fix: add preview.admin.shopify.com to CSP frame-ancestors #3156

Draft

gil-- wants to merge 1 commit into main from fix/csp-frame-ancestors-preview-admin

@gil-- (Member) commented Apr 14, 2026

Summary

  • Adds https://*.preview.admin.shopify.com to the CSP frame-ancestors directive across all three framework packages (Remix, Express, React Router)
  • Embedded apps were refusing to load inside admin preview environments because this origin was missing from the allowed framing domains
  • Updates all corresponding test files (7 files total)

Test plan

  • Remix add-response-headers tests pass (4 tests)
  • Express csp-headers tests pass (7 tests)
  • React Router add-response-headers tests pass (1 test)
  • Verify an embedded app loads correctly in a *.preview.admin.shopify.com environment after bumping to this version

🤖 Generated with Claude Code

Embedded apps set a Content-Security-Policy frame-ancestors header that
controls which origins can iframe them. The current list omits
https://*.preview.admin.shopify.com, causing apps to refuse loading
inside admin preview environments.

Add the missing origin to the CSP directive in all three framework
packages (Remix, Express, React Router) and update corresponding tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
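
An added illustration of the framing check described above; it is not code from this pull request or from the Shopify packages. It uses simplified CSP host-source matching, and everything except `https://*.preview.admin.shopify.com` (the shop domain, the `https://admin.shopify.com` entry, the parent hostnames) is a constructed assumption.

```javascript
// Added example. Simplified CSP host-source matching for frame-ancestors:
// scheme and host only (no ports, paths or keywords), one ancestor checked.

// Constructed policies. Only https://*.preview.admin.shopify.com comes from
// the PR; the shop domain and admin.shopify.com entries are assumptions.
const BEFORE =
  "frame-ancestors https://example-shop.myshopify.com https://admin.shopify.com;";
const AFTER =
  "frame-ancestors https://example-shop.myshopify.com https://admin.shopify.com " +
  "https://*.preview.admin.shopify.com;";

function parseFrameAncestors(headerValue) {
  for (const directive of headerValue.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent: CSP does not restrict framing
}

function hostSourceMatches(source, origin) {
  const m = /^(https?):\/\/([^/:]+)$/i.exec(source);
  if (!m) return false; // not a plain scheme://host source
  const url = new URL(origin);
  if (url.protocol !== m[1].toLowerCase() + ":") return false;
  const pattern = m[2].toLowerCase();
  const host = url.hostname.toLowerCase();
  // "*.a.com" matches any host ending in ".a.com", never bare "a.com".
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function canFrame(headerValue, parentOrigin) {
  const sources = parseFrameAncestors(headerValue);
  if (sources === null) return true;
  return sources.some((s) => hostSourceMatches(s, parentOrigin));
}

// Constructed parent origins (hypothetical hostnames).
const checks = [
  "https://pr-1234.preview.admin.shopify.com",
  "https://preview.admin.shopify.com",
  "https://preview.admin.shopify.com.lookalike.example",
].map((o) => ({ origin: o, before: canFrame(BEFORE, o), after: canFrame(AFTER, o) }));
console.table(checks);
```

The wildcard source covers subdomains of `preview.admin.shopify.com` but not that bare host, so a parent served from the exact host would need its own entry.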