@devondragon
Created September 27, 2023 00:56
This is source provided by Xiaofan that avoids the CORS/CSP issues by handling the auth check and the OAuth redirect on the server side.
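/**
 * Serves the embedded dashboard, or redirects to the Shopify OAuth flow when the
 * shop named in the request has no authorized client yet.
 *
 * <p>Both the auth check and the OAuth redirect happen server-side, so the embedded
 * page never has to make a cross-origin call of its own.
 *
 * @param principal the authenticated principal; not read by this handler
 * @param model the view model; receives {@code shopName} when the client is authorized
 * @param request the incoming request, used to derive the shop name and the client
 * @param response the response on which the {@code Content-Security-Policy} header is set
 * @return a {@code redirect:} view name pointing at the OAuth URL when the shop has no
 *     client, the {@code dash-embedded} view name when it does, or {@code null} when no
 *     shop name could be derived from the request
 * @throws UnsupportedEncodingException kept for signature compatibility only; the body
 *     encodes with a charset constant and no longer throws it
 */
@GetMapping({"/dash-embedded"})
public String dashEmbedded(
        Principal principal,
        Model model,
        HttpServletRequest request,
        HttpServletResponse response) throws UnsupportedEncodingException {
    // Entry trace only: at error level this fired on every page load and would
    // drown real errors in alerting.
    log.debug("embeddedAuthCheck() running");

    String shopName = getShopNameFromRequest(request);
    if (shopName == null) {
        // NOTE(review): the message names the Authorization header, but what is missing
        // here is the shop name; getShopNameFromRequest is not visible in this file, so
        // confirm that is actually what it reads before relying on this message.
        log.error("No Authorization header found");
        return null;
    }

    // shopName is request-derived and is written into a security header and into a
    // redirect target below. It must already be constrained to a legitimate shop domain
    // by getShopNameFromRequest — TODO confirm; the helper is outside this listing.
    // Setting the header only after the null check also stops "https://null" from
    // being emitted as a frame ancestor.
    response.setHeader("Content-Security-Policy",
            "frame-ancestors https://" + shopName + " https://admin.shopify.com;");

    AuthorizedClient client = getClientFromRequest(request);
    if (client == null) {
        // Normal first-visit path, not an error; the logger adds its own timestamp,
        // so LocalDateTime.now() is no longer prepended.
        log.info("---- embedded-auth-check: client is null");
        // Fully-qualified to avoid a new import; the file's import block is not in view.
        byte[] shopBytes = shopName.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        String params = Base64.getEncoder().encodeToString(shopBytes);
        // OAUTH_URL_TEMPLATE is defined elsewhere; its placeholder order is assumed to
        // match the argument order below, which is unchanged from the original.
        String redirectTo = String.format(OAUTH_URL_TEMPLATE,
                shopName,
                clientKey,
                shopifyScopes,
                hostAddress + "/oauth2/authorization/shopify",
                shopifyScopes,
                params);
        return "redirect:" + redirectTo;
    }

    model.addAttribute("shopName", client.getPrincipalName());
    // The original built an AuthCheckResponse here and discarded it without reading
    // it or adding it to the model; that dead object has been removed.
    return "dash-embedded";
}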