safari 13.1 refused to load shopify embeded apps

New Member
14 0 0

our app was working just fine but recent changes in safari caused our app top break

safari 13.1 starts blocking apps embeded in shopify using iframe.

the error it throws is


        refused to load because it does not appear in the frame-ancestor directive of content security policy.


we tried all sorts of content security policy and chrome and firefox works just fine but safari always breaks,

we removed that header all together.

we even added

header("Content-Security-Policy: frame-ancestors * 'unsafe-inline' 'unsafe-eval' img-src * data:");

header("Sec-Fetch-Dest: iframe");
header("Sec-Fetch-Mode: navigate");
header("Sec-Fetch-Site: cross-site");



we tried all sorts of combination but every time it fails in safari. i can find that several of other apps works just fine in embeded mode in shopify and safari 13.1 so it definitely means it is possible.

one thing i noticed that url address needs to be changed post authorization and in our cast it is not changing as safari blocks but in other app it changes the url address in browser however i found nothing different in there code using view-source as well as tried to replicate all headers they are giving but nothing worked.,

any help will be great.


i am not using shopify app-bridge or koa library