From e8798ebbe802adc9edecf9c4f6f2c001efbdc2bf Mon Sep 17 00:00:00 2001 From: Matt Oakley Date: Wed, 11 Dec 2024 14:40:41 +0000 Subject: [PATCH] Pass values to CSP frame_ancestors as individual arguments (#1929) * Pass values to CSP frame_ancestors as individual arguments Rails core has patched a CVE preventing passing a string with whitespace as an argument. https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a This patch passes the arguments individually instead, which achieves the same result whilst meeting the new requirements. * Reimplement frame_ancestors proc to fix tests @sle-c has pointed out that the tests rely on the proc and suggests reimplementing the proc and returning an array. This patch implements the recommendation and achieves the same result. --- lib/shopify_app/controller_concerns/frame_ancestors.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/shopify_app/controller_concerns/frame_ancestors.rb b/lib/shopify_app/controller_concerns/frame_ancestors.rb index 22fc325ca..168794b04 100644 --- a/lib/shopify_app/controller_concerns/frame_ancestors.rb +++ b/lib/shopify_app/controller_concerns/frame_ancestors.rb @@ -8,7 +8,10 @@ module FrameAncestors content_security_policy do |policy| policy.frame_ancestors(-> do domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}" - "#{ShopifyAPI::Context.host_scheme}://#{domain_host} https://admin.#{::ShopifyApp.configuration.unified_admin_domain}" + [ + "#{ShopifyAPI::Context.host_scheme}://#{domain_host}", + "https://admin.#{::ShopifyApp.configuration.unified_admin_domain}", + ] end) end end
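Review bot: Splitting the two sources into array elements removes the literal space that Rails now rejects, but the first element still interpolates `current_shopify_domain` unchanged, so the same Rails check this patch is working around will fire on any shop value that contains whitespace or a `;`; since the commit message says the upstream fix rejects such strings, a request carrying a malformed shop would now make the CSP builder raise for that request instead of the value being quietly concatenated into the header as before. Please confirm `current_shopify_domain` is validated against the expected `*.myshopify_domain` shape before it reaches this proc, or fall back to the `"*.#{::ShopifyApp.configuration.myshopify_domain}"` wildcard when it is not, and add a test that feeds a domain with an embedded space (and one with a `;`) through the concern to pin down the chosen behaviour. The diff stat shows only `frame_ancestors.rb` changed, yet the second commit message says the tests depend on the proc: the test that asserts the rendered `frame-ancestors` directive now contains both the shop origin and the `https://admin.` origin joined by a single space, and a CHANGELOG line noting the Rails compatibility fix, should ship in the same PR so reviewers can see the array form is covered.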