How can I add the current URL to the .htaccess CSP header dynamically?
I'm currently working on a Shopify app; one of their main requirements is to add iframe protection. Here is more info.
Currently, to resolve this, the CSP I set should be in this format:
```
Content-Security-Policy: frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;
```
The https://shopify-dev.myshopify.com in the above code should be the merchant/requester domain.
What I tried: I created a .htaccess file with the following, but it's not adding the dynamic URL.
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
Header set Content-Security-Policy "frame-ancestors '%{HTTP_HOST}' 'https://admin.shopify.com';"
</IfModule>
```
This is what I'm getting in console:
Solution 1:
Apache
On Apache, you would need to do it like this instead:
```apache
### Apache ###
Header set Content-Security-Policy "frame-ancestors https://%{HTTP_HOST}e https://admin.shopify.com;"
```
Note the e after %{HTTP_HOST}e (specific syntax for mod_headers). I've also removed the single quotes (not present in the Shopify example) and included the https:// protocol.
The <IfModule> and RewriteEngine On directives are irrelevant here.
Reference:
UPDATE:
LiteSpeed
However, if you are using LiteSpeed (as opposed to Apache) you will instead need to first explicitly assign the Host header to an environment variable and use this in the Header directive instead. (Apache is able to access server variables directly using this syntax, but not LiteSpeed.)
For example:
```apache
### LiteSpeed ###
# Assign the "Host" header to an env var "HOSTNAME"
SetEnvIf Host "(.*)" HOSTNAME=$1
# Use "HOSTNAME" (env var) instead in the Header directive
Header set X-Content-Security-Policy "frame-ancestors https://%{HOSTNAME}e https://admin.shopify.com;"
```
Attempting to use the syntax %{HTTP_HOST} (as you originally had) on Apache would have resulted in a 500 Internal Server Error (with the error "Unrecognized header format %" being reported in the error logs). However, on LiteSpeed this just outputs the literal string {HTTP_HOST} and no error.
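An added example, not part of the question or the answer above, that tightens the SetEnvIf approach: the `(.*)` pattern copies whatever the Host header carries straight into the CSP, so here the capture is restricted to a `*.myshopify.com` name and any other Host value falls back to a fixed policy. It keeps the page's premise that the Host header carries the merchant domain, uses Apache mod_setenvif/mod_headers syntax (the `env=` condition on `Header` is Apache's; whether LiteSpeed honours it is not confirmed by this page), and the variable name SHOP_HOST is my own choice.

```apache
# Only set SHOP_HOST when the Host header is exactly a lowercase *.myshopify.com name.
# The anchored pattern rejects ports, paths, other domains and header-injection attempts.
SetEnvIf Host "^([a-z0-9-]+\.myshopify\.com)$" SHOP_HOST=$1

# Fallback: Host did not match, so send a policy that names only the Shopify admin.
Header set Content-Security-Policy "frame-ancestors https://admin.shopify.com;" env=!SHOP_HOST

# Host matched: allow that one merchant domain plus the Shopify admin.
Header set Content-Security-Policy "frame-ancestors https://%{SHOP_HOST}e https://admin.shopify.com;" env=SHOP_HOST
```

Because `Header set` replaces any earlier value, exactly one of the two directives wins per request, so a request with an unexpected Host still gets a valid, restrictive header rather than a malformed one.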
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow