Configuring CSP for iframe protection

d-llon · February 7, 2025, 4:04pm

Background & Architecture

I am the developer of an embedded app. One key difference between the Shopify remix template and my app is that I have a multi process architecture.

Vite / Vue SPA frontend hosted as a static site
Django / DRF backend API

On the Shopify admin panel, my static site is embedded by the app surface iframe, where once loaded, my static site calls my API.

It is my goal to set up a Content Security Policy (CSP) for iframe protection as outlined here:

My Problem

The requirements state:

Set the frame-ancestors directive dynamically based on the current shop domain and the Shopify admin domain . Setting this directive guarantees that your app can be framed only within the shop admin.

However, my frontend is hosted statically so I cannot know the current shop domain on initial load. How can I correctly set frame-ancestors with this architecture? has anyone experienced a similar issue?

JordanFinners · February 8, 2025, 4:29pm

Hey,

I use a similar architecture; my security headers look like below.
Ended up wildcarding the frame accessors to *.myshopify.com which isn’t actually used anymore ( i don’t believe) but at the time it was storeID.myshopify.com.
They now use admin.shopify.com, so I added that.
Hope it helps, love this architecture!

  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  X-DNS-Prefetch-Control: off
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Referrer-Policy: same-origin
  Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(),payment=(), usb=()
  Server: pimsical
  Content-Security-Policy: default-src 'none'; script-src 'self' https://cdn.shopify.com; img-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; font-src 'self'; base-uri 'self'; form-action 'none'; frame-ancestors 'self' https://*.myshopify.com https://admin.shopify.com; manifest-src 'self'; frame-src 'self'; media-src 'self';

d-llon · February 8, 2025, 4:41pm

Hey Jordan!

Thank you so much for chiming in here. I will give your solution a shot and follow up in this thread if I run into any issues.

Much appreciated

JordanFinners · February 8, 2025, 4:46pm

No problem
Could you link to this from your other comment where you asked about this on a thread about separating your Shopify UI from API please
Just for consistency, incase someone finds that one but not this post

Topic		Replies	Views
Shopify app architecture question Built for Shopify	1	21	March 3, 2025
Unable to use defer to optimize LCP for BFS Built for Shopify	2	65	January 30, 2025
How to Restrict Access-Control-Allow-Origin to My Domain in Shopify? Partner Discussions app-store , dev-stores	4	54	February 28, 2025
How to decouple frontend and backend in Embedded App? Partner Discussions	3	45	February 8, 2025
Third level domain and shopify Partner Discussions dev-stores	5	33	December 5, 2024

Configuring CSP for iframe protection

Background & Architecture

My Problem

Related topics