Embedded app won't load in Safari - no Cookies

Shaibt
Excursionist
16 1 10

Our embedded app won't load in Safari (13.1.2):

[Error] Unrecognized Content-Security-Policy directive 'worker-src'.

[Error] Refused to load https://XXXX.myshopify.com/admin/auth/login because it does not appear in the frame-ancestors directive of the Content Security Policy.

 

Seems the issue is happening while still in Shopify flow.

We're using app-bridge-react Provider component to embed in Shopify admin.

Our embedded app doesn't use cookies so I don't think this thread is relevant to our problem - unless I've missed something.

 

instaconnect
Shopify Partner
5 0 0

Hi Shaibt, did you find a solution for this?  We are experiencing the same issue.

0 Likes
Shaibt
Excursionist
16 1 10

Hi @instaconnect, unfortunately - no, haven't found a solution yet. This has worked properly before, but at some point it stopped.

Think that Safari updates are outpacing some of the Shopify iframe mechanisms.

eCreateStudio
Tourist
4 0 2

Hi @Shaibt, I'm also finding this issue.

It seems to be due to the Response header settings:

Content-Security-Policy: frame-ancestors 'none'

And possibly: 

X-Frame-Options: DENY

Which relate to the redirect response:

Redirect Response 303
Location: https://XXXX.myshopify.com/admin/auth/login
 
But I'm not sure so far where the headers for this response are set, and suspect it's on the Shopify side anyway.
 
Pretty frustrating, my app works in Chrome and Firefox, but no joy in Safari, which is holding up my app approval.
0 Likes
olivert
Explorer
51 11 14

Another post with a similar issue

https://community.shopify.com/c/Shopify-APIs-SDKs/Unrecognized-Content-Security-Policy-directive-wor...

Has anyone ever had apps working on Safari?

Seems it blocks iframes 

 

0 Likes
phutureb
Shopify Expert
3 0 0

Same here. My app does not use cookies, so solutions like this do not apply.

I am still trying to wrap my head around the issue, but what I think is happening is this:

  1. When the Shopify admin page is loaded in the browser, Shopify's web server is sending along a Content-Security-Policy header containing the "worker-src" string which is unrecognized / unsupported in Safari.

  2. Because Safari doesn't recognize that string, it defaults to the strictest possible interpretation, which is not to allow loading of iframes from external sources.  Thus, the iframe that loads the embedded app does not get rendered.

Does that explanation sound at all accurate?  Or am I off base?

 

 

0 Likes
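
Added example, not part of any post in this thread and not Shopify's or Safari's code: a small model of how a browser decides whether a response may render inside a frame, for checking the headers quoted above. CSP parsing skips directive names the browser does not recognise, and frame-ancestors takes precedence over X-Frame-Options when both are present. The KNOWN set, the function names and the origins passed in are assumptions for illustration; ports, paths and nested ancestors are not modeled.

```javascript
// Added example. Models a browser that does not know 'worker-src' (assumed set).
const KNOWN = new Set(['default-src', 'script-src', 'frame-src', 'frame-ancestors']);

function parseCsp(value) {
  const directives = new Map(), ignored = [];
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // Unknown directive: log-and-skip; the rest of the policy is unaffected.
    if (!KNOWN.has(key)) { ignored.push(key); continue; }
    if (!directives.has(key)) directives.set(key, sources); // first occurrence wins
  }
  return { directives, ignored };
}

function sourceMatches(source, ancestor, self) {
  if (source === "'self'") return ancestor === self;
  if (source === '*') return true;
  const a = new URL(ancestor);
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return a.protocol === source.toLowerCase();
  // Host source with optional scheme and optional leading "*." wildcard
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  if (m[1] && a.protocol !== m[1].toLowerCase() + ':') return false;
  const host = m[3].toLowerCase();
  return m[2] ? a.hostname.endsWith('.' + host) : a.hostname === host;
}

// headers: object with lower-cased header names.
// ancestor: origin of the embedding page; self: origin of the framed response.
function framingDecision(headers, ancestor, self) {
  const { directives, ignored } = parseCsp(headers['content-security-policy'] || '');
  if (directives.has('frame-ancestors')) {
    // 'none' matches no origin, so the list below yields false for it.
    const ok = directives.get('frame-ancestors').some(s => sourceMatches(s, ancestor, self));
    return { allowed: ok, decidedBy: 'frame-ancestors', ignored };
  }
  // X-Frame-Options is consulted only when frame-ancestors is absent.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'x-frame-options', ignored };
  if (xfo === 'SAMEORIGIN') return { allowed: ancestor === self, decidedBy: 'x-frame-options', ignored };
  return { allowed: true, decidedBy: 'none', ignored };
}
```

Calling framingDecision with the login redirect's headers (frame-ancestors 'none' plus X-Frame-Options: DENY) returns allowed: false regardless of the embedding origin, which points at the redirect target rather than the embedded app's own response as the thing being refused.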

Any update in 2021?

My app also cannot work in Safari 13.1.3

SPO - SEO App to research keywords & edit social link preview
0 Likes