App Proxy removes custom headers

Solved
yadiguzel
Tourist
4 0 0

Hi,

I have a service worker for sending web push notifications which is hosted on my server and configured with header 'service-worker-allowed: /' (you can see below). 

curl -D - https://myapplicationserver/sw.js
HTTP/2 200 
date: Sat, 26 Dec 2020 08:03:34 GMT
content-type: application/javascript
content-length: 2213
service-worker-allowed: /
apigw-requestid: YJotkjunvHcEJmw=

When I try to host this script with App Proxy, the 'service-worker-allowed: /' header is removed from the response (you can see below).

curl -D - https://myshop/apps/myapplication/sw.js
HTTP/2 200
apigw-requestid: YQUUTgckPHcES0A=
cf-cache-status: DYNAMIC
cf-ray: 6089fd490d5d3688-LAX
cf-request-id: 074a1ca1a300003688c987d000000001
content-encoding: br
content-type: application/javascript
date: Mon, 28 Dec 2020 08:42:42 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
nel: {"report_to":"network-errors","max_age":2592000,"success_fraction":0.0001}
report-to: {"group":"network-errors","max_age":2592000,"endpoints":[{"url":"https://monorail-edge.shopifycloud.com/v1/reports/nel/20190325/shopify"}]}
server: cloudflare
set-cookie: secure_customer_sig=; path=/; expires=Tue, 28 Dec 2021 08:42:41 GMT; secure; HttpOnly
set-cookie: cart_currency=USD; path=/; expires=Mon, 11 Jan 2021 08:42:41 GMT; SameSite=Lax
set-cookie: cart_sig=160343e4d7c8c38e333a06286465b09f; path=/; expires=Mon, 11 Jan 2021 08:42:41 GMT; HttpOnly; SameSite=Lax
vary: Accept-Encoding
x-dc: gcp-us-central1,gcp-us-central1

Last week I didn't have the issue, because I was able to send web push notifications with the same configuration. Do you have any suggestions regarding how to solve this issue?

Thanks

0 Likes
Greg_Kujawa
Shopify Partner
1016 83 237

I ran into something similar, in that my app proxy calls were missing header values that previously were honored. Started back on 18-Dec-2020. Not sure if there was some sort of change on Shopify's end, but it sure sounds like it. Maybe someone from Shopify can weigh in on this? 

HunkyBill
Shopify Expert
4509 46 492

Not sure it is appreciated, but I have to ask anyway. Why use custom headers in the first place? You know Shopify strips cookies and other extraneous values, trying to ensure the Proxy is not a vector for anything nasty. So why not just send data to the Proxy endpoint, work on it, and return results, all without jamming something into the header.

Is there something you can do with a header you can't do with the data payload? What is the purpose where you can achieve something special?

Custom Shopify Apps built just for you! hunkybill@gmail.com http://www.resistorsoftware.com
0 Likes
yadiguzel
Tourist
4 0 0

Hi,

For sending web push notifications you have to use service workers. The application itself does not require anything from headers. But if you want to use a service worker in root scope, you have to use this header.

For more details about service workers, please refer to

https://developers.google.com/web/fundamentals/primers/service-workers

Thanks

0 Likes
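The scope rule behind the post above, as an added example that is not part of the original thread: it follows the scope check in the Service Workers specification, where the maximum scope defaults to the script's directory and a Service-Worker-Allowed response header can widen it. The function names are hypothetical, and the host and paths are the placeholders used in the posts.

```javascript
// Added illustration: the check a browser applies when a page calls
// navigator.serviceWorker.register(scriptUrl, { scope }).
// swAllowed is the Service-Worker-Allowed header value, or null when the
// response does not carry it (for example because a proxy removed it).
function maxScopePath(scriptUrl, swAllowed) {
  const script = new URL(scriptUrl);
  if (swAllowed === null || swAllowed === undefined) {
    // Default: the directory that contains the worker script.
    return new URL('./', script).pathname;
  }
  // The header value is resolved against the script URL and must stay
  // on the script's origin, otherwise no scope is permitted at all.
  const max = new URL(swAllowed, script);
  return max.origin === script.origin ? max.pathname : null;
}

function registrationAllowed(scriptUrl, requestedScope, swAllowed) {
  const script = new URL(scriptUrl);
  const scope = new URL(requestedScope, script);
  if (scope.origin !== script.origin) return false;
  const max = maxScopePath(scriptUrl, swAllowed);
  // The requested scope path must start with the maximum scope path.
  return max !== null && scope.pathname.startsWith(max);
}

// Constructed cases using the placeholder URL from the thread.
const SW_URL = 'https://myshop/apps/myapplication/sw.js';
const cases = [
  ['/', null],                      // root scope, header missing
  ['/', '/'],                       // root scope, header present
  ['/apps/myapplication/', null],   // scope limited to the proxy path
];
for (const [scope, header] of cases) {
  const verdict = registrationAllowed(SW_URL, scope, header) ? 'allowed' : 'SecurityError';
  console.log(`scope=${scope} header=${header} -> ${verdict}`);
}
```

Without the header, a worker served from the proxy path can still be registered, but only for pages under that path, so it cannot control the storefront root.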
HunkyBill
Shopify Expert
4509 46 492

I am surprised you'd try and jam that via the Proxy in the first place. Walking a tightrope there.

0 Likes
Edgemesh
Tourist
6 0 3

Shopify has sent us (and others who use the Service Worker framework) a note indicating that they will not support the Service Worker Header in the App Proxy. We (along with numerous other application developers in the community) are reaching out to the team there to see what the plan/status is. However, in the meantime I believe newly submitted App-Proxy apps that require the Service Worker will fail. I'd suggest opening a support ticket with the Shopify team as well.

HunkyBill
Shopify Expert
4509 46 492

Totally not surprised that end run is getting blocked. 

0 Likes
yadiguzel
Tourist
4 0 0

HunkyBill, why do you think so? What is the problem with working with service workers from your perspective? Some applications still have this custom header. Here are the push owl service worker response headers.

apigw-requestid: YS0HehHnoAMEV3g=
cache-control: max-age=604800
cf-cache-status: DYNAMIC
cf-ray: 60903b48eac23610-LAX
cf-request-id: 074e03619300003610be151000000001
content-encoding: br
content-type: application/javascript
date: Tue, 29 Dec 2020 02:53:35 GMT
etag: W/"c0e26ab6ad4b93d4f3cc5e183294f413"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
last-modified: Wed, 23 Dec 2020 07:53:37 GMT
nel: {"report_to":"network-errors","max_age":2592000,"success_fraction":0.0001}
report-to: {"group":"network-errors","max_age":2592000,"endpoints":[{"url":"https://monorail-edge.shopifycloud.com/v1/reports/nel/20190325/shopify"}]}
server: cloudflare
service-worker-allowed: /
set-cookie: secure_customer_sig=; path=/; expires=Wed, 29 Dec 2021 02:53:35 GMT; secure; HttpOnly
set-cookie: cart_currency=USD; path=/; expires=Tue, 12 Jan 2021 02:53:35 GMT; SameSite=Lax
set-cookie: cart_sig=d445c8fcce2facbfd5b0add8f934de82; path=/; expires=Tue, 12 Jan 2021 02:53:35 GMT; HttpOnly; SameSite=Lax
vary: Accept-Encoding
x-amz-id-2: yhOAjtDPPVBsK4Rr+N6GTWv0sd5smxmbRhUmZUfOzKLNrbCX1cgWS92Rjj8RBMsBkUWUPRgMn6c=
x-amz-request-id: 313A0BD56BD914E8
x-dc: gcp-us-central1,gcp-us-central1

0 Likes
Greg_Kujawa
Shopify Partner
1016 83 237

Sounds like you will need to implement a "middleman" to receive the app proxy requests, massage the data into a format that your service worker will accept, then forward that request along, and finally take the service worker response and pass it back to the app proxy caller.

My scenario where I found the app proxy mechanism had changed was actually a fortunate one. I had mistakenly referenced the app proxy URL with the partner development shop's DNS name. This had worked for about a year and then failed. Due to CORS. I corrected my goof-up by correctly referencing the app proxy URL with the shop's DNS name that it was installed on. Which was the way I should've implemented it all along. 

0 Likes
HunkyBill
Shopify Expert
4509 46 492

@yadiguzel there is nothing about what push owl does that requires service workers. Everything that App offers is available through a regular call to a Proxy endpoint. So I see no point in arguing for these headers to be passed. I can see why Shopify would restrict that vector. So it is not like I have a problem with service workers, I am just commenting that I am NOT surprised Shopify does not allow them in the context of Proxy calls.

0 Likes