How do you guys deal with enabling third party cookies for embedded apps? Most browsers are much stricter about this nowadays. We use third party cookies to store the session and also ensure the user is who they say they are (using the HMAC).
Our current solution is to break out of the iframe in order to make the domain first party during the installation process. The problem is one of our new apps got rejected for doing this for "flashing too much" during the installation process. What other solution is there?
Hi @BGilbert. Thanks for posting about this, and apologies for the long delayed response.
Breaking out of the frame is our recommended approach — see our docs about authenticating embedded apps with OAuth, which cover how to make sure the OAuth redirects work properly. One thing not covered there (which we should add; I’ll open a ticket internally about this) is the UX of this experience — if the app renders UI during this redirect step, it creates visible flashes of content that can be confusing for the merchant. Instead, we recommend rendering a plain blank/white page during the OAuth redirect steps. In addition to making the redirects less jarring, this has the added benefit of speeding the OAuth process up (since the browser doesn’t have to waste time downloading/rendering content).
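One way to serve the blank redirect page described in the reply above, as an added example that is not part of the original posts and is not Shopify's or the shopify_app gem's code. The helper names and the `auth.example.com` host are assumptions; the redirect target is allow-listed and escaped before it is placed in the script, so the breakout page cannot be turned into an open redirect or a script injection point.

```ruby
require "json"
require "uri"

# Returns the URL unchanged if it is https and its host is allow-listed,
# otherwise nil. (Hypothetical helper, not part of any gem.)
def safe_redirect(url, allowed_hosts)
  uri = URI.parse(url)
  return nil unless uri.is_a?(URI::HTTPS) && allowed_hosts.include?(uri.host)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Builds a blank page whose only job is to move the top-level window to
# the OAuth URL. No visible markup is rendered, so nothing flashes.
def breakout_page(url, allowed_hosts)
  target = safe_redirect(url, allowed_hosts)
  return nil if target.nil?
  # JSON-encode for the script context, then escape the characters that
  # could close the <script> element or be read as markup.
  js = JSON.generate(target).gsub(/[<>&]/) { |c| format("\\u%04x", c.ord) }
  <<~HTML
    <!DOCTYPE html>
    <html><head><meta charset="utf-8"><title></title></head>
    <body>
    <script>
      var target = #{js};
      if (window.top === window.self) {
        window.location.assign(target);   // already top-level
      } else {
        window.top.location.href = target; // leave the iframe
      }
    </script>
    </body></html>
  HTML
end

# Constructed sample input.
ALLOWED = ["auth.example.com"].freeze
puts breakout_page("https://auth.example.com/authorize?a=1&b=2", ALLOWED)
```

A caller that gets `nil` back should respond with an error instead of redirecting.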
I am using the shopify_app gem to develop an embedded app and I want to know if I can unblock third party cookies from my app. My users are getting `samesite error` due to the Chrome update regarding third party cookies. I don't want to ask users to turn off the blocking manually as that would not be a good user experience. Could someone please help me here?