[Bug]: Codespaces `app dev` CSP error

[aaronadamsCA]

Please confirm that you have:

• Searched existing issues to see if your issue is a duplicate. (If you’ve found a duplicate issue, feel free to add additional information in a comment on it.)
• Reproduced the issue in the latest CLI version.

In which of these areas are you experiencing a problem?

App

Expected behavior

shopify app dev should work correctly in a Codespaces environment.

Actual behavior

The Shopify embedded app iframe shows "github.com refused to connect." The error message is:

Refused to frame 'https://github.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

The root cause seems to be that GitHub auth cookies have SameSite=Lax, so the iframe will never see them.

I can work around it with CODESPACE_NAME= pnpm exec shopify app dev to force a Cloudflare tunnel (side note, I'd love a better way to configure the tunnel).

Verbose output

N/A

Reproduction steps

1. Start the embedded app template in Codespaces.
2. Run shopify app dev and open the preview URL.

Operating System

Codespaces

Shopify CLI version (shopify --version)

@shopify/cli/3.83.2

Shell

No response

Node version (run node -v if you're not sure)

No response

What language and version are you using in your application?

No response

[isaacroldan]

Thanks for the report @aaronadamsCA, i'll add a internal note to fix this, but since there is an easy workaround i'll mark it as non-urgent.

When you say "a better way to configure the tunnel", what do you have in mind? what config would be useful to have?