App got rejected due to CSP

Hi everyone,
Here is my app, tested with CSP as per the Shopify documentation reference.

app rejected message:

Your primary app listing has 1 issues to fix before you can submit your app for review

  • App must set security headers to protect against clickjacking.
    To prevent clickjacking attacks, your app must set the proper content security policy directive. If your app is not embedded in an Iframe in the Shopify admin, and you are seeing this message, check your app’s settings and make sure it is set to “non-embedded.” If your app is embedded, then we expect the ‘Content-Security-Policy’ header to be frame-ancestors https://admin.shopify.com https://[shop].myshopify.com, where [shop] is dynamically set to the shop domain the app is embedded on.

end of the

content-security-policy:
frame-ancestors https://admin.shopify.com https://xxxxxx.myshopify.com;

end of the line " ; "

Still, the app gets rejected.

As far as I am aware, there shouldn't be a semicolon at the end of the frame-ancestors directive unless you plan on adding another directive, regardless.

1 Like

@garyrgilbert I added the ; at the end of the last line, but it was still rejected.

Is there any way to test that the CSP is correct? The app gets auto-rejected by Shopify's automated testing, I think.

Try this one from google

https://csp-evaluator.withgoogle.com/

3 Likes

@garyrgilbert thanks a lot. Here the CSP is valid, I think.
https://prnt.sc/DE-Pl3sXOnmh

Hey there,

Yep, looks valid to me too. I would reply to the rejection message with that screenshot and see what happens. Was that the only required fix for your app?

Cheers,

Gary

@garyrgilbert this fails in automation testing. I have already contacted the support team.

1 Like

We just got an app delisted because the automated testing said we weren't following the OAuth flow correctly, after the app was published. We made no changes to the app's auth flow, so the automated testing must have gotten a false positive, and now we are trying to get the problem resolved. The app has been delisted for 3 days already.

1 Like

Hi all, here is the solution; it worked for me.
Node.js side CSP code:

res.setHeader('Content-Security-Policy', "frame-ancestors https://admin.shopify.com https://" + req.query.shop + ";");

With this code the app security test successfully passed.

@VigneshQikink @garyrgilbert If you are still facing the issue, you can create a new question and tag me; I will help you.

@VigneshQikink Yes, it passed. You can see in the app history that the app security install and uninstall are done; then your app is valid for CSP.
If the CSP fails, a notice shows on your app dashboard within a short time, like 10-20 min.

1 Like
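The snippet above concatenates the raw ?shop= query parameter straight into the Content-Security-Policy header. Since frame-ancestors is a space-separated source list and ";" ends a directive, an unvalidated shop value can add extra allowed ancestors or even further directives. The following is an added example (not the poster's code and not Shopify's own), showing the naive concatenation beside a validated version that only accepts a *.myshopify.com hostname, plus an Express-style middleware that denies framing when the value is missing or invalid. The middleware signature (req, res, next), the 400 response and the demo() harness are my assumptions for an offline run.

```javascript
// Added example: validated Shopify frame-ancestors header (not the original poster's code).

// The pattern from the post: whatever arrives in ?shop= lands in the header verbatim.
function naiveHeader(shop) {
  return "frame-ancestors https://admin.shopify.com https://" + shop + ";";
}

// Assumption: a shop is a single DNS label followed by .myshopify.com.
const SHOP_DOMAIN = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Returns the header value, or null when the shop parameter is not a bare
// *.myshopify.com hostname (spaces, semicolons, schemes and paths all fail the regex).
function buildFrameAncestors(shop) {
  if (typeof shop !== 'string' || !SHOP_DOMAIN.test(shop)) {
    return null;
  }
  return `frame-ancestors https://admin.shopify.com https://${shop.toLowerCase()};`;
}

// Express-style middleware (assumed to be mounted before the app's routes).
function shopifyCspMiddleware(req, res, next) {
  const shop = req.query && req.query.shop;
  const value = buildFrameAncestors(shop);
  if (value === null) {
    // No valid shop: refuse framing entirely instead of sending a header built from bad input.
    res.setHeader('Content-Security-Policy', "frame-ancestors 'none';");
    res.status(400).send('Missing or invalid shop parameter');
    return;
  }
  res.setHeader('Content-Security-Policy', value);
  next();
}

// Offline harness with a constructed request/response pair; returns what a client would see.
function demo(shopValue) {
  const headers = {};
  const req = { query: { shop: shopValue } };
  const res = {
    statusCode: 200,
    setHeader(name, v) { headers[name.toLowerCase()] = v; },
    status(code) { this.statusCode = code; return this; },
    send() { return this; },
  };
  let nextCalled = false;
  shopifyCspMiddleware(req, res, () => { nextCalled = true; });
  return { status: res.statusCode, csp: headers['content-security-policy'], nextCalled };
}
```

A quick check is to compare naiveHeader() and buildFrameAncestors() on a shop value containing a space or a semicolon: the first silently widens the policy, the second returns null and the middleware answers 400 with frame-ancestors 'none'.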

How is this different than what you showed in your initial screenshot?

I didn't have any issues with the CSP; my solution worked just fine. There is no need for a semicolon unless you have further instructions in the CSP header.