Why is the frame-ancestors value rejected for multiple Shopify shops?

Hello!

We added frame-ancestors as required on https://shopify.dev/apps/store/security/iframe-protection

We return the values https://.myshopify.com and admin.myshopify.com to ensure that only shopify shops and admin works. But it got reject, do someone knows why? Does shopify requires to return only the requested shop domain? Does the wildcard domain https://.myshopify.com is not valid for shopify?

There’s no information in the documentation, and returning a wildcard domain is a valid response. So we don’t know what happened. Do you have any recommendations?

Thanks for any help.

I’m running into the same issue. We can’t add every Shopify store URL in that field so confused how to fix this.

I have the same issue as well. App got rejected, are wildcards not allowed?

I restricted it using next-csp to the two URLs they suggest in review (admin and their test Shopify store) but it still got rejected. I’m so confused.

I think you need to add also any store that has installed the app. Not only their testing store because they use multiple.

I read on slack that wildcards are not supported it must be the exact domain of the store.

Hey @Webdibs any updates on this? Were you able to fix it on your end?

I already did add the store urls that have installed the app but I still got rejected.

@Shopify_77 any updates on this? Any tips on how to set frame-ancestors dynamically?

Shopify replied me that they want to see only their requested website plus admin.shopify.com.

They don’t want to see a list of all applications nor wildcards. Just requested shop’s domain and admin.shopify.com

Personally I added middleware to server, where I am getting shop url from request headers, and add this to response csp. Just resubmitted the app, will see if that works out. Those instructions Shopify included are way too short, not sure if they require this frame-ancestors during installation process as well or what. Would appreciate more info on that from Shopify

Just add middleware which populates required header. It worked for me.

How to solve this problem? Can you elaborate on the solution?

We got our application approved, we needed to reply for each request the requested shop’s domain and admin.shopify.com, for example, if example-store.myshopify.com does a request to our app. We reply with:

frame-ancestors: example-store.myshopify.com admin.shopify.com

But if shop2.myshopify.com does a request the value will be:

frame-ancestors: shop2.myshopify.com admin.shopify.com

We solved by using a middleware in PHP that returned those headers depending on requested site.

In which file you have added the code ?
I have tried this syntax
header(“Content-Security-Policy: frame-ancestors https://”.$_SESSION[‘shop’]."myshopify.com https://admin.shopify.com;");

can you please let me the steps.?

@Sinhaneil you have to add that in the headers. If you check the http headers on the browser and these values appear, it means that it’s ok.

Hi, thanks for this very useful answer. Did you have to set this response’s header for ALL the responses sent to shops? Even for assets (css, js, pictures, etc.) or only for html content displayed on the shop’s side via an iframe?

I think only for the HTML. Since this avoid faking the iframe and point it to another HTML file and display a different app.