
Adding the new Shopify frame-ancestor policy

Open Kurbm opened this issue 2 years ago • 0 comments

Hey @kirillplatonov

Shopify now enforces the frame-ancestors policy for new apps (`frame-ancestors https://[shop].myshopify.com https://admin.shopify.com/`). Do you have an idea how it needs to be implemented?

I'm just playing around with the following

Based on the CSP from Shopify's JWT Sample app: https://github.com/Shopify/turbolinks-jwt-sample-app

```ruby
initial_frame_ancestors = [:https, "*.myshopify.com", "admin.shopify.com"]

# Rails evaluates CSP lambdas in the controller instance for each request,
# so params, request and session resolve there (the sample app keeps this
# method in ApplicationController).
def current_domain
  @current_domain ||= (params[:shop] && ShopifyApp::Utils.sanitize_shop_domain(params[:shop])) ||
    request.env["jwt.shopify_domain"] ||
    session[:shopify_domain]
end

# Per-shop frame-ancestors once the shop is known, wildcard fallback before that.
frame_ancestors = lambda {
  current_domain ? [current_domain, "admin.shopify.com"] : initial_frame_ancestors
}

Rails.application.config.content_security_policy do |policy|
  policy.default_src(:https, :self)
  policy.style_src(:https, "'unsafe-inline'", "cdn.shopifycloud.com")
  policy.script_src(:https, "'unsafe-inline'", "cdn.shopifycloud.com")
  policy.img_src(:self, :https, :data, "cdn.shopifycloud.com")
  policy.upgrade_insecure_requests(true)
  policy.frame_ancestors(frame_ancestors)
end
```

This now leads to the problem that the Recurring Charge Workflow with a full-page redirect does not work anymore.

Best, Kevin

Kurbm, Sep 13 '22 19:09
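The policy in the post computes `frame-ancestors` per shop and falls back to a wildcard list before the shop is known. The following is an added, framework-free example (not code from this issue or from the shopify-hotwire-sample project) that builds the same directive and checks which embedding origins it admits; `sanitize_shop_domain` here is a simplified stand-in for `ShopifyApp::Utils.sanitize_shop_domain` and the shop names are constructed sample values.

```ruby
require "uri"

# Accept only a single *.myshopify.com label (no subdomains, no trailing hosts).
SHOP_DOMAIN = /\A[a-z0-9][a-z0-9\-]*\.myshopify\.com\z/

# Same fallback list as the issue's initial_frame_ancestors, as CSP source strings.
INITIAL_FRAME_ANCESTORS = ["https:", "*.myshopify.com", "admin.shopify.com"].freeze

# Normalise a shop parameter to "<name>.myshopify.com", or nil if it is not one.
# Simplified stand-in for ShopifyApp::Utils.sanitize_shop_domain (assumption).
def sanitize_shop_domain(shop)
  return nil if shop.nil?

  host = shop.to_s.strip.downcase
  host = host.sub(%r{\Ahttps?://}, "").sub(%r{/.*\z}, "")
  host = "#{host}.myshopify.com" unless host.include?(".")
  SHOP_DOMAIN.match?(host) ? host : nil
end

# Per-shop allow-list when the shop is known, wildcard fallback otherwise.
def frame_ancestors_for(shop)
  domain = sanitize_shop_domain(shop)
  domain ? ["https://#{domain}", "https://admin.shopify.com"] : INITIAL_FRAME_ANCESTORS
end

# The directive as it would appear in the Content-Security-Policy header.
def csp_header_for(shop)
  "frame-ancestors #{frame_ancestors_for(shop).join(' ')}"
end

# Mirror the browser's frame-ancestors matching for an embedding page's origin:
# "https:" matches any https origin, "*.host" matches one level of subdomain,
# a bare host matches exactly.
def embedding_allowed?(shop, embedder_origin)
  uri = URI.parse(embedder_origin)
  return false unless uri.scheme == "https" && uri.host

  frame_ancestors_for(shop).any? do |source|
    if source == "https:"
      true
    elsif source.start_with?("*.")
      uri.host.end_with?(source[1..]) # "*.myshopify.com" -> ".myshopify.com"
    else
      uri.host == source.sub(%r{\Ahttps://}, "")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts csp_header_for("example.myshopify.com")
  puts csp_header_for(nil)
  puts embedding_allowed?(nil, "https://unrelated.example") # true: fallback is permissive
end
```

Two things the check makes visible: a shop value such as `example.myshopify.com.evil.com` or `https://evil.com/example.myshopify.com` sanitises to nil rather than becoming a frame ancestor, and the fallback list's `:https` source admits any https embedder until the shop is known, so requests that never carry a shop (such as a full-page redirect back from a charge approval) get the wide policy rather than the per-shop one.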