I have implemented frame-ancestors content security policy directive but not sure how to test

I have implemented the frame-ancestors content security policy directive but am not sure how to test whether it is implemented correctly. I have also checked the URL via this website: https://securityheaders.com/. It seems fine, but Shopify has rejected my app and sent this message. I am using Laravel in the backend.

Requirements that must be met before initial screening

  1. App must set security headers to protect against clickjacking.
     Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The ‘content-security-policy’ header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.

Hi, have you resolved that? I’m facing the same issue.


Can you please tell me how to set the frame-ancestors content security policy directive?

not resolved yet

Hi, we are using the shopify_app gem for Ruby on Rails. In ApplicationController, we have:

before_action :content_security_headers

And two methods:

def content_security_headers
  # Only document (GET) responses get framed by the Shopify admin, so the
  # header is set on those.
  response.headers['Content-Security-Policy'] = current_domain if request.get?
end

def current_domain
  # Prefer the sanitized ?shop= parameter, then the shop domain from the
  # verified session token, then the stored session.
  domain = (params[:shop] &&
    ShopifyApp::Utils.sanitize_shop_domain(params[:shop])) ||
    request.env['jwt.shopify_domain'] ||
    session[:shopify_domain]

  # Returns the full directive value, not just the domain. Note that if no
  # shop domain could be found, the first source becomes a bare "https://".
  "frame-ancestors https://#{domain} https://admin.shopify.com"
end
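The original question was how to test the directive. Below is an added example, not code from any poster in this thread, that builds the header value from a sanitized shop domain and then verifies a served Content-Security-Policy header the way the requirement above describes (the shop itself plus https://admin.shopify.com, no wildcard). SHOP_DOMAIN_RE and the function names are assumptions.

```ruby
require 'net/http'
require 'uri'

# Assumed shape of a valid shop domain (not taken from Shopify's code).
SHOP_DOMAIN_RE = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/

# Reduce a raw ?shop= value to a bare host and reject anything that is not
# a *.myshopify.com domain, so a crafted parameter cannot add extra ancestors.
def sanitize_shop(shop)
  host = shop.to_s.strip.downcase.sub(%r{\Ahttps?://}, '').sub(%r{/.*\z}, '')
  SHOP_DOMAIN_RE.match?(host) ? host : nil
end

# Header value Shopify's review expects, or nil if the shop is unusable.
def build_csp(shop)
  host = sanitize_shop(shop)
  return nil unless host
  "frame-ancestors https://#{host} https://admin.shopify.com"
end

# Parse a CSP header value into { directive name => [source list] }.
def parse_csp(value)
  value.to_s.split(';').each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name.downcase] = sources if name
  end
end

# True only if frame-ancestors is present, names the shop and the admin
# domain, and contains no 'none' or wildcard source that would change scope.
def frame_ancestors_ok?(csp_value, shop)
  sources = parse_csp(csp_value)['frame-ancestors']
  return false unless sources
  return false if sources.any? { |s| s == "'none'" || s.include?('*') }
  required = ["https://#{shop}", 'https://admin.shopify.com']
  (required - sources).empty?
end

# Request the page with ?shop=, as the embedded admin would, and check the
# header on the actual document response (a header scanner that requests
# the bare URL without the shop parameter can miss a per-shop directive).
def check_url(url, shop)
  uri = URI(url)
  uri.query = URI.encode_www_form(shop: shop)
  res = Net::HTTP.get_response(uri)
  frame_ancestors_ok?(res['Content-Security-Policy'], shop)
end
```

Run `check_url('https://your-app.example/', 'your-store.myshopify.com')` against a staging deployment; a false result means the served header, not the code, is what the reviewer will see.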

Actually, we sent multiple emails to the support team of Shopify with screencasts and screenshots. And at the end of the day, they said that we do have proper content-security-headers. But they haven’t elaborated on why we were rejected during pre-screening. I will keep this post in unresolved status to see if anyone has any ideas on why that could happen.

You ever get this resolved? Did you have to change anything?

Same issue here, was someone able to fix it?

In my case, the problem was on the Shopify side. There is a check in their docs under the “The app is embedded, but isn’t following the expected frame-ancestors guidelines” section:

My app passed the check, so I took multiple screencasts of that check to prove that the app correctly sets the frame-ancestors directive and sent them to Shopify support. It took almost two weeks for them to resolve the issue, but at the end of the day, they agreed that there is no problem with the app.

Hi @PosstackThanh , have you tried to update your app following these instructions?
https://shopify.dev/apps/auth/oauth/update/ruby

Did you ever figure this out? I’m upgrading my (also PHP) apps over the holiday, and I can’t get any partner or dev stores to stick to the admin.shopify.com domain - they all redirect to xyz.myshopify.com.

Thank you thank you thank you. Thought I was going nuts since I couldn’t find that secret sauce anywhere.