Deprecate ShopifyApp.add_csp_directives

CHANGELOG.md

@@ -1,6 +1,7 @@
 Unreleased
 ----------
 - [Patch] Fix sorbet errors in generated webhook handlers
+- Deprecate `ShopifyApp.add_csp_directives(policy)` - will be removed in v24.0.0
 
 23.0.1 (December 22, 2025)
 - Fix engine initialization [#2040](https://github.com/Shopify/shopify_app/pull/2040)

docs/shopify_app/content-security-policy.md

@@ -11,6 +11,8 @@ For actions that include the `ShopifyApp::FrameAncestors` controller concern, th
 
 ## Strict Content Security Policy
 
+> **Deprecated:** The `ShopifyApp.add_csp_directives` helper is deprecated and will be removed in v24.0.0.
+
 If you enable a strict Content Security Policy in your application, you'll need to explicitly allow Shopify's App Bridge script. The gem provides a helper method to make this easy.
 
 ### Without Strict CSP (Default)

lib/shopify_app.rb

@@ -27,6 +27,11 @@ def self.use_webpacker?
   end
 
   def self.add_csp_directives(policy)
+    ShopifyApp::Logger.deprecated(
+      "ShopifyApp.add_csp_directives is deprecated and will be removed in v24.0.0.",
+      "24.0.0",
+    )
+
     # Get current script-src directives
     current_script_src = policy.directives["script-src"] || []
 

test/shopify_app/csp_helper_test.rb

@@ -7,6 +7,15 @@ class CspHelperTest < ActiveSupport::TestCase
     @policy = ActionDispatch::ContentSecurityPolicy.new
   end
 
+  test "emits a deprecation warning" do
+    ShopifyApp::Logger.expects(:deprecated).with(
+      "ShopifyApp.add_csp_directives is deprecated and will be removed in v24.0.0.",
+      "24.0.0",
+    )
+
+    ShopifyApp.add_csp_directives(@policy)
+  end
+
   test "adds App Bridge script source to empty policy" do
     ShopifyApp.add_csp_directives(@policy)