Unsupported Content-Security-Policy directive breaks embedded apps on Safari.

New Member

When loading a Shopify admin embedded app, the initial page load carries this response header:

Content-Security-Policy: block-all-mixed-content; upgrade-insecure-requests; default-src 'self' data: blob: https://* shopify-pos://*; connect-src 'self' blob: wss://* https://* https://bugsnag-mtl.shopifycloud.com:4900/js; style-src 'self' 'unsafe-inline' data: blob: https://*; media-src 'self' data: blob: https://videos.shopifycdn.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn checkout.shopifycs.com d2c7xlmseob604.cloudfront.net www.google-analytics.com stats.g.doubleclick.net app.myshopify.io app.myshopify.com c.paypal.com www.paypal.com appcenter.intuit.com mpsnare.iesnare.com api.stripe.com maps.googleapis.com js.braintreegateway.com www.youtube.com s.ytimg.com custom-fields.shopifycloud.com; child-src 'self' https://* shopify-pos://*; frame-src app.myshopify.io *.shopifyapps.com *.myshopify.io *.myshopify.com https://* shopify-pos://*; worker-src 'self' blob:

Because "worker-src" is not a supported directive for Safari (see documentation) it triggers the following error as seen in the Safari console: 

[Image: Screen Shot 2020-06-02 at 5.43.54 PM.png]

 

Consequently, when the embedded app's <iframe> attempts to load, it fails with the following error seen in the Safari console:

[Image: Screen Shot 2020-06-02 at 5.46.20 PM.png]

 

I tested a few other apps and witnessed similar behavior. 


Safari version:

Version 13.1.1 (15609.2.9.1.2)

OS:
macOS Catalina v10.15.5


0 Likes
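An added example, not part of the original post: a small Node.js audit that parses a Content-Security-Policy header and reports which directive ends up governing workers when a browser ignores a directive it does not recognise. It walks the CSP Level 3 fallback order for worker requests (worker-src, child-src, script-src, default-src). The function names are hypothetical, the header is abridged from the one quoted above, and the "unsupported" set is an assumption taken from the post's statement about Safari 13.1.1.

```javascript
// Added example: which directive governs workers if a browser ignores some?

// Parse a serialized policy: split on ';', the first token of each part is
// the directive name (case-insensitive); a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// CSP Level 3 fallback order for worker requests.
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];

// `unsupported` is caller-supplied (assumption): directive names the target
// browser does not recognise and therefore skips.
function auditWorkerPolicy(header, unsupported = new Set()) {
  const policy = parseCsp(header);
  const ignored = [...policy.keys()].filter((d) => unsupported.has(d));
  const governing =
    WORKER_FALLBACK.find((d) => policy.has(d) && !unsupported.has(d)) || null;
  return { ignored, governing, sources: governing ? policy.get(governing) : [] };
}

// Abridged from the header in the post (script-src host list shortened).
const HEADER =
  "block-all-mixed-content; upgrade-insecure-requests; " +
  "default-src 'self' data: blob: https://* shopify-pos://*; " +
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com; " +
  "child-src 'self' https://* shopify-pos://*; " +
  "frame-src app.myshopify.io *.shopifyapps.com https://* shopify-pos://*; " +
  "worker-src 'self' blob:";

const modern = auditWorkerPolicy(HEADER);
const legacy = auditWorkerPolicy(HEADER, new Set(['worker-src']));
console.log('worker-src honoured:', modern.governing, modern.sources.join(' '));
console.log('worker-src ignored: ', legacy.governing, legacy.sources.join(' '));
console.log('blob: workers allowed in both cases?',
  modern.sources.includes('blob:') && legacy.sources.includes('blob:'));
```

With this header the two cases differ: when worker-src is skipped, workers fall under child-src, which does not list blob:. The check covers only worker policy and does not model the iframe failure reported in the post.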
New Member

Also, it appears that traffic is not being directed to the correct redirect URI. You can see in the image below that the redirect URI I have set is "https://shoppefeed.web.app/shopify/redirect"; however, it looks like traffic is being pushed to "https://shoppefeed.myshopify.com/admin/auth/login".

[Image: redirects.png]

 

I'm not seeing this behavior on Chrome or Firefox.

0 Likes
Shopify Staff

Thanks @hutch 

 

Similar threads here and here.

 

Have you made any progress? Which library are you using?

0 Likes