Why is the frame-ancestors value rejected for multiple Shopify shops?

Solved

Webdibs
Shopify Partner
30 2 9

Hello!

We added frame-ancestors as required on https://shopify.dev/apps/store/security/iframe-protection

We return the values https://*.myshopify.com and admin.myshopify.com to ensure that only Shopify shops and the admin work. But it got rejected; does someone know why? Does Shopify require returning only the requested shop domain? Is the wildcard domain https://*.myshopify.com not valid for Shopify?

There's no information in the documentation, and returning a wildcard domain is a valid response. So we don't know what happened. Do you have any recommendations?

Thanks for any help.

Stretching the limits of Shopify, WordPress & WooCommerce since 2010.

Replies (16)

liambolling
Visitor
2 0 2

I'm running into the same issue. We can't add every Shopify store URL in that field, so I'm confused about how to fix this.

filbertn
Visitor
2 0 1

I have the same issue as well. The app got rejected; are wildcards not allowed?

liambolling
Visitor
2 0 2

I restricted it using next-csp to the two URLs they suggest in review (admin and their test Shopify store), but it still got rejected. I'm so confused.

Webdibs
Shopify Partner
30 2 9

I think you also need to add any store that has installed the app, not only their testing store, because they use multiple.

Stretching the limits of Shopify, WordPress & WooCommerce since 2010.
filbertn
Visitor
2 0 1

Hey @Webdibs any updates on this? Were you able to fix it on your end? 🙂

I already did add the store URLs that have installed the app, but I still got rejected. 😞

TwoColors
Shopify Partner
78 0 23

@Shopify any updates on this? Any tips on how to set frame-ancestors dynamically?

Maciej Tokarczyk
Webdibs
Shopify Partner
30 2 9

Shopify replied to me that they want to see only their requested website plus admin.shopify.com.

They don't want to see a list of all applications or wildcards, just the requested shop's domain and admin.shopify.com.

Stretching the limits of Shopify, WordPress & WooCommerce since 2010.
Webdibs
Shopify Partner
30 2 9

I read on Slack that wildcards are not supported; it must be the exact domain of the store.

Stretching the limits of Shopify, WordPress & WooCommerce since 2010.

TwoColors
Shopify Partner
78 0 23

Personally, I added middleware to the server, where I get the shop URL from the request headers and add it to the response CSP. I just resubmitted the app; we'll see if that works out. The instructions Shopify included are way too short; I'm not sure whether they require this frame-ancestors during the installation process as well or what. I would appreciate more info on that from Shopify.

Maciej Tokarczyk

tarassh
Shopify Partner
4 0 3

Just add middleware which populates the required header. It worked for me.

Anglia
Tourist
5 0 2

How to solve this problem? Can you elaborate on the solution?

Webdibs
Shopify Partner
30 2 9

This is an accepted solution.

We got our application approved; we needed to reply to each request with the requested shop's domain and admin.shopify.com. For example, if example-store.myshopify.com makes a request to our app, we reply with:

frame-ancestors: example-store.myshopify.com admin.shopify.com

But if shop2.myshopify.com makes a request, the value will be:

frame-ancestors: shop2.myshopify.com admin.shopify.com

We solved it by using a middleware in PHP that returned those headers depending on the requesting site.

Stretching the limits of Shopify, WordPress & WooCommerce since 2010.
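The per-request approach the accepted answer describes, written as an added Node.js example (it is not Webdibs' PHP middleware, which the thread does not show). It assumes Shopify supplies the store as the `shop` query parameter (e.g. `?shop=example-store.myshopify.com`) and only reflects that value into `frame-ancestors` after checking it is an exact `*.myshopify.com` host; a missing or malformed value denies framing instead of widening the allowlist.

```javascript
// Added example: per-request Content-Security-Policy frame-ancestors for an
// embedded Shopify app. Assumption: the embedding store arrives as the `shop`
// query parameter (e.g. ?shop=example-store.myshopify.com).

// Exact store host only: one label, then .myshopify.com, anchored at both ends.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Returns the header value. A tampered or absent ?shop= cannot inject extra
// directives or add a foreign origin: anything not matching SHOP_RE gets 'none'.
function frameAncestorsFor(shop) {
  if (typeof shop !== 'string') return "frame-ancestors 'none';";
  const host = shop.trim().toLowerCase();
  if (!SHOP_RE.test(host)) return "frame-ancestors 'none';";
  return `frame-ancestors https://${host} https://admin.shopify.com;`;
}

// Express-style middleware (req, res, next). Mount it on the HTML routes the
// admin iframe loads; the thread's conclusion is that assets do not need it.
function cspFrameAncestors(req, res, next) {
  const shop = req.query && req.query.shop;
  res.setHeader('Content-Security-Policy', frameAncestorsFor(shop));
  next();
}
```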
Sinhaneil
New Member
8 0 0

In which file have you added the code?
I have tried this syntax:

header("Content-Security-Policy: frame-ancestors https://" . $_SESSION['shop'] . ".myshopify.com https://admin.shopify.com;"); // the '.' before myshopify.com was missing; assumes $_SESSION['shop'] holds only the store name

Can you please let me know the steps?

Webdibs
Shopify Partner
30 2 9

@Sinhaneil you have to add that in the headers. If you check the HTTP headers in the browser and these values appear, it means that it's OK.

Stretching the limits of Shopify, WordPress & WooCommerce since 2010.
gillu13
Shopify Partner
1 0 0

Hi, thanks for this very useful answer. Did you have to set this response header for ALL the responses sent to shops? Even for assets (CSS, JS, pictures, etc.), or only for HTML content displayed on the shop's side via an iframe?

Webdibs
Shopify Partner
30 2 9

I think only for the HTML, since this avoids faking the iframe and pointing it to another HTML file to display a different app.

Stretching the limits of Shopify, WordPress & WooCommerce since 2010.