalS
Shopify Partner

Hi,

I see that some Shopify stores return a different configuration in the HTTP csp header.

In my test store, it is:

content-security-policy: block-all-mixed-content; frame-ancestors 'none'; ...
but in other stores, like https://www.bluebella.com - it is:
content-security-policy: block-all-mixed-content; frame-ancestors *; ...

I would like to change the csp of my store, so that it would be: frame-ancestors *;
or at least: frame-ancestors 'self'
Does anyone know how can I configure this header?

Thanks,
EyalS

_JB
Shopify Staff

Hey @EyalS,

By default, Shopify prevents stores from being rendered in an iframe, which mitigates the possibility of clickjacking attacks. This includes setting the CSP header to none, and setting X-Frame-Options to DENY. To have this disabled, the account owner can contact our support team and ask them to disable clickjacking protection.

JB | Solutions Engineer @ Shopify 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit Shopify.dev or the Shopify Web Design and Development Blog

DariusWS
Explorer

@_JB is it only possible to turn clickjacking protection on/off? If the CSP header is set to SELF, is clickjacking possible? Because right now we have <amp-story-player> and it creates an iframe. I can add other websites' URLs, like makestories.io, but I can't add my own website URL with AMP...

Gabe
Shopify Staff

Might help

https://community.shopify.com/c/Ecommerce-Marketing/Google-Optimize-and-Content-Security-Policy-CSP-...

Gabe | Social Care @ Shopify
 - Was my answer helpful? Click Like to let me know!
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more, visit the Shopify Help Center or the Shopify Blog

Balouchi
Excursionist

Hello, can you please help me resolve this issue? I am stuck here. Help is appreciated.

Thanks

ISSUE

Requirements that must be met before initial screening
  1. App must set security headers to protect against clickjacking.
    Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.
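
The requirement quoted above calls for a per-shop `frame-ancestors` allow-list. As an added example (not the poster's code and not Shopify's), this helper builds that header value from the `shop` parameter an embedded app receives, validating the domain first so an untrusted query value cannot widen the allow-list or inject further directives; function names are illustrative.

```javascript
// Added example: derive the frame-ancestors CSP value for an embedded Shopify
// app from the `shop` request parameter. Function names are illustrative.

// Only a real *.myshopify.com shop domain may be echoed into the header.
// Other hosts, extra dots, uppercase, spaces or ';' are rejected: echoing
// them would either widen the allow-list or let a caller append directives.
const SHOP_DOMAIN = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

function isValidShopDomain(shop) {
  return typeof shop === 'string' && shop.length <= 253 && SHOP_DOMAIN.test(shop);
}

// Returns the Content-Security-Policy value for a response. Without a valid
// shop we deny framing entirely rather than guess, matching the
// `frame-ancestors 'none'` default described earlier in the thread.
function buildFrameAncestorsCsp(shop) {
  if (!isValidShopDomain(shop)) {
    return "frame-ancestors 'none'";
  }
  return `frame-ancestors https://${shop} https://admin.shopify.com`;
}

// Applies the header to any Node-style response object exposing setHeader
// (http.ServerResponse, an Express res, ...). X-Frame-Options is not set
// here: it cannot express a cross-origin allow-list, and CSP Level 2 gives
// frame-ancestors precedence when both headers are present.
function applyFrameAncestors(res, shop) {
  const value = buildFrameAncestorsCsp(shop);
  res.setHeader('Content-Security-Policy', value);
  return value;
}

// Constructed sample inputs:
//   buildFrameAncestorsCsp('example-store.myshopify.com')
//     -> "frame-ancestors https://example-store.myshopify.com https://admin.shopify.com"
//   buildFrameAncestorsCsp('evil.com; script-src *')
//     -> "frame-ancestors 'none'"
```

In a real handler the `shop` argument is the value read from the request (for example `req.query.shop`), and the same validation should gate every other place that value is reused.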
shodev
Tourist

Hi. This is a CRITICAL issue for merchants that want to use apps that rely on iframes, and developers of such apps. I ran into this issue still today (the first topic on this I found was over four years old).

Could you allow merchants to change the X-Frame-Options response header value (or Content-Security-Policy, directive frame-ancestors, if that is used) via the Shopify Admin panel? At least to "SAMEORIGIN" ('self' in case of CSP), which would hardly be a security risk. This would be a BIG help to the mentioned merchants and developers... Thanks!