
[Minor][Fix] Replace automatic App Bridge CSP with opt-in helper method#2017

Merged
lizkenyon merged 2 commits intomainfrom
opt-in-strict-csp
Oct 28, 2025

Conversation

@lizkenyon
Contributor

Why?

PR #1997 automatically added the App Bridge script source (https://cdn.shopify.com/shopifycloud/app-bridge.js) to CSP headers for all
apps. This would cause breaking changes:

  • Forcing script-src 'self' breaks inline scripts, including Vite HMR in development

What this PR does

This PR reverts the automatic approach and provides an opt-in helper method instead:

  # config/initializers/content_security_policy.rb
  config.content_security_policy do |policy|
    policy.script_src :self, :unsafe_inline
    ShopifyApp.add_csp_directives(policy)  # Adds App Bridge URL
  end

Benefits:

  • ✅ No breaking changes - apps without CSP continue working
  • ✅ Future-proof - can extend to add more CSP directives

Alternatives Considered

  1. Constant (ShopifyApp::APPBRIDGE_SCRIPT_SRC) - Simple but less convenient, requires manual URL management
  2. Controller concern - Automatic but harder to debug and still faces controller-level CSP replacement issues. In Rails,
    controller-level content_security_policy blocks completely replace application-level CSP configuration, making it impossible to read or
    preserve the developer's application-level settings.

Reviewer's guide to testing

Things to focus on

Checklist

Before submitting the PR, please consider if any of the following are needed:

  • Update CHANGELOG.md if the changes would impact users
  • Update README.md, if appropriate.
  • Update any relevant pages in /docs, if necessary
  • For security fixes, the Disclosure Policy must be followed.
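Added illustration (not the gem's or Rails' code): a plain-Ruby stand-in for ActionDispatch::ContentSecurityPolicy showing the merge behaviour an opt-in helper like `ShopifyApp.add_csp_directives` has to get right. In Rails the `script_src` setter replaces the whole source list, so the helper must read the existing sources and append the App Bridge URL rather than set the directive, and it must leave an app that configured no script-src alone (adding `script-src <cdn>` on its own would block every other script, the breakage this PR avoids). `MiniPolicy` and `add_app_bridge_source` are assumed names for the example.

```ruby
# Added example: minimal stand-in for ActionDispatch::ContentSecurityPolicy
# (assumption, not Rails' or the shopify_app gem's code).
APP_BRIDGE_SCRIPT_SRC = "https://cdn.shopify.com/shopifycloud/app-bridge.js".freeze

class MiniPolicy
  # Symbolic sources mapped the way Rails renders them; raw strings pass through.
  SOURCES = { self: "'self'", unsafe_inline: "'unsafe-inline'", none: "'none'" }.freeze

  attr_reader :directives

  def initialize
    @directives = {}
  end

  # Mirrors the Rails DSL: calling the setter REPLACES the source list.
  def script_src(*sources)
    @directives["script-src"] = sources.map { |s| SOURCES.fetch(s, s.to_s) }
  end

  # Render the header value, e.g. "script-src 'self' https://..."
  def build
    @directives.map { |name, srcs| "#{name} #{srcs.join(' ')}" }.join("; ")
  end
end

# Hypothetical helper (assumption) with the contract the PR describes:
# keep whatever the developer configured, append the App Bridge source once,
# and never introduce a script-src directive the app did not configure.
def add_app_bridge_source(policy)
  existing = policy.directives["script-src"]
  return policy if existing.nil?                              # no script-src: leave untouched
  return policy if existing.include?(APP_BRIDGE_SCRIPT_SRC)   # idempotent on repeated calls
  policy.directives["script-src"] = existing + [APP_BRIDGE_SCRIPT_SRC]
  policy
end

# App that opted in: developer settings survive, App Bridge source is appended.
def configured_header
  policy = MiniPolicy.new
  policy.script_src :self, :unsafe_inline
  add_app_bridge_source(policy).build
end

# App with no CSP configured: the helper is a no-op.
def untouched_header
  add_app_bridge_source(MiniPolicy.new).build
end
```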

Prevents breaking changes from PR #1997 which would force script-src on all apps
Apps using default template (CSP disabled) must continue working without changes.
Only apps explicitly enabling strict CSP should need App Bridge configuration.

Breaking change avoided: PR #1997 automatically added script-src 'self' to all apps,
blocking inline scripts including Vite HMR in development. This reverts to opt-in.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@lizkenyon lizkenyon requested a review from a team as a code owner October 22, 2025 14:11
@lizkenyon lizkenyon merged commit b8ad5d6 into main Oct 28, 2025
7 checks passed
@lizkenyon lizkenyon deleted the opt-in-strict-csp branch October 28, 2025 21:25