-
Notifications
You must be signed in to change notification settings - Fork 683
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add CSP headers to unauthenticated controller
- Loading branch information
Showing
4 changed files
with
21 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# frozen_string_literal: true | ||
|
||
module ShopifyApp | ||
module FrameAncestors | ||
extend ActiveSupport::Concern | ||
|
||
included do | ||
content_security_policy do |policy| | ||
policy.frame_ancestors(-> do | ||
domain_host = current_shopify_domain || "*.myshopify.com" | ||
This comment has been minimized.
Sorry, something went wrong. |
||
"https://#{domain_host} https://admin.shopify.com;" | ||
end) | ||
end | ||
end | ||
end | ||
end |
For an embedded app, because
current_shopify_domain
will throw an exception if a JWT token isn't found, this means that this will never benil
and that this line of code will cause an exception.It's is fine when an unauthenticated page of the app is loaded, because then this code won't ever run.
But if a user tries to visit a different page of the app directly (example.myshopify.com/admin/apps/my_app/foo), then this will blow them up. The app will not redirect to load the skeleton and then continue. The user will just encounter a seemingly broken app.