This repository has been archived by the owner on Nov 30, 2022. It is now read-only.

App must set security headers to protect against clickjacking #1176

Closed
manasirfan opened this issue Jul 27, 2022 · 9 comments

Comments

@manasirfan

manasirfan commented Jul 27, 2022


Expected Behavior

When I review our app from Shopify, it shows this issue before submitting:

There was an error installing your app. The app must be installed to perform the security check. We expected OAuth to be initiated at https://app-security.myshopify.com/admin/oauth/authorize but were redirected to https://mysite.com/login. Your app must request installation immediately after clicking "add app." Apps must request shop access during installation, or reinstallation if the app was previously uninstalled from the shop.

Current Behavior

This is my website. First, the user logs in to our site.
[image]

After login, the user goes to this page, enters the store URL, and fetches the products for the store.

[image]

But I cannot find what the Shopify app requires for approving the app.


Context

* Package Version: v17.1
* Laravel Version: v8.75
* PHP Version: v8.1.5


@manasirfan
Author

Can anyone help me solve this issue?
Thanks in advance.

@enmaboya
Contributor

You can take an implementation from here:
#1178

But it has nothing to do with the package and can be exposed by the application.

@manasirfan
Author

Hi, thanks for the reply.
I am following your steps, but we are changing the vendor file, therefore the changes are not added on live. Please guide me more.
Thanks in advance!

@manasirfan
Author

@enmaboya sir, kindly help me!

@tanseercena

@manasirfan You can check this: #1070 (comment)

I created the same and it fixed the issue.

I hope that this will help you :)

@manasirfan
Author

Hi @tanseercena, I am using the same middleware but it was rejected again. The middleware is used globally. Kindly solve this issue.

// Assumed surrounding context (not shown in the original comment): this is the
// body of a Laravel middleware class. The use statements below are the
// namespaces of a default Laravel app and of osiset/laravel-shopify v17.
use Closure;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Osiset\ShopifyApp\Objects\Values\ShopDomain;

protected const HEADER_FORMAT = 'frame-ancestors %s %s';
protected const ADMIN_SHOPIFY_URL = 'https://admin.shopify.com';

public function handle(Request $request, Closure $next)
{
    $response = $next($request);

    // Only decorate full-page responses; AJAX responses are never framed.
    if ($response instanceof Response && !$request->ajax()) {
        if ($request->has('shop')) {
            // Shop passed explicitly, e.g. during the install/OAuth redirect
            $shopDomain = ShopDomain::fromNative($request->get('shop'));
        } elseif ($request->user() instanceof User) {
            // Authenticated shop: take the domain from the user model
            $shopDomain = $request->user()->getDomain();
        } else {
            // Fall back to whatever the package can infer from the request
            $shopDomain = ShopDomain::fromRequest($request);
        }

        if ($shopDomain instanceof ShopDomain) {
            // Allow framing only by this shop's own admin and admin.shopify.com
            $response->header(
                'Content-Security-Policy',
                sprintf(self::HEADER_FORMAT, 'https://' . $shopDomain->toNative(), self::ADMIN_SHOPIFY_URL)
            );
        }
    }

    return $response;
}
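The header above interpolates a shop domain taken straight from the request into a CSP directive. As an added example (not code from the package or from this thread), here is a stand-alone PHP function that builds the same `frame-ancestors` value but first checks that the value looks like a `*.myshopify.com` host, falling back to `'none'` otherwise; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example, not part of osiset/laravel-shopify. Builds the
// frame-ancestors value used in the middleware above, but only after
// validating the shop value, so a malformed or attacker-supplied ?shop=
// cannot put an arbitrary origin or an extra directive into the header.

const ADMIN_SHOPIFY_URL = 'https://admin.shopify.com';

function isValidShopDomain(string $shop): bool
{
    // Exactly one label of letters, digits and hyphens followed by
    // ".myshopify.com"; no scheme, path, port, spaces or ';' allowed.
    return (bool) preg_match('/^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i', $shop);
}

function frameAncestorsFor(?string $shop): string
{
    if ($shop === null || !isValidShopDomain($shop)) {
        // Unknown or malformed shop: forbid framing entirely rather than
        // emit a header containing an unvalidated origin.
        return "frame-ancestors 'none'";
    }

    return sprintf('frame-ancestors https://%s %s', strtolower($shop), ADMIN_SHOPIFY_URL);
}

// Constructed sample inputs, as they might arrive in the ?shop= parameter.
$samples = [
    'app-security.myshopify.com',
    'evil.example.com',
    "app-security.myshopify.com; script-src 'unsafe-inline'",
    null,
];

foreach ($samples as $shop) {
    printf("%-60s => %s\n", var_export($shop, true), frameAncestorsFor($shop));
}
```

Only the first sample yields a permissive value; the other three all collapse to `frame-ancestors 'none'`.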

@tanseercena

@manasirfan Did you add it in the web middlewares in Kernel.php?

@manasirfan
Author

manasirfan commented Aug 5, 2022

@tanseercena Oops, I added it as another middleware, not in the group. Please check, is it fine now?

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\ContentSecurityPolicy::class,
    ],
];

@Kyon147
Collaborator

Kyon147 commented Aug 26, 2022

We will try and get #1178 into the next release, which should help.
