
frame-ancestors against clickjacking


ysern
Shopify Partner
15 0 4

Hi there,

It's quite a common problem, as I see it, but it seems there's still no reliable solution. I submit the app for review and keep getting the rejection:

App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

I tried everything from here and carefully debugged with this doc. I even tried to find the problem with request header logging during the review.

I develop an embedded app with the nodejs template from the docs.

I set this in the middleware, but it has no effect.

ctx.set('Content-Security-Policy', `frame-ancestors https://shop-from-request.myshopify.com https://admin.shopify.com;`);

It would be interesting to see header logs from an approved app, or maybe you can share a working template that gets approved.

Do you use the shop saved in cookies, or just the one from ctx.query.shop in the middleware ctx?

Any help would be much appreciated. I hope Shopify will notice and give more details about such review rejections.
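As an added example (my own code, not from the original post and not Shopify's Node template), here is a Koa-style middleware that does what the rejection text asks for: it takes the shop from ctx.query.shop, validates it against the *.myshopify.com pattern before interpolating it into the header (so a crafted shop parameter cannot add other origins to frame-ancestors or break the header syntax), and falls back to denying framing when no valid shop is known. The ctx shape is Koa's; the cookie fallback (ctx.cookies.get('shop')) is a hypothetical session store, and the 'none' fallback is my choice, not a documented Shopify requirement.

```javascript
// Added example, not from the original post: derive the shop from the request
// and build a per-shop frame-ancestors Content-Security-Policy value.

// Only a bare *.myshopify.com host is accepted: no scheme, path, port,
// whitespace or CSP delimiters (';', ' ') can get into the header.
const SHOP_DOMAIN_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Returns the normalized (trimmed, lower-cased) shop domain, or null when the
// value does not look like a real *.myshopify.com domain.
function normalizeShopDomain(raw) {
  if (typeof raw !== 'string') return null;
  const shop = raw.trim().toLowerCase();
  return SHOP_DOMAIN_RE.test(shop) ? shop : null;
}

// Builds the header value the review text asks for. When no valid shop is
// known it denies all framing ('none'); that fallback is an assumption made
// here for safety, not Shopify's documented requirement.
function buildFrameAncestors(shop) {
  const validShop = normalizeShopDomain(shop);
  if (!validShop) return "frame-ancestors 'none';";
  return `frame-ancestors https://${validShop} https://admin.shopify.com;`;
}

// Koa-style middleware. ctx.query.shop is the value Shopify appends to the
// embedded app URL; the 'shop' cookie is a hypothetical session store used
// only when the query parameter is absent.
async function cspMiddleware(ctx, next) {
  const shopFromQuery = ctx.query ? ctx.query.shop : undefined;
  const shopFromCookie = ctx.cookies ? ctx.cookies.get('shop') : undefined;
  const header = buildFrameAncestors(shopFromQuery || shopFromCookie);
  // The header is set before the downstream handlers run, so every response
  // (including error pages) carries the directive.
  ctx.set('Content-Security-Policy', header);
  await next();
}

// Constructed sample request, to show the middleware stand-alone without Koa.
function demo() {
  const headers = {};
  const ctx = {
    query: { shop: 'My-Store.myshopify.com' },
    set: (name, value) => { headers[name] = value; },
  };
  cspMiddleware(ctx, async () => {});
  return headers['Content-Security-Policy'];
}
```

Logging the result of buildFrameAncestors next to the raw ctx.query.shop value during a review run makes it easy to see whether the reviewer's request ever carried a shop parameter at all, which is the usual reason the header ends up with the wrong (or a placeholder) shop.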


Appify_Commerce
Shopify Partner
31 1 3

Hi there, did you find the solution? We are also having the same issue.