Iframe protection for embedded app modals

boronine
Shopify Partner

We are implementing iframe protection according to the following docs:

https://shopify.dev/apps/store/security/iframe-protection

Our app also uses App Bridge modals which are loaded in an iframe by Shopify. But the documentation makes no mention of modals. Must they also implement iframe protection?

It seems that implementing this feature securely is not trivial for modals. In the parent frame we can use the Shopify-provided HMAC signature in the URL params, but in the iframe the only way to do this seems to be by appending a token to the modal iframe URL.

Founder and tech lead for Simple Affiliate:
https://apps.shopify.com/simple-affiliate
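
The token approach raised in the post, sketched as an added example that is not part of the original post and is not Shopify's code: the parent-frame request is checked against the `hmac` URL parameter, a short-lived signed token carries the verified shop into the modal URL, and both routes emit the same per-shop `frame-ancestors` value. The secret, the `shop|expiry|signature` token format and all function names are assumptions made for illustration; the HMAC check assumes Shopify's scheme of HMAC-SHA256 over the sorted parameters with `hmac` removed.

```python
import hashlib, hmac, re, time
from urllib.parse import parse_qsl

APP_SECRET = b"constructed-app-secret"  # placeholder; load the real secret from config
SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")

def sign(message: str) -> str:
    return hmac.new(APP_SECRET, message.encode(), hashlib.sha256).hexdigest()

def valid_sig(message: str, supplied: str) -> bool:
    # Constant-time comparison of the expected and supplied hex digests.
    return hmac.compare_digest(sign(message).encode(), supplied.encode())

def shop_from_signed_query(query: str):
    """Parent frame: check Shopify's hmac parameter, return the shop or None."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    supplied = params.pop("hmac", "")
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    shop = params.get("shop", "")
    return shop if valid_sig(message, supplied) and SHOP_RE.match(shop) else None

def mint_modal_token(shop: str, ttl: int = 300, now=None) -> str:
    """Hypothetical token appended to the modal URL: shop|expiry|signature."""
    expiry = int(time.time() if now is None else now) + ttl
    payload = f"{shop}|{expiry}"
    return f"{payload}|{sign(payload)}"

def shop_from_modal_token(token: str, now=None):
    """Modal route: accept only an unexpired token this app signed."""
    parts = token.split("|")
    if len(parts) != 3 or not valid_sig(f"{parts[0]}|{parts[1]}", parts[2]):
        return None
    if int(parts[1]) < (time.time() if now is None else now):
        return None
    return parts[0] if SHOP_RE.match(parts[0]) else None

def csp_header(shop: str) -> str:
    # Content-Security-Policy value scoped to the verified shop and the Shopify admin.
    return f"frame-ancestors https://{shop} https://admin.shopify.com;"
```

The modal route should refuse to render when `shop_from_modal_token` returns `None` rather than fall back to a permissive header.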