report-to directive of Content-Security-Policy

Topic summary

Main issue: CSP (Content-Security-Policy) violation reports aren’t being delivered from a Shopify embedded app when viewed inside the Shopify admin. The developer set a Reporting-Endpoints HTTP header and used the CSP report-to directive to reference the reporting group, but the reporting endpoint does not receive reports.

Context: The app runs inside the Shopify admin within a cross-origin iframe, which the poster believes is blocking the reporting mechanism. The report-to directive is intended to route CSP violation reports to the endpoint defined in the Reporting-Endpoints header.

Request: Guidance on whether Shopify’s iframe imposes restrictions that prevent CSP reporting, and advice/workarounds to enable CSP violation reporting from an embedded context.

Status: Unresolved. No confirmed causes or solutions provided yet; the poster is seeking clarification on Shopify’s iframe policies and feasible implementation options.

Summarized with AI on December 25. AI used: gpt-5.

Hello, I’m attempting to transmit a CSP violation report via the URL specified in the Reporting-Endpoints HTTP header for the embedded app in the Shopify admin. I am utilizing the report-to directive from the Content-Security-Policy HTTP header to designate the group name for the reporting endpoint.

The issue is that when I access the app within the Shopify admin panel, the reporting endpoint is not functioning due to cross-origin iframe restrictions.

Could you assist me with this and provide insights into any restrictions imposed by Shopify on the iframe?
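Not part of the original post: an added example, in Node-style JavaScript, of the header pair and the collector endpoint a working setup needs, so the pieces described above can be checked one by one. The collector URL `https://app.example.com/csp-reports`, the group name `csp-endpoint` and the shop domain are constructed placeholders; the `frame-ancestors` origins are the Shopify admin origins an embedded app document has to allow and are an assumption here, not something the post states. The sample payloads are constructed, not captured from a browser.

```javascript
// Added example (not from the original post): a Reporting-Endpoints /
// Content-Security-Policy header pair for an embedded app, plus a collector
// that normalises both the Reporting API payload and the legacy report-uri one.
// Endpoint URL, group name and shop domain are constructed placeholders.

const REPORT_GROUP = "csp-endpoint";                       // assumed group name
const REPORT_URL = "https://app.example.com/csp-reports";  // assumed collector URL

// Headers the app document must send. `report-to` is only honoured when the
// same response also carries Reporting-Endpoints naming that group; `report-uri`
// is kept as a fallback for browsers without Reporting API support.
function buildReportingHeaders(shopDomain, group = REPORT_GROUP, url = REPORT_URL) {
  const csp = [
    "default-src 'self'",
    `frame-ancestors https://${shopDomain} https://admin.shopify.com`, // assumed embedding origins
    `report-to ${group}`,
    `report-uri ${url}`,
  ].join("; ");
  return { "Reporting-Endpoints": `${group}="${url}"`, "Content-Security-Policy": csp };
}

// Reduce one violation (either payload shape) to the fields used for triage.
function normalise(body, documentUrl) {
  return {
    document: body.documentURL || body["document-uri"] || documentUrl || "",
    directive: body.effectiveDirective || body["effective-directive"] || body["violated-directive"] || "",
    blocked: body.blockedURL || body["blocked-uri"] || "",
    source: body.sourceFile || body["source-file"] || "",
    line: body.lineNumber ?? body["line-number"] ?? null,
    disposition: body.disposition || "",
  };
}

// Parse a collector request body by content type:
//   application/reports+json -> Reporting API: array of {type, url, age, body}
//   application/csp-report   -> legacy report-uri: {"csp-report": {...}}
function parseCspReports(contentType, rawBody) {
  const data = JSON.parse(rawBody);
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  if (type === "application/reports+json") {
    if (!Array.isArray(data)) throw new Error("reports+json body must be an array");
    return data.filter((r) => r.type === "csp-violation" && r.body).map((r) => normalise(r.body, r.url));
  }
  if (type === "application/csp-report") {
    if (!data["csp-report"]) throw new Error("missing csp-report object");
    return [normalise(data["csp-report"])];
  }
  throw new Error(`unsupported content type: ${type}`);
}

// Minimal collector logic. Reports are posted in CORS mode with a content type
// that is not CORS-safelisted, so a collector on another origin than the app
// document must also answer the preflight, hence the OPTIONS branch.
function handleReportRequest(method, headers, rawBody, sink) {
  const cors = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "POST",
    "Access-Control-Allow-Headers": "Content-Type",
  };
  if (method === "OPTIONS") return { status: 204, headers: cors, accepted: 0 };
  if (method !== "POST") return { status: 405, headers: cors, accepted: 0 };
  try {
    const reports = parseCspReports(headers["content-type"], rawBody);
    reports.forEach((r) => sink.push(r));
    return { status: 204, headers: cors, accepted: reports.length };
  } catch (e) {
    return { status: 400, headers: cors, accepted: 0, error: e.message };
  }
}

// Constructed sample payloads (not captured from a real browser).
const SAMPLE_REPORTS_JSON = JSON.stringify([{
  type: "csp-violation", age: 1200, user_agent: "constructed",
  url: "https://app.example.com/embedded?shop=example-shop.myshopify.com",
  body: {
    documentURL: "https://app.example.com/embedded?shop=example-shop.myshopify.com",
    effectiveDirective: "script-src",
    blockedURL: "https://cdn.third-party.example/widget.js",
    sourceFile: "https://app.example.com/embedded",
    lineNumber: 42, disposition: "enforce", statusCode: 200,
  },
}]);
const SAMPLE_CSP_REPORT = JSON.stringify({
  "csp-report": {
    "document-uri": "https://app.example.com/embedded",
    "violated-directive": "img-src", "effective-directive": "img-src",
    "blocked-uri": "data", "source-file": "https://app.example.com/embedded", "line-number": 7,
  },
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildReportingHeaders("example-shop.myshopify.com"));
  const sink = [];
  console.log(handleReportRequest("POST", { "content-type": "application/reports+json" }, SAMPLE_REPORTS_JSON, sink));
  console.log(handleReportRequest("POST", { "content-type": "application/csp-report" }, SAMPLE_CSP_REPORT, sink));
  console.log(sink);
}
```

Three things to verify against this when reports do not arrive: the `Reporting-Endpoints` header must be present on the very response that carries the `report-to` directive, or the directive is silently ignored; Reporting API delivery is batched and asynchronous, so reports can lag the violation by a minute or more (Chrome's DevTools Application panel has a Reporting API view showing queued reports and endpoint status); and a browser that honours `report-to` ignores `report-uri`, so the fallback only matters for browsers without Reporting API support. The report is sent by the app document itself, so its origin is the app's origin, not the Shopify admin's; a collector on the app's own origin is same-origin with that document.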