After installing the May 2021 CU you will not be able to open or add new SharePoint Store apps, because the iframe from the appinv.aspx page is now blocked by default.
This is an example of the error:
Chrome-error://chromewebdata/:1 Refused to display ‘https://spaad.contoso.local/’ in a frame because it set multiple ‘X-Frame-Options’ headers with conflicting values (‘DENY, SAMEORIGIN’). Falling back to ‘deny’.
This issue has been corrected in the September CU 2021 for 2013, 2016 and 2019. After installing the patch, SharePoint Admin’s will need to create a new Farm property named “AddGenericAllowedListValue’ and add the SharePoint site URL in the “AllowIframeAppAuthorizePageDomains” list.
$farm = Get-SPFarm
- You can add more than one trusted domain to the AllowIframeAppAuthorizePageDomains by using the command multiple times.
- You can add the wildcard domain such as *.contoso.com to the AllowIframeAppAuthorizePageDomains.