I was able to resolve it. My app.js looks like this -
var app = express();
app.use(cookieParser());
app.use(function (req, res, next) {
var shopurl;
var fa;
if (req.query.shop !== "") {
shopurl = req.query.shop;
fa = `frame-ancestors https://${shopurl} https://admin.shopify.com`;
res.setHeader(
"Content-Security-Policy",
fa
);
}
next();
});
I was using Helmet package before for various security reasons but then I removed it and it started to work.