Pass values to CSP frame_ancestors as individual arguments (#1929)

* Pass values to CSP frame_ancestors as individual arguments

Rails core has patched a CVE preventing passing a string
with whitespace as an argument.

rails/rails@3da2479

This patch passes the arguments individually instead
which achieves the same result whilst meeting the new
requirements.

* Reimplement frame_ancestors proc to fix tests

@sle-c has pointed out that the tests rely on the proc
and suggests reimplemeting the proc and returning an array.

This patch implements the recommendation and achieves the
same result.

Author: matoakley

lib/shopify_app/controller_concerns/frame_ancestors.rb

@@ -8,7 +8,10 @@ module FrameAncestors
       content_security_policy do |policy|
         policy.frame_ancestors(-> do
           domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}"
-          "#{ShopifyAPI::Context.host_scheme}://#{domain_host} https://admin.#{::ShopifyApp.configuration.unified_admin_domain}"
+          [
+            "#{ShopifyAPI::Context.host_scheme}://#{domain_host}",
+            "https://admin.#{::ShopifyApp.configuration.unified_admin_domain}",
+          ]
         end)
       end
     end