The CSP frame-ancestors 'none' setting is causing some problems.
Our new web application has some embedded iframes which point to pages in our legacy web application. In the legacy application, we redirect the user to their store's "/auth/login" URL. However, we noticed that the "/auth/login" endpoint has a content-security-policy response header of "frame-ancestors 'none'", which prevents the redirect from occurring and throws the following error:
Refused to display 'https://our-store.myshopify.com/admin/auth/login' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
Is there a simple way to work around this that lets the user log in from within an iframe?
I am facing a similar issue with the "frame-ancestors 'none';" header value.
It is now allowing me to domain forward using masking.
I encountered a similar problem and detailed it here: https://community.shopify.com/c/Shopify-APIs-SDKs/App-doesn-t-load-in-iframe-on-firefox-safari/m-p/7...
Any movement on this?
I have the same issue - can't add the Shopify cart widget to my site since our shop can't be loaded into an embedded iframe, even though Shopify says to use it in an iframe.
The HTTP header causing this problem is on Shopify's end since they're the ones hosting the pages.
Actually I just found out that the post I read was from 2013. Please disregard my request for an update - it is clear to me now that Shopify doesn't allow it any more.
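Why the browser refuses the frame in the original question, as an added example that is not part of the thread: a simplified model of the frame-ancestors check (not a full CSP implementation) showing that every ancestor frame must match the source list, while a top-level load has no ancestors to check. The function names and the `app.example.com` / `other.test` URLs are assumptions constructed for illustration.

```javascript
// Simplified model of the browser's frame-ancestors check (not a full CSP parser).
// Returns the directive's source list, or null when the header has no frame-ancestors.
function parseFrameAncestors(cspHeader) {
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one source expression match one ancestor URL? pageUrl is the framed page ('self').
function sourceMatches(source, ancestorUrl, pageUrl) {
  const a = new URL(ancestorUrl), self = new URL(pageUrl), s = source.toLowerCase();
  if (s === "'none'") return false;                        // matches nothing
  if (s === "'self'") return a.origin === self.origin;
  if (s === '*') return a.protocol === 'http:' || a.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return a.protocol === s;   // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  const schemeOk = scheme ? a.protocol === scheme + ':'
                          : (a.protocol === self.protocol || a.protocol === 'https:');
  const hostOk = wild ? a.hostname.endsWith('.' + host) : a.hostname === host;
  const effPort = a.port || (a.protocol === 'https:' ? '443' : '80');
  const portOk = port === '*' || (port ? port === effPort : a.port === '');
  return schemeOk && hostOk && portOk;
}

// ancestorUrls: URLs of every frame above the page, nearest parent first.
// An empty list means the page is loaded at the top level.
function framingAllowed(cspHeader, pageUrl, ancestorUrls) {
  const sources = parseFrameAncestors(cspHeader);
  if (sources === null) return true;   // frame-ancestors does not fall back to default-src
  return ancestorUrls.every(a => sources.some(s => sourceMatches(s, a, pageUrl)));
}

// Login URL from the error message in the thread; the ancestor is a constructed sample.
const LOGIN = 'https://our-store.myshopify.com/admin/auth/login';
const APP = 'https://app.example.com/';
console.log(framingAllowed("frame-ancestors 'none'", LOGIN, [APP])); // framed by the new app
console.log(framingAllowed("frame-ancestors 'none'", LOGIN, []));    // loaded at top level
```

Because the header is sent by the host serving the login page, only that host can change the result for a framed load.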