From 90840f9b160a3efc3b02da70f4b766f0ddb26501 Mon Sep 17 00:00:00 2001
From: Paulo Margarido <64600052+paulomarg@users.noreply.github.com>
Date: Tue, 12 Jul 2022 09:46:30 -0400
Subject: [PATCH] Add CSP headers to unauthenticated controller
---
 CHANGELOG.md | 2 ++
 lib/shopify_app.rb | 1 +
 .../controller_concerns/embedded_app.rb | 2 ++
 .../controller_concerns/frame_ancestors.rb | 16 ++++++++++++++++
 4 files changed, 21 insertions(+)
 create mode 100644 lib/shopify_app/controller_concerns/frame_ancestors.rb
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f6ef546a..a5f8f655c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased
 ----------
+* Set the appropriate CSP `frame-ancestor` directive in controllers using the `EmbeddedApp` concern. [#1474](https://github.com/Shopify/shopify_app/pull/1474)
+
 20.0.2 (July 7, 2022)
 ----------
diff --git a/lib/shopify_app.rb b/lib/shopify_app.rb
index 5411d794c..4d64219a8 100644
--- a/lib/shopify_app.rb
+++ b/lib/shopify_app.rb
@@ -37,6 +37,7 @@ def self.use_webpacker?
 # controller concerns
 require "shopify_app/controller_concerns/csrf_protection"
 require "shopify_app/controller_concerns/localization"
+ require "shopify_app/controller_concerns/frame_ancestors"
 require "shopify_app/controller_concerns/itp"
 require "shopify_app/controller_concerns/login_protection"
 require "shopify_app/controller_concerns/ensure_billing"
diff --git a/lib/shopify_app/controller_concerns/embedded_app.rb b/lib/shopify_app/controller_concerns/embedded_app.rb
index a1fd12be0..1938f1ac2 100644
--- a/lib/shopify_app/controller_concerns/embedded_app.rb
+++ b/lib/shopify_app/controller_concerns/embedded_app.rb
@@ -4,6 +4,8 @@ module ShopifyApp
 module EmbeddedApp
 extend ActiveSupport::Concern
+ include ShopifyApp::FrameAncestors
+
 included do
 if ShopifyApp.configuration.embedded_app?
 after_action(:set_esdk_headers)
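Review bot: `include ShopifyApp::FrameAncestors` applies the frame-ancestors policy to every controller using this concern, whereas the `included do` block immediately below it gates its own header work on `ShopifyApp.configuration.embedded_app?`; if restricting framing for non-embedded apps as well is intended, a comment stating that would stop a later cleanup from moving the include inside the guard, e.g. `# Applied regardless of embedded_app?: the CSP only limits who may frame the app.` If it is not intended, the concern should be included conditionally alongside the ESDK headers. The `included` block continues past the end of the hunk.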
diff --git a/lib/shopify_app/controller_concerns/frame_ancestors.rb b/lib/shopify_app/controller_concerns/frame_ancestors.rb
new file mode 100644
index 000000000..2f46c916d
--- /dev/null
+++ b/lib/shopify_app/controller_concerns/frame_ancestors.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+ module FrameAncestors
+ extend ActiveSupport::Concern
+
+ included do
+ content_security_policy do |policy|
+ policy.frame_ancestors(-> do
+ domain_host = current_shopify_domain || "*.myshopify.com"
+ "https://#{domain_host} https://admin.shopify.com;"
+ end)
+ end
+ end
+ end
+end
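Review bot: The value returned on the `"https://#{domain_host} https://admin.shopify.com;"` line ends with a literal semicolon, but Rails' content_security_policy builder already joins directives with `; `, so the emitted header very likely contains a doubled or trailing `;`; the line should read `"https://#{domain_host} https://admin.shopify.com"`. The proc is evaluated on the controller, so `current_shopify_domain` must exist on every controller that includes this concern — the commit title mentions an unauthenticated controller, where that helper may not be defined and the first response would raise; documenting that requirement in a module comment, or guarding with `respond_to?(:current_shopify_domain)`, would make the dependency explicit. If `current_shopify_domain` can be derived from request input, the value should pass through `ShopifyApp::Utils.sanitize_shop_domain` (or an equivalent `*.myshopify.com` check) before interpolation, because an unvalidated host here decides which origins may frame the app. The module itself carries no documentation; a comment such as `# Sets the CSP frame-ancestors directive so the app may only be framed by the current shop's admin and admin.shopify.com.` above `module FrameAncestors` would help.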