Pass values to CSP frame_ancestors as individual arguments (#1929)

* Pass values to CSP frame_ancestors as individual arguments Rails core has patched a CVE preventing passing a string with whitespace as an argument. rails/rails@3da2479 This patch passes the arguments individually instead which achieves the same result whilst meeting the new requirements. * Reimplement frame_ancestors proc to fix tests @sle-c has pointed out that the tests rely on the proc and suggests reimplemeting the proc and returning an array. This patch implements the recommendation and achieves the same result.
Shopify · Dec 11, 2024 · e8798eb · e8798eb
1 parent 7411e62
commit e8798eb
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/lib/shopify_app/controller_concerns/frame_ancestors.rb b/lib/shopify_app/controller_concerns/frame_ancestors.rb
@@ -8,7 +8,10 @@ module FrameAncestors
       content_security_policy do |policy|
         policy.frame_ancestors(-> do
           domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}"
-          "#{ShopifyAPI::Context.host_scheme}://#{domain_host} https://admin.#{::ShopifyApp.configuration.unified_admin_domain}"
+          [
+            "#{ShopifyAPI::Context.host_scheme}://#{domain_host}",
+            "https://admin.#{::ShopifyApp.configuration.unified_admin_domain}",
+          ]
         end)
       end
     end