Pass values to CSP frame_ancestors as individual arguments

[matoakley]

What this PR does

Rails core has patched a CVE preventing passing a string with whitespace as an argument.

rails/rails@3da2479

This patch passes the arguments individually instead which achieves the same result whilst meeting the new requirements.

Reviewer's guide to testing

There is no change in overall functionality.

Checklist

Before submitting the PR, please consider if any of the following are needed:

• Update CHANGELOG.md if the changes would impact users
• Update README.md, if appropriate.
• Update any relevant pages in /docs, if necessary
• For security fixes, the Disclosure Policy must be followed.

[matoakley]

I have signed the CLA!

[chrisedington]

Thanks @matoakley - effecting me too.

[sle-c]

Thank you for fixing this. I encountered this issue yesterday as I was testing as well.

[sle-c]

although let's fix the test cases, the frame_ancestors config uses a proc to avoid the test case failing I think. Maybe try returning an array instead of a string?

policy.frame_ancestors(-> do
  domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}"
  [
    "#{ShopifyAPI::Context.host_scheme}://#{domain_host}",
    "https://admin.#{::ShopifyApp.configuration.unified_admin_domain}",
  ]
end)

[matoakley]

although let's fix the test cases, the frame_ancestors config uses a proc to avoid the test case failing I think. Maybe try returning an array instead of a string?

policy.frame_ancestors(-> do
  domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}"
  [
    "#{ShopifyAPI::Context.host_scheme}://#{domain_host}",
    "https://admin.#{::ShopifyApp.configuration.unified_admin_domain}",
  ]
end)

Thanks for the feedback @sle-c. I've taken your suggestion on-board and submitted a commit with green tests 🟢

[sle-c]

thanks again for fixing it @matoakley . Merging now!

[resistorsoftware]

Thank you for the fast update!