Shopify App using Laravel keeps getting rejected because of Content Security Policy

Hello everyone,
I'm developing my Shopify app using Laravel and my app keeps getting rejected because of Content Security Policy.

First I used the following code in middleware:

$response = $next($request);
$user = Auth::user();
if ($user) {
    $response->header('Content-Security-Policy', "frame-ancestors https://{$user->name} https://admin.shopify.com");
}
return $response;

It's not adding any header.
But if I use this code:
$response->header('Content-Security-Policy', "frame-ancestors https://{$user->name} https://admin.shopify.com", false);
then instead of adding frame-ancestors next to the existing 'Content-Security-Policy', it duplicated the header, and I see a duplicate 'Content-Security-Policy' in the headers.


Hmm, I’m not 100% sure, but you can try updating your middleware code to modify the existing ‘Content-Security-Policy’ header instead of adding a new one. Here’s an example of how you can do this:

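$response = $next($request);
$user = Auth::user();

if ($user) {
    // Read the current policy value (null when no CSP header has been set yet).
    $csp = $response->headers->get('Content-Security-Policy');
    // Append the frame-ancestors directive to that value.
    $csp .= "; frame-ancestors https://{$user->name} https://admin.shopify.com";
    // set() replaces the header, so only one Content-Security-Policy header is sent.
    $response->headers->set('Content-Security-Policy', $csp);
}

return $response;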

The above should first retrieve the existing ‘Content-Security-Policy’ header value using $response->headers->get('Content-Security-Policy'). Then, it appends the required ‘frame-ancestors’ directive to the existing value. Finally, it sets the modified ‘Content-Security-Policy’ header back to the response using $response->headers->set('Content-Security-Policy', $csp).

This approach should prevent duplicate ‘Content-Security-Policy’ headers and apply the necessary ‘frame-ancestors’ directive to your app.

I hope this helps!
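
Added example, not code from either post above: a helper that merges `frame-ancestors` into an existing policy string by replacing any directive of that name rather than appending, because a browser keeps only the first occurrence of a directive within one policy and enforces every `Content-Security-Policy` header separately. The function name `mergeFrameAncestors`, the `myshopify.com` hostname check and the sample policies are assumptions made for illustration; `$shop` stands in for the thread's `$user->name`.

```php
<?php
// Added example. mergeFrameAncestors() is a hypothetical helper, not a Laravel or Shopify API.

function mergeFrameAncestors(?string $existingCsp, string $shop): string
{
    // Accept only a plain shop hostname (assumed *.myshopify.com), so a stored
    // value cannot carry ';', spaces or CR/LF into the header.
    if (!preg_match('/\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/i', $shop)) {
        throw new InvalidArgumentException('unexpected shop domain');
    }

    $directives = [];
    foreach (explode(';', (string) $existingCsp) as $part) {
        $part = trim($part);
        if ($part === '') {
            continue; // empty segment, e.g. after a trailing ';'
        }
        $name = strtolower(preg_split('/\s+/', $part, 2)[0]);
        // Keep the first occurrence of each directive, as a browser would,
        // and drop any existing frame-ancestors so ours is the only one.
        if ($name !== 'frame-ancestors' && !isset($directives[$name])) {
            $directives[$name] = $part;
        }
    }

    $directives['frame-ancestors'] =
        "frame-ancestors https://{$shop} https://admin.shopify.com";

    return implode('; ', $directives);
}

// Constructed sample policies: none set, one that forbids framing, one with a trailing ';'.
$samples = [
    null,
    "default-src 'self'; frame-ancestors 'none'",
    "default-src 'self'; script-src 'self' https://cdn.shopify.com;",
];
foreach ($samples as $csp) {
    echo mergeFrameAncestors($csp, 'example-store.myshopify.com'), PHP_EOL;
}

// In the middleware from the thread this would be used as:
// $response->headers->set('Content-Security-Policy',
//     mergeFrameAncestors($response->headers->get('Content-Security-Policy'), $user->name));
```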