CSP Frame Ancestors not allowing 'self' https://*.myshopify.com;

epelc
Shopify Partner

Hello,

After I submitted an app, it was rejected because the CSP did not set frame-ancestors correctly. I believe Shopify should allow the following:

- Use of 'self'

- Allow https://*.myshopify.com for simpler backends

https://shopify.dev/apps/store/security/iframe-protection

It says it only allows: "The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on."

This seems too strict and basic, as the above offers the same level of security and may be required for some apps.

FreightChick - Automate your Logistics
CartJumper - Ecommerce Automation | Shopify NetSuite Connector
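The requirement quoted from the linked Shopify page is a per-request header: the app has to emit a frame-ancestors directive naming the one shop it is currently embedded on, plus https://admin.shopify.com, and nothing else. The added example below (written for this page, not code from the original post or from Shopify) shows how that is built from the shop parameter an embedded app receives, why the shop value has to be validated before it is echoed into a header, and a checker that tells apart a compliant header from the 'self' https://*.myshopify.com variant the post proposes. The shop-name pattern and the query-parameter name `shop` are assumptions; the point of the per-shop value is that an unrelated store cannot frame the app, which a *.myshopify.com wildcard would permit.

```javascript
// Added example: build and check the per-shop frame-ancestors header described
// on shopify.dev/apps/store/security/iframe-protection. Not Shopify's own code.

// Assumed shop-domain pattern: <name>.myshopify.com, name = letters, digits, hyphens.
const SHOP_RE = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;

// Validate the shop value before it is copied into a response header.
// Rejecting rather than sanitising also stops CR/LF header injection and
// look-alike hosts such as example.myshopify.com.evil.com.
function validateShop(shop) {
  if (typeof shop !== "string" || !SHOP_RE.test(shop)) {
    throw new Error("invalid shop domain");
  }
  return shop.toLowerCase();
}

// Header value for one specific shop: that shop's domain and admin.shopify.com
// may frame the app; no wildcard and no 'self'.
function buildFrameAncestors(shop) {
  const validShop = validateShop(shop);
  return `frame-ancestors https://${validShop} https://admin.shopify.com;`;
}

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// True only when frame-ancestors lists exactly the two required origins for
// `shop`. Extra hosts, wildcards or 'self' make it false.
function cspAllowsEmbeddingOnlyFor(headerValue, shop) {
  const validShop = validateShop(shop);
  const sources = parseCsp(headerValue).get("frame-ancestors");
  if (!sources) return false;
  const required = new Set([`https://${validShop}`, "https://admin.shopify.com"]);
  const seen = new Set(sources.map((s) => s.toLowerCase()));
  if (seen.size !== required.size) return false;
  for (const origin of required) {
    if (!seen.has(origin)) return false;
  }
  return true;
}

// Request handler in the shape used with http.createServer(handler). The
// `shop` query parameter is assumed to carry the embedding shop's domain.
function handler(req, res) {
  const url = new URL(req.url, "http://localhost");
  let header;
  try {
    header = buildFrameAncestors(url.searchParams.get("shop"));
  } catch (e) {
    res.statusCode = 400;
    res.end("bad shop");
    return;
  }
  res.setHeader("Content-Security-Policy", header);
  res.end("ok");
}
```

`cspAllowsEmbeddingOnlyFor` is deliberately strict: it reports the header from the post, `frame-ancestors 'self' https://*.myshopify.com;`, as non-compliant, and it also fails a header that was built for a different shop than the one in the current request, which is the case a review check would catch.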