What is the problem?
I have a couple of public apps. It was brought to my attention that on some shops, the apps do not load inside the Theme Customizer.
Full Description / Reproducing the Problem
1. Have a test shop that has a read domain. The problem does not occur on shops that are only served on myshopify.com!
The iframe uses https://[shop_slug].myshopify.com, not the real domain!
3. The app makes a call to the /apps/[app_slug]/some-route app proxy route.
4. The request is made to https://[shop_slug].myshopify.com/apps/[app_slug]/some-route - so far so good
5. Shopify's API automatically returns a 301 redirect to https://[REAL-SHOP-DOMAIN]/apps/[app_slug]/some-route - OK... but this would only work if CORS worked too.
6. The browser make an OPTIONS request to https://[REAL-SHOP-DOMAIN]/apps/[app_slug]/some-route - OK... my app is ready for it!
7. Shopify's API does NOT forward this to the app, instead it automatically responds with a 405 (Method not allowed)
Because the options request failed, no other API calls through the app proxy are allowed...
I have tested using a request method that would result in a 405 from the app's backend, and those have a different 405 error message - generated by the app.
The 405 error message in the CORS flow is coming from Shopify's backend, so nothing is even reaching the app.