Shopify App handles Rails' configuration for Content-Security-Policy Header when the ShopifyApp::FrameAncestors controller concern is included in controllers. This is tyipcally done by including the ShopifyApp::Authenticated controller concern rather that directly including it.
For actions that include the ShopifyApp::FrameAncestors controller concern, the following hosts are added to the Content-Security-Policy header as per the store requirements:
current_shopify_domain||"*.myshopify.com"if current shopify domain isn't present- "https://admin.shopify.com"