Questions and discussions about using the Shopify CLI and Shopify-built libraries.
After submitting an app it was rejected with CSP not setting frame-ancestors correctly. I believe shopify should allow the following:
- Use of 'self'
- Allow https://*.myshopify.com for simpler backends
Says it only allows " The 'content-security-policy' header should set frame-ancestorshttps://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on."
This seems too strict and basic as the above offers the same level of security and may be required for some apps.