We are implementing iframe protection according to the following docs:
https://shopify.dev/apps/store/security/iframe-protection
Our app also uses App Bridge modals which are loaded in an iframe by Shopify. But the documentation makes no mention of modals. Must they also implement iframe protection?
It seems that implementing this feature securely is not trivial for modals. In the parent frame we can use Shopify-provided HMAC signature in the URL params, but in the iframe the only way to do this seems to be by appending a token to the modal iframe URL.