Improve embedded requests detection with Sec-Fetch-Dest header

Shopify · Jul 4, 2024 · 34ebfe6 · 34ebfe6
1 parent c625c3b
commit 34ebfe6
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,8 @@ Unreleased
 - Remove old translation keys for `enable_cookies_*`, `top_level_interaction_*` and `request_storage_access_*` [#1865](https://github.com/Shopify/shopify_app/pull/1865)
 - Add invalid id token handling for `current_shopify_domain` method [#1868](https://github.com/Shopify/shopify_app/pull/1868)
 - Keep original path and params when redirecting deep links to embed [#1869](https://github.com/Shopify/shopify_app/pull/1869)
+- Improve embedded requests detection with `Sec-Fetch-Dest` header [#1873](https://github.com/Shopify/shopify_app/pull/1873)
+
 
 22.2.1 (May 6,2024)
 ----------

diff --git a/lib/shopify_app/controller_concerns/token_exchange.rb b/lib/shopify_app/controller_concerns/token_exchange.rb
@@ -64,10 +64,10 @@ def respond_to_invalid_shopify_id_token(error)
       return if performed?
 
       if request.headers["HTTP_AUTHORIZATION"].blank?
-        if missing_embedded_param?
-          redirect_to_embed_app_in_admin
-        else
+        if embedded?
           redirect_to_bounce_page
+        else
+          redirect_to_embed_app_in_admin
         end
       else
         ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
@@ -94,8 +94,8 @@ def redirect_to_bounce_page
       )
     end
 
-    def missing_embedded_param?
-      !params[:embedded].present? || params[:embedded] != "1"
+    def embedded?
+      params[:embedded] == "1" || request.env["HTTP_SEC_FETCH_DEST"] == "iframe"
     end
 
     def online_token_configured?