Only allow authenticated shops to frame your app domain

Your app must set the frame-ancestors directive of the Content-Security-Policy header to prevent clickjacking attacks. To read more about clickjacking attacks and common examples, you can visit PortSwigger's Web Security Academy or the OWASP Clickjacking page.

If we can't detect the frame-ancestors content security policy when we review your app, or if the policy is set incorrectly, then your app will be rejected. You'll be required to correctly set the frame-ancestors content security policy before submitting your app for another review.

If your app is an embedded app, set the frame-ancestors directive to the current shop domain only, so that the app can be framed only within that shop's admin. The shop domain usually arrives as a request parameter, so validate it against the expected shop-domain format before placing it in the header rather than echoing it verbatim; otherwise an attacker can supply a domain of their own and re-enable framing. If your app is not embedded, set the directive to 'none' (with the quotes; an unquoted none is parsed as a host name), which disallows all framing. To learn more about the frame-ancestors directive, refer to MDN Web Docs.
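As an added example (not code from this page or from Shopify), the following shows how an app server could build the header value described above. It assumes the shop domain arrives in a `shop` query parameter, that a valid shop domain has the form `<store>.myshopify.com`, and an Express-style `(req, res, next)` middleware signature; the sample inputs at the bottom are constructed.

```javascript
// Added example, not code from the page or from Shopify. Assumes the shop
// domain arrives in a `shop` query parameter and that a valid shop domain
// has the form <store>.myshopify.com (both are assumptions of this example).

// Strict allow-list for the shop host: lowercase alphanumerics and hyphens,
// then the literal suffix. Anything else (spaces, extra hosts, schemes,
// path characters, a longer suffix) is rejected so it can never be spliced
// into the directive.
const SHOP_HOST = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

const DENY_ALL = "frame-ancestors 'none'";

// Return the Content-Security-Policy value for one response.
// embedded=false: the app is never framed, so always 'none'.
// embedded=true:  allow only the validated shop host; a missing or malformed
//                 shop value falls back to 'none' rather than dropping the
//                 directive, because a missing directive allows any framer.
function frameAncestorsFor(shop, { embedded = true } = {}) {
  if (!embedded || typeof shop !== 'string') return DENY_ALL;
  const host = shop.trim().toLowerCase();
  if (!SHOP_HOST.test(host)) return DENY_ALL;
  return `frame-ancestors https://${host}`;
}

// Express-style middleware (signature assumed; no framework is imported so the
// file runs stand-alone). Sets the header on every response that passes
// through it, including error responses, which can be framed too.
function cspMiddleware(options = {}) {
  return function (req, res, next) {
    const shop = req.query ? req.query.shop : undefined;
    res.setHeader('Content-Security-Policy', frameAncestorsFor(shop, options));
    next();
  };
}

// Run the middleware against a constructed request/response pair and return
// the header it set, so the behaviour can be checked without a server.
function headerForRequest(query, options = {}) {
  const headers = {};
  const req = { query };
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  cspMiddleware(options)(req, res, () => { nextCalled = true; });
  return nextCalled ? headers['Content-Security-Policy'] : undefined;
}

// Constructed inputs: a legitimate shop, an attacker-supplied host, a
// look-alike suffix, and an attempt to smuggle a second source into the
// directive. Only the first one is allowed to frame the app.
const samples = [
  'example-store.myshopify.com',
  'evil.example',
  'example-store.myshopify.com.evil.example',
  'a.myshopify.com https://evil.example',
];
for (const shop of samples) {
  console.log(JSON.stringify(shop), '->', headerForRequest({ shop }));
}
console.log('non-embedded ->',
  headerForRequest({ shop: 'example-store.myshopify.com' }, { embedded: false }));
```

The fallback to 'none' on bad input is deliberate: an app that silently omitted the directive when the `shop` value failed validation would be framable by any origin, which is exactly the condition the review checks for.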