
I'm currently working on a Shopify app, and one of their main requirements is to add iframe protection. Here is more info.

Currently, to resolve this, the CSP I need to set should be in this format:

Content-Security-Policy: frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;

The https://shopify-dev.myshopify.com in the above code should be the merchant/requester domain.

What I tried: I created a .htaccess file with the following, but it's not adding the dynamic URL.

<IfModule mod_rewrite.c>
RewriteEngine On
Header set Content-Security-Policy "frame-ancestors '%{HTTP_HOST}' 'https://admin.shopify.com';"
</IfModule>

This is what I'm getting in the console:


Apache

On Apache, you would need to do it like this instead:

### Apache ###

Header set Content-Security-Policy "frame-ancestors https://%{HTTP_HOST}e https://admin.shopify.com;"

Note the e after %{HTTP_HOST}e (specific syntax for mod_headers). I've also removed the single quotes (not present in the Shopify example) and included the https:// protocol.

The <IfModule> and RewriteEngine On directives are irrelevant here.

UPDATE:

LiteSpeed

However, if you are using LiteSpeed (as opposed to Apache) you will instead need to first explicitly assign the Host header to an environment variable and use this in the Header directive instead. (Apache is able to access server variables directly using this syntax, but not LiteSpeed.)

For example:

### LiteSpeed ###

# Assign the "Host" header to an env var "HOSTNAME"
SetEnvIf Host "(.*)" HOSTNAME=$1

# Use "HOSTNAME" (env var) instead in the Header directive
# (the header name must be Content-Security-Policy, not the obsolete X- prefixed form)
Header set Content-Security-Policy "frame-ancestors https://%{HOSTNAME}e https://admin.shopify.com;"

Attempting to use the syntax %{HTTP_HOST} (as you originally had) on Apache would have resulted in a 500 Internal Server Error (with the error "Unrecognized header format %" being reported in the error logs). However, on LiteSpeed this just outputs the literal string {HTTP_HOST} and no error.

  • Thanks @MrWhite for the reply, but it's only printing https, not the full domain. Check the screenshot: https://ibb.co/1GLzXP8 I'm trying to find a solution since yesterday, still failing to solve this – niyamxsept May 21 '22 at 07:15
  • @niyamxsept Ah, I've just noticed you are on LiteSpeed (from your screenshot), not "Apache" (as your question is tagged). On LiteSpeed, you'll first need to assign the `Host` header to an env var and use this instead in the `Header` directive. I've updated my answer. – MrWhite May 21 '22 at 11:02
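Added example, not part of the question or the answer above: whichever server mechanism ends up reflecting the shop host into frame-ancestors (the answer uses the Host header via an env var), the value should be validated against the expected merchant-domain pattern first, because a policy that echoes an arbitrary Host value back grants framing rights to whatever that value names. This Python helper shows that check and the locked-down fallback; the `*.myshopify.com` allowlist pattern and the function names are assumptions for this example.

```python
import re

# Assumed allowlist pattern for a merchant store domain (constructed for this example).
SHOP_HOST_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")

# Static Shopify admin origin from the question's required policy.
ADMIN_ORIGIN = "https://admin.shopify.com"


def shop_origin_from_host(host_header):
    """Return https://<shop>.myshopify.com for a valid shop host, else None.

    Lower-cases the value, strips an optional :port, and rejects anything
    that is not a *.myshopify.com shop domain so an unexpected Host value
    is never copied into the policy.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()
    # Drop an explicit port such as "shop.myshopify.com:443"; bracketed IPv6
    # literals contain several colons, are left alone and fail the regex.
    if host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    if SHOP_HOST_RE.match(host):
        return "https://" + host
    return None


def frame_ancestors_value(host_header):
    """Build the Content-Security-Policy value for the embedded app response."""
    shop = shop_origin_from_host(host_header)
    if shop is None:
        # Unknown or malformed host: refuse framing instead of reflecting it.
        return "frame-ancestors 'none';"
    return f"frame-ancestors {shop} {ADMIN_ORIGIN};"


def csp_header(host_header):
    """Return the (name, value) pair to add to the HTTP response."""
    return ("Content-Security-Policy", frame_ancestors_value(host_header))


if __name__ == "__main__":
    # Constructed sample inputs: a valid shop host and an unrelated host.
    for sample in ("shopify-dev.myshopify.com:443", "attacker.example"):
        print(sample, "->", csp_header(sample)[1])
```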