Merge pull request #381 from Shopify/fix_csp_headers_express_package

Fixing CSP headers for internal Shopify use

.changeset/few-pans-joke.md

@@ -0,0 +1,5 @@
+---
+'@shopify/shopify-app-express': patch
+---
+
+Fixing CSP header for internal Shopify use

packages/shopify-app-express/src/middlewares/__tests__/csp-headers.test.ts

@@ -15,7 +15,7 @@ const TESTS: {
   [TEST_SHOP, 12345, undefined].forEach((shop) => {
     let expectedCSP = `frame-ancestors 'none';`;
     if (isEmbeddedApp && typeof shop === 'string') {
-      expectedCSP = `frame-ancestors https://${shop} https://admin.shopify.com;`;
+      expectedCSP = `frame-ancestors https://${shop} https://admin.shopify.com https://*.spin.dev;`;
     }
     TESTS.push({shop, isEmbeddedApp, expectedCSP});
   });

packages/shopify-app-express/src/middlewares/__tests__/ensure-installed-on-shop.test.ts

@@ -49,7 +49,7 @@ describe('ensureInstalledOnShop', () => {
       },
     });
     expect(response.headers['content-security-policy']).toEqual(
-      `frame-ancestors https://${TEST_SHOP} https://admin.shopify.com;`,
+      `frame-ancestors https://${TEST_SHOP} https://admin.shopify.com https://*.spin.dev;`,
     );
   });
 

packages/shopify-app-express/src/middlewares/csp-headers.ts

@@ -23,7 +23,7 @@ export function addCSPHeader(api: Shopify, req: Request, res: Response) {
       'Content-Security-Policy',
       `frame-ancestors https://${encodeURIComponent(
         shop,
-      )} https://admin.shopify.com;`,
+      )} https://admin.shopify.com https://*.spin.dev;`,
     );
   } else {
     res.setHeader('Content-Security-Policy', `frame-ancestors 'none';`);