Console logs are full of new nasty. What is up with that? #1405

Closed
resistorsoftware opened this issue Apr 11, 2022 · 3 comments
@resistorsoftware

> Referrer Policy: Less restricted policies, including ‘no-referrer-when-downgrade’, ‘origin-when-cross-origin’ and ‘unsafe-url’, will be ignored soon for the cross-site request:

So every single JS file using the Shopify App is now emitting this beauty to make things interesting. What is that due to? Any way to calm all that messaging down and ensure we don't burn in the afterlife?

@hannachen
Contributor

👋 Hi @resistorsoftware thanks for reporting this bug. A new content security policy was added to the rails boilerplate app in order to meet our App Store requirements: https://shopify.dev/apps/store/security/iframe-protection

I saw your message in the issue to introduce this change from earlier: #1377, did you encounter this warning message when you added the property manually?

Which browser are you seeing this warning in? Do you receive this warning in all browsers?

@resistorsoftware
Author

Yes. I copied the CSP provided in this repo to see what would happen. So that was when my console filled up with messages about the `default_src`, `object_src`, `script_src` and `style_src` things. All were flagged as bad with `:self` and `:https`.

I then backed off everything by commenting everything out but leaving the policy for frame ancestors.

```ruby
policy.frame_ancestors :https, -> { "https://#{current_shopify_domain} https://admin.shopify.com;" }
```

So that works. The console stopped barking once I shut everything off again. I have never figured out that Rails CSP file, so I guess for now I go back to having it all commented out save for this one line on the frame ancestors.

I only use FF so I have no idea what Safari or Chrome would show...
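As an added example (not code from this issue or from the shopify_app project): a small Ruby sketch of the `frame-ancestors` value the remaining policy line produces, with the shop domain validated before it is interpolated so a malformed value cannot alter the header, plus a checker for whether a given origin would be allowed to frame the app. The `*.myshopify.com` pattern and the function names are assumptions.

```ruby
# Added example, not the shopify_app gem's code. Assumes shop domains look like
# "<shop>.myshopify.com"; anything else is rejected rather than interpolated.
SHOP_DOMAIN_RE = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/i

# Returns the Content-Security-Policy value for the frame-ancestors directive,
# or nil when the domain is not a plausible shop host (so a value such as
# "evil.com; script-src *" never reaches the response header).
def frame_ancestors_csp(shop_domain)
  return nil unless shop_domain.is_a?(String) && shop_domain.match?(SHOP_DOMAIN_RE)
  "frame-ancestors https://#{shop_domain} https://admin.shopify.com;"
end

# Parses a CSP string into [directive, *sources] lists and reports whether the
# policy would let the given origin embed the page. Handles the explicit host
# sources above and the bare "https:" scheme source that the thread's
# `:https` symbol emits; other source forms (wildcards, 'self') are treated
# as non-matching for simplicity.
def framing_allowed?(csp, origin)
  directives = csp.split(";").map(&:strip).reject(&:empty?).map(&:split)
  ancestors = directives.find { |d| d.first == "frame-ancestors" }
  return false unless ancestors          # no directive: browser does not restrict,
                                         # but the app cannot rely on that
  sources = ancestors.drop(1)
  return true if sources.include?("https:") && origin.start_with?("https://")
  sources.include?(origin)
end
```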

@nelsonwittwer
Contributor

The recent CSP features we have merged should have fixed this issue. Let us know if the issues persist!
