Issue: An embedded Shopify app (PHP/Symfony + React) attempts to redirect to the RecurringApplicationCharge confirmation page when no active charge exists, but shows a blank screen and a browser error citing Content Security Policy (CSP) frame-ancestors blocking admin pages from being iframed.
Key details:
App flow: Admin → app loads in iframe → app responds with 302 to charge confirmation → browser blocks with CSP error (“Refused to load … does not appear in the frame-ancestors directive”).
CSP: A security policy that restricts what can be framed; Shopify admin billing/ auth pages cannot be displayed inside the embedded iframe.
Proposed approach:
Initiate billing via a full-page (top-level) redirect instead of an iframe redirect.
Frontend requests backend to create the charge, backend returns the confirmation URL, frontend sets window.top.location.href to that URL (code snippet provided).
Recent update/complication:
Another user reports that attempting window.top.location.href from the embedded context triggers a browser error: unsafe top-level navigation without a user gesture and cross-origin restrictions, resulting in a DOMException.
Status:
No confirmed resolution yet. Open question: how to reliably navigate from an embedded app to the charge confirmation page without violating CSP or cross-origin/navigation gesture requirements.
I am creating a new app using PHP (Symfony) and React, taking inspiration from the Laravel APP located at https://github.com/Shopify/shopify-app-template-php. However, I am facing a specific issue and do not have any idea what the problem might be.
When I click on the URL in the console after calling npm run dev, everything works great and I am redirected to the Shopify Charge Confirmation page. However, the problem occurs when I open the app in the Admin panel, and the current installation does not have an active charge. Then I notice a strange behavior:
I can see an empty page (my app is not loaded) and an error in the console: “Refused to load https://xyz.myshopify.com/admin/auth/login because it does not appear in the frame-ancestors directive of the Content Security Policy.”
The issue you’re experiencing is related to Shopify’s Content Security Policy (CSP). When you try to load the charge confirmation page within the Shopify admin panel, it’s being blocked due to the CSP restrictions.
To fix this issue, you should handle the billing process in a way that it opens in a new window or a full-page redirect, rather than within the embedded app frame.
When the app is loaded and you detect that there’s no active charge, send a message from the app frontend (React) to the backend (PHP Symfony) to initiate the billing process.
In your PHP Symfony backend, create a route that handles the billing process. This route should redirect the user to the charge confirmation page with a full-page redirect, instead of returning a 302 redirect.
In your React frontend, listen for the response from the backend and use the window.top.location.href property to perform the full-page redirect. This will open the charge confirmation page in the parent window, bypassing the CSP restrictions.
// Receive the response from your backend containing the charge confirmation URL
const chargeConfirmationUrl = response.data.url;
// Perform the full-page redirect
window.top.location.href = chargeConfirmationUrl;
You can avoid the CSP issue with this approach and allow users to see the charge confirmation page without any errors.