CSP issue #58
Replies: 3 comments
-
I think this might be due to a recent issue on later versions of Laravel that has stopped the iframe protection from being loaded. There is an upcoming patch for it.
-
Thanks @Kyon147. I also asked Shopify about this and if I use App Bridge Remote Redirect action (instead of window.top.location.href in billing/fullpage_redirect.blade.php) - then it works both for unified and earlier admins. Here's the URL for that thread:
-
Hey @ahartvanyi This is some very good investigation and reply from Shopify. Thanks for sticking with it and I will get a PR out for the fix as I think another person I know is having the same issue.
-
Hey All,
I followed the steps based on the documentation and created an app which I can install to a test store.
My problem is: I created a plan, but no matter what I'm doing, I keep getting the error message Unsafe attempt to initiate navigation for frame with origin 'https://admin.shopify.com' from frame with URL.....
I don't have any custom routes, and I also tried creating a middleware that adds
$response->header('Content-Security-Policy', "frame-ancestors https://{$user->name} https://admin.shopify.com");
with no success. The app is running from my local Ubuntu Apache and served to Shopify via ngrok.
Can you please help me with what I am missing?
UPDATE: the problem only occurs on the new unified admin domains.
Thanks.