From f923844393c5bd0c68cbe3a735f9c46a8c520128 Mon Sep 17 00:00:00 2001 From: Liz Kenyon Date: Thu, 12 Feb 2026 15:14:05 -0600 Subject: [PATCH] Deprecate ShopifyApp.add_csp_directives, targeting removal in v24.0.0 The method continues to function but now emits a deprecation warning via ShopifyApp::Logger.deprecated. Updates docs, changelog, and adds a test for the warning. Co-Authored-By: Claude Opus 4.6 (1M context) --- CHANGELOG.md | 1 + docs/shopify_app/content-security-policy.md | 2 ++ lib/shopify_app.rb | 5 +++++ test/shopify_app/csp_helper_test.rb | 9 +++++++++ 4 files changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2708a2c9..8b7478d63 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ Unreleased ---------- - [Patch] Fix sorbet errors in generated webhook handlers +- Deprecate `ShopifyApp.add_csp_directives(policy)` - will be removed in v24.0.0 23.0.1 (December 22, 2025) - Fix engine initialization [#2040](https://github.com/Shopify/shopify_app/pull/2040) diff --git a/docs/shopify_app/content-security-policy.md b/docs/shopify_app/content-security-policy.md index 85b20ff25..ead8f21da 100644 --- a/docs/shopify_app/content-security-policy.md +++ b/docs/shopify_app/content-security-policy.md @@ -11,6 +11,8 @@ For actions that include the `ShopifyApp::FrameAncestors` controller concern, th ## Strict Content Security Policy +> **Deprecated:** The `ShopifyApp.add_csp_directives` helper is deprecated and will be removed in v24.0.0. + If you enable a strict Content Security Policy in your application, you'll need to explicitly allow Shopify's App Bridge script. The gem provides a helper method to make this easy. ### Without Strict CSP (Default) diff --git a/lib/shopify_app.rb b/lib/shopify_app.rb index 310321e4a..b2d400893 100644 --- a/lib/shopify_app.rb +++ b/lib/shopify_app.rb 
@@ -27,6 +27,11 @@ def self.use_webpacker? end def self.add_csp_directives(policy) + ShopifyApp::Logger.deprecated( + "ShopifyApp.add_csp_directives is deprecated and will be removed in v24.0.0.", + "24.0.0", + ) + # Get current script-src directives current_script_src = policy.directives["script-src"] || [] diff --git a/test/shopify_app/csp_helper_test.rb b/test/shopify_app/csp_helper_test.rb index 5f24f98f4..f0f5317fc 100644 --- a/test/shopify_app/csp_helper_test.rb +++ b/test/shopify_app/csp_helper_test.rb @@ -7,6 +7,15 @@ class CspHelperTest < ActiveSupport::TestCase @policy = ActionDispatch::ContentSecurityPolicy.new end + test "emits a deprecation warning" do + ShopifyApp::Logger.expects(:deprecated).with( + "ShopifyApp.add_csp_directives is deprecated and will be removed in v24.0.0.", + "24.0.0", + ) + + ShopifyApp.add_csp_directives(@policy) + end + test "adds App Bridge script source to empty policy" do ShopifyApp.add_csp_directives(@policy)
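Review bot: the new entry in the CHANGELOG.md hunk carries neither a category tag nor a PR link, while the line above it uses `[Patch]` and the 23.0.1 entry links `#2040`. Add the tag and the PR reference for consistency, and say in the entry what strict-CSP users should do instead, since the changelog is where most upgraders will first meet the deprecation.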
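Review bot: the deprecation callout added under "Strict Content Security Policy" in docs/shopify_app/content-security-policy.md names no replacement, and the unchanged paragraph right after it still says "The gem provides a helper method to make this easy", so the section now deprecates and recommends the same helper. Reword that paragraph and document the explicit `script-src` configuration that allows the App Bridge script, so that apps running a strict policy have a supported path and are not tempted to loosen `script-src` or drop the policy when the helper disappears in v24.0.0.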
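Review bot: the message passed to `ShopifyApp::Logger.deprecated` at the top of `add_csp_directives` in lib/shopify_app.rb says what is going away but not what to use instead, and it repeats the version that is already passed as the second argument. Point the message at the documented manual `script-src` setup, and since the call sits before the `# Get current script-src directives` logic, confirm it cannot stop that logic from running, because the commit message promises the method continues to function.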
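Review bot: the new "emits a deprecation warning" test in test/shopify_app/csp_helper_test.rb only sets the `expects(:deprecated)` expectation and never inspects `@policy` after the call, so it would still pass if the method stopped adding directives once the warning is logged. Add an assertion on `@policy.directives["script-src"]` in the same test to pin the "continues to function" promise. The next test shown calls `ShopifyApp.add_csp_directives(@policy)` without stubbing the logger, so consider stubbing `deprecated` in setup to keep the warning out of the rest of the suite.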