Clickjacking and CSP policy preventing approval #1428
Assignees
Labels
Comments
resistorsoftware
changed the title
|
The reason I mention Webhooks is that when you decorate the CSP code in this App, you might have a params[:shop], or you might not. So is the CSP based on that? Webhooks controller is not the same as Authenticated controller, and yet the App review robot needs both CSP results to be the same? How does that work? |
nelsonwittwer
changed the title
|
#1474 should address the concerns pointed out here, so we are going to close this issue. If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request– see the CONTRIBUTING.md(.github/CONTRIBUTING.md) file for guidelines |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
100% of what I check shows the CSP Policy in place and rendering the right data.
100% of Shopify robot rejects App due to clickjacking and CSP policy.
GET IT TOGETHER SHOPIFY and help us use this App to make Apps that pass the stupid robot test. What are we supposed to be doing here to pass this stupid test?
When I inspect the shop in my browser, the CSP is
When I send a bogus webhook to the App, I also see that. Seems right to me as it matches the documentation. But the robot hates it. WHY????
The text was updated successfully, but these errors were encountered: