Improve embedded requests detection with Sec-Fetch-Dest header

Shopify · Jul 4, 2024 · 490b689 · 490b689
1 parent c625c3b
commit 490b689
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/lib/shopify_app/controller_concerns/token_exchange.rb b/lib/shopify_app/controller_concerns/token_exchange.rb
@@ -64,10 +64,10 @@ def respond_to_invalid_shopify_id_token(error)
       return if performed?
 
       if request.headers["HTTP_AUTHORIZATION"].blank?
-        if missing_embedded_param?
-          redirect_to_embed_app_in_admin
-        else
+        if embedded?
           redirect_to_bounce_page
+        else
+          redirect_to_embed_app_in_admin
         end
       else
         ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
@@ -94,8 +94,8 @@ def redirect_to_bounce_page
       )
     end
 
-    def missing_embedded_param?
-      !params[:embedded].present? || params[:embedded] != "1"
+    def embedded?
+      params[:embedded] == "1" || request.env["HTTP_SEC_FETCH_DEST"] == "iframe"
     end
 
     def online_token_configured?