Hi,
I am trying to develop a public app & it got rejected for Content-Security-Policy as
per https://shopify.dev/apps/store/security/iframe-protection guidelines.
Shopify rejected our app and the reply for the failure I received was
[Your primary app listing has 1 issues to fix before you can submit your app for review
App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks.
The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop]
is the shop domain the app is embedded on.]
I have already added the following in my code:
// Koa: build the frame-ancestors directive from the `shop` query parameter
var fa = `frame-ancestors https://${ctx.query.shop} https://admin.shopify.com`;
// sets the header on this response only; every route that returns HTML needs it
ctx.set("Content-Security-Policy", fa);
but even after this, the app is getting rejected for Content-Security-Policy. Can someone
please guide me on an urgent basis: what am I doing wrong here?
@sureshsarak the header in the picture seems correct. Have you validated that you are returning this header on all routes that return HTML?
Yes I have validated for all the routes.
As long as you have verified all routes in the browser (on both install and re-install) and selected 'Doc' under Network as per Shopify's doc, I recommend you reach out to the app review team (by responding to the review email). They are pretty responsive and friendly.
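The two points raised in this thread, the header must be present on every HTML route and the shop value in it comes straight from a query parameter, are shown together below in an added example that is not the original poster's code or Shopify's. It assumes a Node.js Koa-style app where `ctx.query.shop` and `ctx.set` exist as in the post; the `fakeContext` helper is a constructed stand-in for a Koa context so the middleware can be run without the framework installed. Setting the header in a middleware that runs before every route handler removes the "did I cover all routes" problem, and validating the shop host before reflecting it into the header keeps untrusted input (for example a value containing `;` or whitespace) from altering the policy.

```javascript
// Added example, not code from the original post. Builds the frame-ancestors
// Content-Security-Policy value Shopify's app review expects and applies it
// to every response through Koa-style middleware.

// Only *.myshopify.com hosts are accepted (assumed pattern for shop domains).
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Returns the validated, lower-cased shop host, or null when the value is
// missing or does not look like a Shopify shop domain. Anything else could
// otherwise be reflected into the header as a separate directive.
function normalizeShop(shop) {
  if (typeof shop !== 'string') return null;
  const host = shop.trim().toLowerCase();
  return SHOP_RE.test(host) ? host : null;
}

// Builds the header value from the iframe-protection guidance. With no valid
// shop the page is made unframeable ('none') instead of emitting a header
// with a blank or attacker-controlled entry.
function buildFrameAncestors(shop) {
  const host = normalizeShop(shop);
  if (!host) return "frame-ancestors 'none'";
  return `frame-ancestors https://${host} https://admin.shopify.com`;
}

// Koa-style middleware (assumed ctx.query / ctx.set as in the post). Runs
// before any route handler, so every route, HTML or not, carries the header.
function cspMiddleware() {
  return async (ctx, next) => {
    const shop = ctx.query ? ctx.query.shop : undefined;
    ctx.set('Content-Security-Policy', buildFrameAncestors(shop));
    await next();
  };
}

// Constructed stand-in for a Koa context, used only to exercise the
// middleware here without installing Koa.
function fakeContext(query) {
  const headers = {};
  return {
    query,
    headers,
    set(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Runs the middleware against a constructed request and returns the header
// that would be sent to the browser.
function headerForRequest(query) {
  const ctx = fakeContext(query);
  // ctx.set is called synchronously before the middleware awaits next().
  cspMiddleware()(ctx, async () => {});
  return ctx.headers['content-security-policy'];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(headerForRequest({ shop: 'example-store.myshopify.com' }));
  console.log(headerForRequest({ shop: 'evil.example; script-src *' }));
}
```

In a real Koa app the middleware is registered with `app.use(cspMiddleware())` ahead of the router, which is what makes the "all routes" check trivially true.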