frame-ancestors against clickjacking

ysern
Shopify Partner

Hi there,

It's quite a common problem as far as I can see, but it seems there's still no reliable solution. I submit the app for review and keep getting this rejection:

App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

I tried everything from here and carefully debugged with this doc. I even tried to find the problem with request header logging during the review.

I'm developing an embedded app with the Node.js template from the docs.

I set this in middleware, but it had no effect.

ctx.set('Content-Security-Policy', `frame-ancestors https://shop-from-request.myshopify.com https://admin.shopify.com;`);

It would be interesting to see the header logs from an approved app, or maybe you can share a working template that gets approved.

Do you use the shop saved in cookies, or only the one from ctx.query.shop in the middleware ctx?

Any help would be very much appreciated. I hope Shopify will notice and give more details about such review rejections.

Reply 1 (1)

Appify_Commerce
Shopify Partner

Hi there, did you find the solution? We are also having the same issue.
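The question in the original post is where the shop host in the frame-ancestors directive should come from and how to set it from Koa-style middleware. The following is an added example, not the poster's code and not Shopify's own template: it builds the directive from the request, accepting the shop from the `shop` query parameter first and from a saved session second, and validates the value against the `*.myshopify.com` pattern before it is interpolated into a header, so a crafted `shop` value cannot inject extra hosts or directives. If no valid shop is found it emits `frame-ancestors 'none'` rather than a permissive fallback. The `ctx.state.session.shop` location, the `makeCtx` stand-in for Koa's context and the host regex are assumptions made for this example; the real app would use its own session store.

```javascript
// Added example: Koa-style middleware that sets the Content-Security-Policy
// frame-ancestors directive an embedded Shopify app is expected to send.
// Not the original poster's code and not Shopify's template code.

// Assumption: a shop host is <name>.myshopify.com with only these characters.
// Anchored on both ends so "evil.com; script-src *" or
// "example.myshopify.com.attacker.net" are rejected.
const SHOP_DOMAIN_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Return the canonical lowercase shop host, or null if the value is not a
// valid myshopify.com host. Accepts "https://shop.myshopify.com/..." too,
// but only the host part survives. Non-strings (e.g. a repeated ?shop=
// parameter parsed as an array) are rejected.
function normalizeShop(raw) {
  if (typeof raw !== 'string') return null;
  let host = raw.trim().toLowerCase();
  host = host.replace(/^https?:\/\//, '').replace(/\/.*$/, '');
  return SHOP_DOMAIN_RE.test(host) ? host : null;
}

// Build the directive for a given shop. Without a verified shop the safe
// answer is to forbid framing entirely; never fall back to a wildcard.
function frameAncestorsFor(shop) {
  const host = normalizeShop(shop);
  if (!host) return "frame-ancestors 'none';";
  return `frame-ancestors https://${host} https://admin.shopify.com;`;
}

// Where the shop comes from: the query string on the first load from the
// admin, then a saved session on later requests. Assumption for this
// example: the app stores its session on ctx.state.session.
function shopFromRequest(ctx) {
  const fromQuery = ctx.query && ctx.query.shop;
  if (fromQuery) return fromQuery;
  const session = ctx.state && ctx.state.session;
  return session && session.shop ? session.shop : null;
}

function cspHeaderForCtx(ctx) {
  return frameAncestorsFor(shopFromRequest(ctx));
}

// The middleware itself. Mount it before the route that serves the app's
// HTML so the framed document carries the header; ctx.set writes a
// response header in Koa.
function cspFrameAncestors() {
  return async function (ctx, next) {
    ctx.set('Content-Security-Policy', cspHeaderForCtx(ctx));
    await next();
  };
}

// Minimal stand-in for Koa's ctx so the example runs without Koa installed.
// Constructed for this example only.
function makeCtx(query, sessionShop) {
  const headers = {};
  return {
    query,
    state: { session: sessionShop ? { shop: sessionShop } : null },
    headers,
    set(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Stand-alone demonstration with constructed requests.
for (const [label, ctx] of [
  ['first load via ?shop=', makeCtx({ shop: 'example.myshopify.com' }, null)],
  ['later request, shop from session', makeCtx({}, 'saved.myshopify.com')],
  ['injection attempt', makeCtx({ shop: 'evil.com; script-src *' }, null)],
  ['no shop at all', makeCtx({}, null)],
]) {
  console.log(label + ': ' + cspHeaderForCtx(ctx));
}

module.exports = { normalizeShop, frameAncestorsFor, shopFromRequest, cspHeaderForCtx, cspFrameAncestors, makeCtx };
```

One check worth doing while debugging a rejection: fetch the app's HTML entry point with the same `shop` parameter the admin sends and confirm the `content-security-policy` response header is present on that document, not only on API responses. A redirect to OAuth or a static-file handler that runs before this middleware will serve pages without the header.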