Hello,
After submitting an app it was rejected with CSP not setting frame-ancestors correctly. I believe Shopify should allow the following:
- Use of 'self'
- Allow https://*.myshopify.com for simpler backends
https://shopify.dev/apps/store/security/iframe-protection
Says it only allows "The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on."
This seems too strict and basic as the above offers the same level of security and may be required for some apps.
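
The per-shop requirement quoted above, as an added example that is not part of the original post or of any Shopify library: one function builds the header value for a validated shop domain, and another parses a CSP header and lists how its `frame-ancestors` differs from the quoted form. The names `buildCsp` and `auditCsp` and the shop `example-store.myshopify.com` are constructed for illustration.

```javascript
// Added example; function names and the sample shop are illustrative.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Build the header value in the form the quoted documentation describes.
function buildCsp(shop) {
  const host = String(shop).toLowerCase();
  if (!SHOP_RE.test(host)) {
    // Never reflect an unvalidated shop value into a response header.
    throw new Error("invalid shop domain");
  }
  return `frame-ancestors https://${host} https://admin.shopify.com;`;
}

// Parse a CSP header value and report deviations from the per-shop form.
function auditCsp(headerValue, shop) {
  const expected = new Set([`https://${shop}`, "https://admin.shopify.com"]);
  // The first occurrence of a directive is the one that applies.
  const directive = headerValue
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === "frame-ancestors");
  if (!directive) return ["missing frame-ancestors directive"];

  const sources = directive.slice(1);
  const findings = [];
  for (const src of sources) {
    // A wildcard host matches every *.myshopify.com store,
    // not only the one the app is embedded on.
    if (src.includes("*")) findings.push(`wildcard source: ${src}`);
    else if (!expected.has(src)) findings.push(`unexpected source: ${src}`);
  }
  for (const want of expected) {
    if (!sources.includes(want)) findings.push(`missing source: ${want}`);
  }
  return findings;
}
```

Running `auditCsp` on a header that uses `'self'` and `https://*.myshopify.com` returns one finding per deviation, which is a quick way to check a response before resubmitting.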