Question posted in 
I am trying to make a shopify app with phoenix-framework as the backend. I’ve been following this tutorial to load my app in the shopify admin, and I need to modify x-frame-options header.
This is my plug:
@doc false
def init(opts \ %{}), do: Enum.into(opts, %{})
@doc false
def call(%{params: %{"shop" => shopify_domain}} = conn, _opts) do
IO.puts("++++++++++ Plug Call ++++++++++++++")
IO.inspect(shopify_domain)
# %{"shopify_domain" => shopify_domain_only} = shopify_domain
shop = ShopifyApp.find_shop_by(shopify_domain)
allow_shop_or_halt(conn, shop)
end
def call(conn, _opts), do: conn
defp allow_shop_or_halt(conn, nil), do: Conn.halt(conn)
defp allow_shop_or_halt(conn, shop) do
conn
|> Conn.put_private(:shop, shop)
|> Conn.put_resp_header("x-frame-options", "ALLOW-FROM https://#{shop.shopify_domain}/")
end
But the console in the Chrome browser complains that:
Invalid ‘X-Frame-Options’ header encountered when loading …..:
ALLOW-FROM https://skbeautysupply.myshopify.com/‘ is not a recognized
directive. The header will be ignored.
What am I missing here?
2
Answers
Yes, that’s a documented issue. According to the spec, this does not work in Chrome or Safari. You can do one of two things:
1. Don’t set the
HeaderYou can do this by not using
:put_secure_browser_headersplug in the first place or deletingx-frame-optionsheader (after calling it):2. Use
Content-Security-PolicyThe second option is to specify your domain in
frame-ancestorssources in the CSP headers for full support. You may choose to use bothX-Frame-OptionsandContent-Security-Policyor just CSP:I used NGINX to (un-)set these headers. I’ll post the solution here because it took me a while to figure this out. Releasing a new application version was not an option.
/etc/nginx/sites-enabled/application.xyz.conf
Run
service nginx reloadto enable the change.I know this answer has nothing to do with shopify, but it removes the header from the proxy app (phoenix).