Reject due to not proper frame-ancestors policy directive but app returns right headers

OleksiiWheat
Shopify Partner
8 0 6


Hi all, my app is getting rejected due to an improper frame-ancestors content security policy directive. But the app returns the right headers; I've checked that via the recommended way in the Shopify docs (troubleshooting section). Moreover, after the first rejection, I fixed the issue and passed prescreening. After a rejection for another reason, prescreening rejected the app due to "not proper frame-ancestors" one more time.


The reply:
Requirements that must be met before the initial screening

App must set security headers to protect against clickjacking.
Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.


Every response to a GET request has the following:

content-security-policy: frame-ancestors https://{shop.domain}.myshopify.com https://admin.shopify.com

{shop.domain} is set to the right store domain. I've tested that on multiple stores.


Any ideas why is that happening?

Docs

Replies 5 (5)

maxwhite
Shopify Partner
14 0 5

We do have exactly the same issue with Shopify.

Our app has been rejected 3 times for this frame-ancestors issue despite having it on all app pages, including the redirect page. It might be an issue in the Shopify review automation system, and it rejects all apps. I've provided a video to Shopify support with proof that it works but haven't received an answer from them. Have you checked that your app is embedded? In your case it should be public and embedded.

maxwhite
Shopify Partner
14 0 5

Did you solve this ?

OleksiiWheat
Shopify Partner
8 0 6

Hi Max, sorry for the late reply. I'm from Ukraine and just received an opportunity to spend some time on the project.

Our app is indeed embedded and public. Moreover, we have correct frame-ancestors headers on all of our pages and redirects, in line with the Shopify docs. The Shopify support team now says that there is some issue with third-party cookies, but we don't have them. Currently, we're waiting for clarification from Shopify, because all of that doesn't make sense to me at all.

maxwhite
Shopify Partner
14 0 5

Hi Oleksii,

I'm from Ukraine too, Dnipro.

Hope your city wasn't under attack. Be safe!

I changed the settings for the app. In App Setup -> Embedded app -> Manage:

"Your app is not embedded in Shopify admin" - Disable.

Then I tried to send the app to review, and it wasn't rejected by the automatic system.

It seems that this helped, but I'm waiting for the manual review from the Shopify team.

OleksiiWheat
Shopify Partner
8 0 6

Hi Max, all is well here. Stay strong and safe!
Thanks, I will try that. As for the reply from Shopify, I'm still waiting for it.