Add CSP headers to unauthenticated controller #1474
@paulomarg did you already test if this PR passes the app submission security robot? I tried a similar approach and it didn't pass it, sadly there's no further information or details provided in the rejection email. Update: seems like it passes 👍 (no rejection by the robot yet for over 1 hour), thanks!

@luigi-zarrelli-latori Do you mind sharing the name of the app used? We would also like to double check to guarantee that the checks are passing. And thank you for testing! 🙏
```ruby
# frozen_string_literal: true

# Controller concern that restricts which origins may frame the embedded app.
module EmbeddedAppFrameAncestors
  extend ActiveSupport::Concern

  included do
    content_security_policy do |policy|
      # The lambda is evaluated per request in the controller context, so the
      # frame-ancestors directive is limited to the current shop's domain plus
      # the Shopify admin. Rails adds the directive separators itself, so the
      # value must not carry a trailing semicolon.
      policy.frame_ancestors(-> { "https://#{current_shopify_domain} https://admin.shopify.com" })
    end
  end
end
```
Oh sorry, I think I misunderstood you @bernardoamc. Tax Exempt Manager 2 is the name of the app.

@luigi-zarrelli-latori Thank you, I can confirm that your app passed the check! 🎉
What this PR does

As per #1389 (comment), in a different attempt at adding CSP headers, we should make sure to only include the `frame-ancestors` directive on requests that are actually for embedded apps. This PR attempts to solve that problem using the suggested lambda approach from the Rails docs and creating a controller concern specifically for this purpose, which is also included in the existing `EmbeddedApp` concern, so that controllers marked as embedded app ones are always setting the appropriate value for that directive.

Reviewer's guide to testing

If you use a local clone of this gem in an app created with the CLI's ruby template, you should see this header in the document request for `/` when loading the app within the admin:

Things to focus on

Checklist

Before submitting the PR, please consider if any of the following are needed:
- `CHANGELOG.md` if the changes would impact users
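The per-request `frame-ancestors` logic described above, modelled in plain Ruby as an added example (not code from this PR or the gem) so it can be run without Rails. It assumes two hypothetical helpers, `frame_ancestors_sources` and `csp_for_request`; the choice to fall back to the Shopify admin origin alone when the shop domain is missing or malformed is this example's own, not the PR's.

```ruby
# Added example: derive the frame-ancestors value from the current shop domain
# on each request, emit it only for embedded-app requests, and show the header
# Rails would assemble (directives joined with "; ", so no trailing ";" in the
# source value). Names and the fallback policy are assumptions for this example.
SHOP_DOMAIN = /\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/
ADMIN_ORIGIN = "https://admin.shopify.com"

# Returns the list of allowed framing origins, or nil when the request is not
# for an embedded app (in which case no frame-ancestors directive is set).
def frame_ancestors_sources(shop_domain, embedded: true)
  return nil unless embedded
  # Only a syntactically valid *.myshopify.com host is echoed into the header;
  # anything else (nil, another domain, a value carrying extra CSP sources)
  # falls back to the admin origin alone (assumed fallback for this example).
  return [ADMIN_ORIGIN] unless shop_domain&.match?(SHOP_DOMAIN)
  ["https://#{shop_domain}", ADMIN_ORIGIN]
end

# Joins directives the way a CSP header is serialised: "name src src; name src".
def csp_header(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Builds the full header for one request; default-src stands in for whatever
# the app's global policy already contains.
def csp_for_request(shop_domain, embedded:)
  directives = { "default-src" => ["'self'"] }
  sources = frame_ancestors_sources(shop_domain, embedded: embedded)
  directives["frame-ancestors"] = sources if sources
  csp_header(directives)
end

if __FILE__ == $PROGRAM_NAME
  puts csp_for_request("my-shop.myshopify.com", embedded: true)
  puts csp_for_request(nil, embedded: false)
end
```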