
CSP Frame Ancestors not allowing 'self' https://*;

Shopify Partner



After submitting an app, it was rejected with CSP not setting frame-ancestors correctly. I believe Shopify should allow the following:


- Use of 'self'

- Allow https://* for simpler backends


Says it only allows "The 'content-security-policy' header should set frame-ancestors https://[shop], where [shop] is the shop domain the app is embedded on."


This seems too strict and basic as the above offers the same level of security and may be required for some apps.

FreightChick - Automate your Logistics
CartJumper - Ecommerce Automation | Shopify NetSuite Connector
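An added example (not part of the original post and not Shopify's code) of emitting the per-shop `frame-ancestors https://[shop]` value the rejection message asks for, with a simplified matcher showing which embedding origins that value and `https://*` admit. It assumes the shop domain arrives as an untrusted string and has the form `<name>.myshopify.com`; `normalizeShop`, `frameAncestorsFor` and `allowsFraming` are hypothetical names.

```javascript
// Added example, not Shopify's code. Assumptions: the shop domain arrives as an
// untrusted string (for instance a `shop` query parameter) and shop domains
// have the form <name>.myshopify.com.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// Returns the validated, lower-cased shop host, or null if it cannot be trusted.
// The anchored pattern also rejects spaces and semicolons, so the value cannot
// smuggle extra directives into the header.
function normalizeShop(input) {
  if (typeof input !== 'string') return null;
  const host = input.trim().toLowerCase();
  return SHOP_RE.test(host) ? host : null;
}

// Builds the value the review message asks for: frame-ancestors https://[shop].
// Without a valid shop, fall back to 'none' so the page cannot be framed at all.
function frameAncestorsFor(shopInput) {
  const shop = normalizeShop(shopInput);
  return shop ? `frame-ancestors https://${shop};` : "frame-ancestors 'none';";
}

// Simplified matcher for the source expressions discussed in the post
// (scheme + exact host, or scheme + "*"). Not a full CSP implementation:
// 'self', ports, paths and subdomain wildcards are not handled.
function allowsFraming(policy, ancestorOrigin) {
  const sources = policy.replace(/;$/, '').split(/\s+/).slice(1);
  const origin = new URL(ancestorOrigin);
  return sources.some((src) => {
    if (src === "'none'") return false;
    const m = /^(https?):\/\/(.+)$/.exec(src);
    if (!m || `${m[1]}:` !== origin.protocol) return false;
    return m[2] === '*' || m[2] === origin.host;
  });
}

// Constructed sample values, for illustration only.
const perShop = frameAncestorsFor('example-store.myshopify.com');
for (const embedder of ['https://example-store.myshopify.com', 'https://unrelated.example']) {
  console.log(embedder, 'per-shop:', allowsFraming(perShop, embedder),
    'https://*:', allowsFraming('frame-ancestors https://*;', embedder));
}
```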