Issue While Implementing Content-Security-Policy In Public App

sureshsarak
Visitor

Hi,

I am trying to develop a public app & it got rejected for Content-Security-Policy as
per https://shopify.dev/apps/store/security/iframe-protection guidelines.

Shopify rejected our app and the reply for the failure I received was:

[Your primary app listing has 1 issue to fix before you can submit your app for review

App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks.
The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.]

I have already added the following in my code:

// Only trust a shop value shaped like a real *.myshopify.com host; anything else refuses framing
const shop = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i.test(ctx.query.shop) ? ctx.query.shop : null;
const fa = shop ? `frame-ancestors https://${shop} https://admin.shopify.com` : "frame-ancestors 'none'";
ctx.set("Content-Security-Policy", fa);

but even after this, the app is getting rejected for Content-Security-Policy. Can someone
please guide me on an urgent basis: what am I doing wrong here?

Replies 3 (3)

InfiniteCom
Shopify Partner

@sureshsarak The header in the picture seems correct. Have you validated that you are returning this header on all routes that return HTML?

Imagine editing your product and variant images on your local drive in realtime.
Check out InfiniteSync Image Upload / Export and sync with your local or online drive

Did we answer your question? if yes, please like and/or accept the solution
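Putting the two points above together (a header built from a validated shop, present on every HTML route), here is an added example in the Koa style the question uses. It is not the poster's code or Shopify's; `frameAncestorsFor`, `cspMiddleware` and the hand-built `fakeCtx` stand-in for Koa's context are assumptions made so the file runs offline without the koa package.

```javascript
// Shopify store domains: a label of letters, digits and hyphens followed by .myshopify.com.
// Anchored so "shop.myshopify.com.evil.example" or a value with a path cannot slip through.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Returns the Content-Security-Policy value for a shop query parameter (possibly absent).
function frameAncestorsFor(shop) {
  if (typeof shop === "string" && SHOP_RE.test(shop)) {
    return `frame-ancestors https://${shop} https://admin.shopify.com`;
  }
  // Missing or malformed shop: refuse framing instead of emitting the invalid
  // "frame-ancestors https:// https://admin.shopify.com" that a bare template produces.
  return "frame-ancestors 'none'";
}

// Koa-shaped middleware (hypothetical name). Registered once with app.use(), it sets the
// header before any route handler runs, so install, re-install, home and error pages all
// carry it, which is what the reviewer's "all routes that return HTML" check looks for.
function cspMiddleware() {
  return async (ctx, next) => {
    ctx.set("Content-Security-Policy", frameAncestorsFor(ctx.query.shop));
    await next();
  };
}

// Constructed stand-in for Koa's ctx, only what the middleware touches (not the real package).
function fakeCtx(query) {
  const headers = {};
  return {
    query,
    headers,
    set(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Runs the middleware for one request and returns the CSP header it produced.
async function cspFor(query) {
  const ctx = fakeCtx(query);
  await cspMiddleware()(ctx, async () => {});
  return ctx.headers["content-security-policy"];
}

// Demo: a normal embedded load, then a route hit without a shop parameter.
cspFor({ shop: "example-store.myshopify.com" }).then(console.log);
cspFor({}).then(console.log);
```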
sureshsarak
Visitor

Yes I have validated for all the routes.

InfiniteCom
Shopify Partner

As long as you have verified all routes in the browser (on both install and re-install) and selected 'Doc' under Network as per Shopify's doc, I recommend you reach out to the app review team (by responding to the review email). They are pretty responsive and friendly.
