Hello,
After submitting an app, it was rejected with CSP not setting frame-ancestors correctly. I believe Shopify should allow the following:
- Use of 'self'
- Allow https://*.myshopify.com for simpler backends

https://shopify.dev/apps/store/security/iframe-protection
says it only allows: "The 'content-security-policy' header should set frame-ancestors **https://[shop].myshopify.com https://admin.shopify.com**, where [shop] is the shop domain the app is embedded on."
This seems too strict and basic, as the above offers the same level of security and may be required for some apps.
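
The per-shop header that the quoted documentation describes, as an added example that is not part of the original post and is not Shopify's code. The function names, the hostname pattern and the sample shop `example-store.myshopify.com` are assumptions made for illustration.

```javascript
// Added example: build and check the per-shop frame-ancestors header.
// SHOP_HOST is an assumed pattern for shop hostnames, not an official rule.
const SHOP_HOST = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Returns the CSP header value for one shop, or null when the shop value
// is not a plain *.myshopify.com hostname (it usually arrives as request
// input, so it must be validated before it is reflected into a header).
function frameAncestorsFor(shop) {
  if (typeof shop !== "string" || !SHOP_HOST.test(shop)) return null;
  return `frame-ancestors https://${shop.toLowerCase()} https://admin.shopify.com;`;
}

// Checks a header value against the requirement quoted above: exactly the
// shop's own origin plus https://admin.shopify.com, nothing broader.
function checkHeader(headerValue, shop) {
  const directive = headerValue
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (!directive) return { ok: false, reason: "frame-ancestors missing" };

  const sources = directive.slice(1).map((s) => s.toLowerCase());
  const expected = [`https://${shop.toLowerCase()}`, "https://admin.shopify.com"];
  const extra = sources.filter((s) => !expected.includes(s));
  const missing = expected.filter((s) => !sources.includes(s));
  if (extra.length) return { ok: false, reason: `unexpected source: ${extra[0]}` };
  if (missing.length) return { ok: false, reason: `missing source: ${missing[0]}` };
  return { ok: true, reason: "matches documented policy" };
}

// Constructed sample values, not taken from a real app.
const shop = "example-store.myshopify.com";
const candidates = [
  frameAncestorsFor(shop),
  "frame-ancestors https://*.myshopify.com https://admin.shopify.com",
  `frame-ancestors 'self' https://${shop} https://admin.shopify.com`,
  "default-src 'self'",
];
for (const value of candidates) {
  console.log(checkHeader(value, shop).reason, "<-", value);
}
```
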