Important

You are browsing upcoming documentation for version 6.1 of OroCommerce, scheduled for release in 2025. Read the documentation for version 6.0 (the latest LTS version) to get up-to-date information.

See our Release Process documentation for more information on the currently supported and upcoming releases.

Content Security Policy (CSP) 

SalesFrontendBundle automatically configures CSP headers to allow embedding of the OroCommerce application into an iframe of the Sales Frontend application.

CSP is automatically configured for the following URLs:

  • %oro_sales_frontend.routing_prefix%/*

where %oro_sales_frontend.routing_prefix% is /admin/sales-frontend by default.

Note

The routing prefix can be changed via the bundle configuration; see the Routing Prefix configuration section for details.

CSP is configured by \Oro\Bundle\SalesFrontendBundle\EventListener\Kernel\SetContentSecurityPolicyOnResponseListener, which by default sets the following directive in the Content-Security-Policy header:

  • frame-ancestors 'self'

Note that the keyword is quoted: in CSP syntax an unquoted self is parsed as a host named "self", not as the current origin.

The allowed frame ancestors (that is, the Sales Frontend application hosts) are added to the directive automatically from the oro_sales_frontend.app_base_urls bundle configuration setting. For example, when the Sales Frontend host is https://example.com, the following CSP header is sent to the browser:

Content-Security-Policy: frame-ancestors 'self' https://example.com
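The following PHP is an added example written for this page; it is not the code of SetContentSecurityPolicyOnResponseListener or of any other OroCommerce class. It models the decisions such a listener has to make when it turns a routing prefix and a list of base URLs into the header shown above: only responses under the prefix get the directive, 'self' is emitted quoted, each base URL is reduced to scheme://host[:port] so that a trailing path or mixed-case host never changes the source expression, unusable entries are dropped, and an existing Content-Security-Policy on the response is extended rather than overwritten. The class and method names and the constructed base URLs are assumptions made for illustration; the default prefix and the app_base_urls setting name are taken from the text above. It requires PHP 8 and runs stand-alone with php file.php.

```php
<?php
declare(strict_types=1);

// Added example, not OroCommerce's own listener. Class, method and
// input values below are illustrative assumptions.
final class FrameAncestorsPolicy
{
    /**
     * @param string       $routingPrefix default taken from the page text
     * @param list<string> $appBaseUrls   stand-in for oro_sales_frontend.app_base_urls
     */
    public function __construct(
        private string $routingPrefix = '/admin/sales-frontend',
        private array $appBaseUrls = [],
    ) {
    }

    /** True only for the prefix itself or paths below it (not e.g. /admin/sales-frontend-other). */
    public function appliesTo(string $path): bool
    {
        $prefix = rtrim($this->routingPrefix, '/');
        return $path === $prefix || str_starts_with($path, $prefix . '/');
    }

    /** Reduce a base URL to a CSP host-source (scheme://host[:port]); null if it is not an http(s) URL. */
    public static function toSource(string $url): ?string
    {
        $parts = parse_url($url);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return null; // javascript:, data:, bare paths, etc. are never frame ancestors
        }
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, ['https', 'http'], true)) {
            return null;
        }
        // Path, query and fragment are deliberately discarded: a path in the
        // source expression would narrow which ancestor URLs may embed us.
        $source = $scheme . '://' . strtolower($parts['host']);
        if (isset($parts['port'])) {
            $source .= ':' . $parts['port'];
        }
        return $source;
    }

    /** The directive value: quoted 'self' plus each distinct configured origin. */
    public function directive(): string
    {
        $sources = ["'self'"];
        foreach ($this->appBaseUrls as $url) {
            $source = self::toSource($url);
            if ($source !== null && !in_array($source, $sources, true)) {
                $sources[] = $source;
            }
        }
        return 'frame-ancestors ' . implode(' ', $sources);
    }

    /**
     * Header value to send for $path, merged with an existing CSP value if the
     * response already carries one; null when the path is outside the prefix.
     */
    public function headerFor(string $path, ?string $existing = null): ?string
    {
        if (!$this->appliesTo($path)) {
            return null;
        }
        $directive = $this->directive();
        if ($existing === null || trim($existing) === '') {
            return $directive;
        }
        // Keep every other directive of the upstream policy; replace only frame-ancestors.
        $kept = array_filter(
            array_map('trim', explode(';', $existing)),
            static fn (string $d): bool => $d !== '' && !str_starts_with(strtolower($d), 'frame-ancestors')
        );
        $kept[] = $directive;
        return implode('; ', $kept);
    }
}

// Constructed inputs for a stand-alone run.
$policy = new FrameAncestorsPolicy('/admin/sales-frontend', [
    'https://example.com',
    'https://Example.com/some/path/',  // same origin as above after normalisation
    'https://sales.example.net:8443',
    'javascript:alert(1)',             // dropped: not an http(s) origin
]);

var_dump($policy->headerFor('/admin/sales-frontend/orders'));
var_dump($policy->headerFor('/admin/sales-frontend/orders', "default-src 'self'; frame-ancestors 'none'"));
var_dump($policy->headerFor('/admin/dashboard'));
```

In a Symfony kernel.response listener, which is where the bundle's own listener hooks in, the same logic would be driven by $event->getRequest()->getPathInfo() and $event->getResponse()->headers->get('Content-Security-Policy'), and the header set only when headerFor() returns a non-null value. The third call above returns null, so responses outside the prefix keep whatever clickjacking protection the rest of the application already applies; widening frame-ancestors for the Sales Frontend routes should never loosen it anywhere else.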

Note

As per the W3C CSP Level 2 specification, the frame-ancestors directive obsoletes the X-Frame-Options header: a browser that supports frame-ancestors must ignore X-Frame-Options when an enforced policy containing frame-ancestors is present, so the value configured here is what governs embedding for these URLs.