Add CSP headers to unauthenticated controller

Shopify · Jul 12, 2022 · 87f0433 · 87f0433
1 parent 52f6d39
commit 87f0433
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased
 ----------
 
+* Set the appropriate CSP `frame-ancestor` directive in controllers using the `EmbeddedApp` concern. [#1474](https://github.com/Shopify/shopify_app/pull/1474)
+
 20.0.2 (July 7, 2022)
 ----------
 

diff --git a/lib/shopify_app.rb b/lib/shopify_app.rb
@@ -37,6 +37,7 @@ def self.use_webpacker?
   # controller concerns
   require "shopify_app/controller_concerns/csrf_protection"
   require "shopify_app/controller_concerns/localization"
+  require "shopify_app/controller_concerns/frame_ancestors"
   require "shopify_app/controller_concerns/itp"
   require "shopify_app/controller_concerns/login_protection"
   require "shopify_app/controller_concerns/ensure_billing"

diff --git a/lib/shopify_app/controller_concerns/embedded_app.rb b/lib/shopify_app/controller_concerns/embedded_app.rb
@@ -4,6 +4,8 @@ module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
 
+    include ShopifyApp::FrameAncestors
+
     included do
       if ShopifyApp.configuration.embedded_app?
         after_action(:set_esdk_headers)

diff --git a/lib/shopify_app/controller_concerns/frame_ancestors.rb b/lib/shopify_app/controller_concerns/frame_ancestors.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module FrameAncestors
+    extend ActiveSupport::Concern
+
+    included do
+      content_security_policy do |policy|
+        policy.frame_ancestors(-> do
+          domain_host = current_shopify_domain || "*.myshopify.com"
+          "https://#{domain_host} https://admin.shopify.com;"
+        end)
+      end
+    end
+  end
+end