Shopify now prevents HTTP Basic Auth POST requests that have cookies

Shopify Staff

Shopify recently pushed a change to block HTTP Basic Auth requests to the API that could be used for a CSRF attack.

The change prevents any HTTP Basic Auth POST requests to the API that have cookies.

It is common that HTTP clients like Postman or Paw use cookies in their outgoing requests, so please keep the above change in mind when debugging your API calls. 

If you have any questions or need further clarification, don't hesitate to comment in the thread below.

All the best,


Jordan L
Developer Experience
Shopify

0 Likes
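As an added illustration of the policy this announcement describes (example code, not Shopify's own), here is a small WSGI middleware that refuses state-changing API requests carrying both HTTP Basic credentials and a Cookie header; the /admin/ prefix, the blocked methods beyond POST, and the error message are assumptions.

```python
import json

# Assumptions for this example: the protected API prefix and the methods
# treated as state-changing (the announcement itself names POST).
PROTECTED_PREFIX = "/admin/"
BLOCKED_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def is_basic_auth_with_cookies(environ):
    """True when a state-changing API request mixes Basic Auth with a Cookie.
    A script using Basic Auth has no reason to send cookies; if both appear the
    cookie may be an ambient browser session riding a forged request (CSRF)."""
    if environ.get("REQUEST_METHOD", "GET").upper() not in BLOCKED_METHODS:
        return False
    if not environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIX):
        return False
    scheme = environ.get("HTTP_AUTHORIZATION", "").split(" ", 1)[0].lower()
    has_cookie = bool(environ.get("HTTP_COOKIE", "").strip())
    return scheme == "basic" and has_cookie


class RejectBasicAuthWithCookies:
    """WSGI middleware: refused requests get a 403 whose body says why."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if is_basic_auth_with_cookies(environ):
            body = json.dumps({"errors": "Basic Auth POST requests that carry "
                               "cookies are rejected; clear the Cookie header "
                               "(e.g. in Postman or Paw) and retry."}).encode()
            start_response("403 Forbidden", [("Content-Type", "application/json")])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):  # stand-in for the real API
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def call(app, method, path, headers):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}
    app_iter = app(environ, lambda status, hdrs: seen.setdefault("status", status))
    return seen["status"], b"".join(app_iter).decode()
```

A Postman-style request sent through call() with both headers gets the 403, while the same request without the Cookie header passes, which is the difference to look for when an API client is unexpectedly refused.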
New Member

Good morning Jordan,

I'm an account/project manager for the Hugsmidjan digital agency, which manages some websites using Shopify. On Thursday last week one site stopped being able to finish the payment process.

That's one problem.

The other problem on our hands is that it stayed like that from Thursday until mid-Monday the week after.

So basically people were not able to purchase from that site during that time, which has caused major problems for our client.

We had to find out ourselves what was causing this problem on Monday. Yesterday we got an answer from your forum that you made these changes.

Did you flag these changes beforehand, and if so, where was it flagged and how?

Best regards, 

Hjalti Egilsson

1 Like
Shopify Staff

Hey Hjalti, 

If possible, could you email me directly and describe how this change impacted your client's checkout experience?

- Jordan

0 Likes
New Member

This is a breaking change that has been put in with no warning - and in fact no announcement until 4 days ago. As you can see from this other thread, people were having issues due to this 8 days ago.

We've just identified this as the cause of a break for our Shopify app that synchronises products and inventory with an external system - it's been broken for at least 8 days and only now have we been able to identify the issue - it's not even clear how we need to fix it, given we are sending our requests using standard Spring REST calls (without adding cookies).

Can you raise the way that this has been done and communicated to your management? If you're not going to roll this change back (even temporarily), at the very least in future you need to 1) communicate before breaking changes are made, 2) put a URL or some kind of reference in the HTTP error body that links to the announcement so people don't have to spend hours debugging.

0 Likes
Shopify Partner

Hi Jordan,

My site shop.paperchasepress.com is having problems caused by this update as well.  

Note - the URL involved in both these situations design.paperchasepress.com has a valid SSL certificate.

1. See here: https://shop.paperchasepress.com/pages/design-online. We have an iframe toward the top of the page that uses src="http://design.paperchasepress.com/site/px_projects".  Since your update the form does not appear at all in Safari.  In Chrome the form is visible but the URL bar indicates that our website is not safe (see attachment), this indication persists even when I navigate away from the page.

2. We utilize a third party service that provides a GUI that our customers use to lay out business cards, books, etc. Since Shopify has made these changes users are now prevented from accessing this GUI or warned that it is not safe with a popup or in the URL bar.

In order to replicate this do the following:

Go here https://shop.paperchasepress.com/pages/business_card and enter a quantity of 100

Hit the NEXT button at the bottom of form

Hit the DESIGN ONLINE button

This should take you into the GUI and you will most likely experience a warning.

Please let me know if you have any recommendations.  I have some access to the programmers at Pixfizz but I would need to give them direction in order to change their set up in accordance with your new changes.

Thanks,

Emily

0 Likes
Shopify Partner

Additional example of the error message attached.

0 Likes
Shopify Expert

@Emily - this doesn't look related to me. It seems you're trying to load HTTP content within an HTTPS page. Content security errors should be expected. Load the content via HTTPS instead and see if that gives you better results. Of course you'll need an SSL certificate added to that other server, as you don't have one at the moment.

★ Winning Partner of the Build a Business competition. ★ http://freakdesign.com.au
0 Likes
Shopify Partner

Thanks for the advice Jason, I am in the process of getting an SSL certificate and setting up everything via https.

I understand there can be issues with loading HTTP content through an HTTPS page, but we had this set up for many years (since Shopify was HTTP) and it never caused a problem. This week something has changed and we are having the problem described above as well as another problem where iframes from Jotform (also HTTP) are not displaying.

It seems that this change within Shopify is related. I understand that Shopify needs to make improvements, but they should really give a heads up to their customers or at least Shopify Partners. A lot of people have custom sites built on this platform that can have serious problems, and we get zero warning. This is not the first time I have experienced problems that paralyzed a site after Shopify ran an unannounced update.

Emily 

0 Likes
New Member

I have a small question. Within the store, I created a page that I can see only when I am logged in to the CMS as staff. I am using the API to add metafields to the customers in a store, and it used to work correctly. But for a couple of weeks now, instead of adding the metafield and returning the object with the metafield information as specified in the API documentation (https://help.shopify.com/api/reference/metafield#create), it returns the HTML of the CMS for the store.

I send

url: .../admin/customers/customer#/metafields.json

data: {"metafield": {"namespace": "distributors","key": "image","value": "new","value_type": "string"}}

But the response I get is the HTML for the CMS page; I am sending it attached as a txt file.

What is the reason this is happening now and not before? Am I missing something?

0 Likes
New Member

Dear Shopify Team, 

This is really a huge change for many developers. Is there a mailing list you maintain for developer accounts, or accounts with private apps? And maybe in the future share this news with everyone? I spent 3 days just to end up in this forum post where I now "know" what my problem was, and now need to address the changes. It is very counterintuitive and doesn't meet Shopify standards in my opinion.

Thanks,

Murat

0 Likes