cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon Shopify

[Bug]: Codespaces `app dev` CSP error

Open aaronadamsCA opened this issue 4 months ago • 3 comments

Please confirm that you have:

  • [x] Searched existing issues to see if your issue is a duplicate. (If you’ve found a duplicate issue, feel free to add additional information in a comment on it.)
  • [x] Reproduced the issue in the latest CLI version.

In which of these areas are you experiencing a problem?

App

Expected behavior

shopify app dev should work correctly in a Codespaces environment.

Actual behavior

The Shopify embedded app iframe shows "github.com refused to connect." The error message is:

Refused to frame 'https://github.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

The root cause seems to be that GitHub auth cookies have SameSite=Lax, so the iframe will never see them.

I can work around it with CODESPACE_NAME= pnpm exec shopify app dev to force a Cloudflare tunnel (side note, I'd love a better way to configure the tunnel).

Verbose output

N/A

Reproduction steps

  1. Start the embedded app template in Codespaces.
  2. Run shopify app dev and open the preview URL.

Operating System

Codespaces

Shopify CLI version (shopify --version)

@shopify/cli/3.83.2

Shell

No response

Node version (run node -v if you're not sure)

No response

What language and version are you using in your application?

No response

aaronadamsCA avatar Aug 09 '25 20:08 aaronadamsCA

Thanks for the report @aaronadamsCA, i'll add a internal note to fix this, but since there is an easy workaround i'll mark it as non-urgent.

When you say "a better way to configure the tunnel", what do you have in mind? what config would be useful to have?

isaacroldan avatar Aug 19 '25 11:08 isaacroldan

This issue seems inactive. If it's still relevant, please add a comment saying so. Otherwise, take no action. → If there's no activity within a week, then a bot will automatically close this. Thanks for helping to improve Shopify's dev tooling and experience.

P.S. You can learn more about why we stale issues here.

github-actions[bot] avatar Oct 01 '25 03:10 github-actions[bot]

Oh wow, I have spent the last two bloody days battling this problem trying to load the app in Shopify backend from a development environment in Github Codespaces! I couldn't even get a Cloudflare Quick Tunnel to work.

This should not be closed and developing in Codespaces with Shopify CLI should NOT be this challenging! I have given up with it now as nothing I tried worked. Plan to look at Ngrok hoping this may allow me to get somewhere with it.

Definitely should not be marked as non-urgent @isaacroldan this just basically does not work following any documentation I could find. If there is an easy workaround, it would be really good if someone could actually document this somewhere!

zigojacko2 avatar Oct 17 '25 16:10 zigojacko2

Is there a workaround for this issue? I am trying to create app using Codespaces for Shopify but every time i run the app, i get the same error: “Framing 'https://github.com/' violates the Content Security Policy directive: 'frame-ancestors 'none''. The request has been blocked.” I cannot use other options like ngrok and cloudflare.

opplearner avatar Nov 27 '25 01:11 opplearner