I have implemented frame-ancestors content security policy directive but not sure how to test

usamadevhg
Shopify Partner
19 0 3

I have implemented the frame-ancestors content security policy directive but am not sure how to test whether it is implemented correctly. I have also checked the URL via this website: https://securityheaders.com/. It seems fine, but Shopify has rejected my app and sent this message. I am using Laravel in the backend.

Requirements that must be met before initial screening

  1. App must set security headers to protect against clickjacking.
     Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

OleksiiWheat
Shopify Partner
8 0 6

Hi, have you resolved that? I'm facing the same issue. 

usamadevhg
Shopify Partner
19 0 3

Not resolved yet.

OleksiiWheat
Shopify Partner
8 0 6

Actually, we sent multiple emails to the support team of Shopify with screencasts and screenshots. And at the end of the day, they said that we do have proper content-security-headers. But they haven’t elaborated on why we were rejected during pre-screening. I will keep this post in unresolved status to see if anyone has any ideas on why that could happen.

doughty
Shopify Partner
20 1 6

You ever get this resolved? Did you have to change anything?

Raghu05
Shopify Partner
1 0 0

Can you please tell how to set the frame-ancestors content security policy directive ?

OleksiiWheat
Shopify Partner
8 0 6

Hi, we are using the shopify_app gem for Ruby on Rails. In ApplicationController, we have:

before_action :content_security_headers

And two methods:

def content_security_headers
  # Only GET responses render embedded pages, so only they need the directive
  response.headers['Content-Security-Policy'] = current_domain if request.get?
end

def current_domain
  # Resolve the shop domain from the query string (sanitized), the session
  # token, or the session, in that order. Renamed the local variable so it
  # no longer shadows the method name.
  shop_domain = (params[:shop] &&
                 ShopifyApp::Utils.sanitize_shop_domain(params[:shop])) ||
                request.env['jwt.shopify_domain'] ||
                session[:shopify_domain]

  "frame-ancestors https://#{shop_domain} https://admin.shopify.com"
end
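The original question was how to verify the directive, and the Rails post above shows one way to build it. As an added example that is not code from the thread, the shopify_app gem, or Shopify, here is a small stand-alone Ruby script that does both: it builds the header value the rejection message asks for from a shop parameter, and it parses a Content-Security-Policy header value and checks that frame-ancestors lists exactly the two expected origins. The shop-domain regex, the helper names and the sample shop domain are assumptions for illustration; `fetch_csp` is optional and only needed if you want to check a live URL.

```ruby
# Added example (not from the thread or the shopify_app gem): build and verify
# the frame-ancestors directive Shopify's app review expects.
# Helper names, the domain regex and the sample domain are assumptions.
require 'uri'

# Assumed shape of a shop domain: a label followed by .myshopify.com.
SHOP_DOMAIN = /\A[a-z0-9][a-z0-9\-]*\.myshopify\.com\z/

# Accept only a plain *.myshopify.com host. Anything else (e.g. "evil.com"
# passed as ?shop=) is rejected so it can never end up in the header.
def sanitize_shop_domain(shop)
  return nil if shop.nil?
  host = shop.strip.downcase.sub(%r{\Ahttps?://}, '')
  SHOP_DOMAIN.match?(host) ? host : nil
end

# The exact header value the rejection message asks for.
def frame_ancestors_header(shop)
  domain = sanitize_shop_domain(shop) or raise ArgumentError, "invalid shop domain: #{shop.inspect}"
  "frame-ancestors https://#{domain} https://admin.shopify.com"
end

# Parse a CSP header value into { directive-name => [source, ...] }.
def parse_csp(value)
  value.split(';').each_with_object({}) do |part, out|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens[0].empty?
    out[tokens[0].downcase] = tokens[1..]
  end
end

# True only when frame-ancestors is present and lists exactly the shop's
# origin plus https://admin.shopify.com. A missing directive, a wildcard,
# or 'self' on its own all fail, which is what review is checking for.
def frame_ancestors_ok?(header_value, shop)
  return false if header_value.nil?
  domain = sanitize_shop_domain(shop)
  return false if domain.nil?
  sources = parse_csp(header_value)['frame-ancestors']
  return false if sources.nil?
  expected = ["https://#{domain}", 'https://admin.shopify.com']
  sources.map(&:downcase).sort == expected.sort
end

# Optional live check: request the app URL with ?shop=<domain> and return
# the Content-Security-Policy value the server actually sends.
def fetch_csp(url, shop)
  require 'net/http'
  uri = URI(url)
  uri.query = URI.encode_www_form(shop: shop)
  Net::HTTP.get_response(uri)['Content-Security-Policy']
end

if __FILE__ == $0
  shop = 'example-store.myshopify.com' # constructed sample domain
  good = frame_ancestors_header(shop)
  puts good
  puts frame_ancestors_ok?(good, shop)                 # true
  puts frame_ancestors_ok?("default-src 'self'", shop) # false: directive missing
  puts frame_ancestors_ok?('frame-ancestors *', shop)  # false: wildcard
end
```

To check a deployed app, call `frame_ancestors_ok?(fetch_csp('https://your-app.example/', shop), shop)` for a real shop domain; note that the header must be checked on the embedded app page itself, since a scanner that only fetches the root URL without a shop parameter may see a different response.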

JuanH
Shopify Partner
7 1 2

Same issue here, was someone able to fix it?

OleksiiWheat
Shopify Partner
8 0 6

In my case, the problem was on the Shopify side. There is a check in their docs under the “The app is embedded, but isn't following the expected frame-ancestors guidelines” section.

My app passed the check, so I took multiple screencasts of that check to prove that the app correctly sets the frame-ancestors directive and sent them to Shopify support. It took almost two weeks for them to resolve the issue, but at the end of the day, they agreed that there is no problem with the app.

OleksiiWheat
Shopify Partner
8 0 6

Hi @PosstackThanh, have you tried to update your app following these instructions? 
https://shopify.dev/apps/auth/oauth/update/ruby

Dynasort
Shopify Partner
56 5 14

Did you ever figure this out? I'm upgrading my (also PHP) apps over the holiday, and I can't get any partner or dev stores to stick to the admin.shopify.com domain - they all redirect to xyz.myshopify.com.

The Dynasort App

Dynamic collection sorting based on your product attributes. https://apps.shopify.com/dynasort
Dynasort
Shopify Partner
56 5 14

Thank you thank you thank you. Thought I was going nuts since I couldn't find that secret sauce anywhere.
