Closed MuzMoth closed 1 year ago
Thanks for the message. We'll be definitely adding this feature. I think it should be released in January.
Was this ever added?
No. I didn't add it to the package as it's not related to the auth itself. We're using this decorator.
```python
from functools import wraps

from django.utils.decorators import method_decorator
from django.views import View


def shopify_embedded_app_csp_header(view_func):
    """
    The header should be used only for embedded apps.
    Mark a view function as being extended by the Content-Security-Policy headers.
    Set the frame-ancestors directive dynamically based on the current shop domain and the Shopify admin domain.
    Read Shopify docs: https://shopify.dev/apps/store/security/iframe-protection
    """

    @wraps(view_func)  # keep the wrapped view's name/docstring for Django introspection
    def wrapped_view(request, *args, **kwargs):
        # Shopify passes the embedding shop as the ?shop=<shop>.myshopify.com query parameter.
        shop_myshopify_domain = request.GET.get("shop")
        response = view_func(request, *args, **kwargs)
        if not shop_myshopify_domain:
            # Not loaded inside the Shopify admin: leave the view's default headers alone.
            return response
        # Allow framing only by the current shop and the Shopify admin (requires Django >= 3.2 for response.headers).
        response.headers[
            "Content-Security-Policy"
        ] = f"frame-ancestors https://{shop_myshopify_domain} https://admin.shopify.com"
        return response

    return wrapped_view


@method_decorator(shopify_embedded_app_csp_header, name="dispatch")
class DashboardView(View):
    pass
```
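A hardened variant of the decorator above, added here as an example rather than code from the thread or the package: it validates the `shop` query parameter against the `[shop].myshopify.com` form before reflecting it into `frame-ancestors`, so a malformed or foreign host never widens the framing policy. The `Request`/`Response` classes are constructed stand-ins for Django's so the snippet runs offline; the shop-handle pattern is an assumption based on the documented shop domain format.

```python
import re
from functools import wraps


# Constructed stand-ins for Django's HttpRequest/HttpResponse (assumption: same attribute names).
class Request:
    def __init__(self, **query):
        self.GET = dict(query)


class Response:
    def __init__(self, body="", status=200):
        self.body, self.status, self.headers = body, status, {}


# Shop handle: letters, digits and hyphens, then the fixed .myshopify.com suffix
# (assumed from the documented "[shop].myshopify.com" form). No scheme, path,
# port or whitespace can pass, so nothing but a Shopify shop host is reflected.
SHOP_DOMAIN_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com")
ADMIN_ORIGIN = "https://admin.shopify.com"


def is_valid_shop_domain(shop):
    return bool(shop) and len(shop) <= 253 and SHOP_DOMAIN_RE.fullmatch(shop) is not None


def frame_ancestors_value(shop):
    """CSP value for a valid shop, or None when the header must not be set."""
    if not is_valid_shop_domain(shop):
        return None
    return f"frame-ancestors https://{shop} {ADMIN_ORIGIN}"


def shopify_embedded_app_csp_header(view_func):
    """Same contract as the thread's decorator, but a present-yet-invalid shop is rejected
    with 400 instead of being copied into the policy, and a missing shop leaves it unset."""

    @wraps(view_func)
    def wrapped_view(request, *args, **kwargs):
        shop = request.GET.get("shop")
        if shop is not None and not is_valid_shop_domain(shop):
            return Response("invalid shop parameter", status=400)
        response = view_func(request, *args, **kwargs)
        value = frame_ancestors_value(shop)
        if value is not None:
            response.headers["Content-Security-Policy"] = value
        return response

    return wrapped_view


@shopify_embedded_app_csp_header
def dashboard(request):
    return Response("dashboard")
```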
App must set security headers to protect against clickjacking. Your app must set the proper frame-ancestors content security policy directive to avoid clickjacking attacks. The 'content-security-policy' header should set frame-ancestors https://[shop].myshopify.com https://admin.shopify.com, where [shop] is the shop domain the app is embedded on.
Can't resolve this issue, please help! [link](https://user-images.githubusercontent.com/96513171/147040700-ef30c7b2-2111-4b7f-b4c3-487b0042636d.jpg)