CSP Issue suddenly reappeared #1928

@resistorsoftware

Issue summary

Ruby 3.2 and 3.3 were used
Rails 7.1 through 7.2.2
Shopify App 21 through to 22.4
Shopify API 14.7

Last time I checked all my development Apps were fine and localhost dev was not a problem. yarn dev and I would be happily computing.

So now, all my attempts at doing this are suspiciously failing at the CSP for frame ancestors and I cannot figure out why.

Expected behavior

The CSP emits the same old string it always has and it should work. Obviously I cannot be the only person with the same code everyone has, and yet be victim to a bug in the same code, so I am looking for where all of a sudden, all my code is dying.

Actual behavior

ActionDispatch::ContentSecurityPolicy::InvalidDirectiveError (Invalid Content Security Policy frame-ancestors: "https://hot-oomph.myshopify.com https://admin.shopify.com". Directive values must not contain whitespace or semicolons. Please use multiple arguments or other directive methods instead.)

Steps to reproduce the problem

  1. create a vanilla App to test out the framework
  2. use the ShopifyApp::EnsureHasSession in a controller
    CSP Policy fails

Logs

ActionDispatch::ContentSecurityPolicy::InvalidDirectiveError (Invalid Content Security Policy frame-ancestors: "https://hot-oomph.myshopify.com https://admin.shopify.com". Directive values must not contain whitespace or semicolons. Please use multiple arguments or other directive methods instead.):
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    |
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:338:in `block in validate'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:336:in `each'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:336:in `validate'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:350:in `build_directive'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:325:in `block in build_directives'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:320:in `each'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:320:in `map'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:320:in `build_directives'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:296:in `build'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | actionpack (7.1.5.1) lib/action_dispatch/http/content_security_policy.rb:50:in `call'
19:58:12 │ web-frontend-backend │ 19:58:12 web.1    | rack-session (2.0.0) lib/rack/session/abstract/id.rb:272:in `context'
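
The rule quoted in the error message, as an added example that is not part of the original issue and is not Rails or shopify_app code: each source is passed as its own argument, and a value containing whitespace or a semicolon is rejected because it could add extra sources or a whole new directive to the header. `split_sources` and `build_directive` are hypothetical helpers, and `https://a.example` is a constructed value.

```ruby
# Added example: not code from Rails or shopify_app.
# Mirrors the rule quoted in the error message: a single directive value
# must not contain whitespace or semicolons.
INVALID_SOURCE = /[\s;]/

class InvalidSourceError < ArgumentError; end

# Hypothetical helper: split a legacy space-joined source list into
# individual sources. Semicolons are never split on, because a semicolon
# would start a new directive in the header; such input is rejected below.
def split_sources(value)
  Array(value).flat_map { |v| v.to_s.split(/\s+/) }.reject(&:empty?)
end

# Hypothetical helper: build one directive from separately passed sources,
# refusing any source that could smuggle in extra sources or directives.
def build_directive(name, *sources)
  raise InvalidSourceError, "#{name}: no sources given" if sources.empty?
  sources.each do |source|
    if source.match?(INVALID_SOURCE)
      raise InvalidSourceError, "#{name}: #{source.inspect} contains whitespace or a semicolon"
    end
  end
  "#{name} #{sources.join(' ')}"
end

# The joined value is the one shown in the error message above.
JOINED = "https://hot-oomph.myshopify.com https://admin.shopify.com"

# One joined string as a single argument: rejected, as in the log.
def strict_result
  build_directive("frame-ancestors", JOINED)
rescue InvalidSourceError => e
  e.message
end

# The same origins passed as multiple arguments: accepted.
def fixed_result
  build_directive("frame-ancestors", *split_sources(JOINED))
end

# Constructed input carrying a semicolon: still rejected after splitting.
def injected_result
  build_directive("frame-ancestors", *split_sources("https://a.example; script-src *"))
rescue InvalidSourceError => e
  e.message
end
```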
