Partners and Developers

Same here. My app does not use cookies, so solutions like this do not apply.

I am still trying to wrap my head around the issue, but what I think is happening is this:

1. When the Shopify admin page is loaded in the browser, Shopify's web server is sending along a Content-Security-Policy header containing the "worker-src" string which is unrecognized / unsupported in Safari.
   
   
2. Because Safari doesn't recognize that string, it defaults to the strictest possible interpretation, which is not to allow loading of iframes from external sources.  Thus, the iframe that loads the embedded app does not get rendered.

Does that explanation sound at all accurate?  Or am I off base?

Having same issue. Still no solution.

You may be getting this error during OAuth by redirecting to the authorisation url https://{shop}.myshopify.com/admin/oauth/authorize from inside the iframe without escaping it. This happened to me and for some reason it only causes this error in Safari. To get around this, you need to use app bridge to escape the iframe, which can be done in Node JS (for example) by replacing something like:

res.redirect(authUrl)

with the following:

const html = (shop, apiKey, url) => {
  return `<html>
    <head>
      <script src="https://unpkg.com/@shopify/app-bridge"></script>
      <script>
        var AppBridge = window['app-bridge'];
        var createApp = AppBridge.createApp;
        var actions = AppBridge.actions;
        var Redirect = actions.Redirect;

        if (window.top == window.self) {
          window.location.assign('${url}');
        } else {
          var app = createApp({ apiKey: '${apiKey}', shopOrigin: '${shop}' });
          Redirect.create(app).dispatch(Redirect.Action.REMOTE, '${url}');
        }
      </script>
    </head>
    <body>
      <p>Error: Failed to escape iframe during OAuth</p>
    </body>
  </html>`
}

res.send(html(shop, apiKey, authUrl))

After making this change you may have a redirect loop that keeps repeating OAuth if you have forceRedirect set to true in the config for Shopify App Bridge. I couldn't find documentation for this, but it seems that forceRedirect causes a redirect to the App URL path that you specified in the Partner Dashboard ( restarting OAuth ) rather than the URL where you loaded and created an instance of app bridge. To get around this you can skip OAuth by redirecting to your apps homepage if you already have an access token for the merchant during Step 3 of OAuth.

Hi @Shaibt and others who run into this issue.

We ran into the same issue. I'll describe here how we resolved it.

Problem
On Safari only, the browser refuses to redirect to /admin/oauth/authorize (as mentioned by @Patrick_Hughes). It fails with the error mentioned by the OP related to the CSP.

Context
In our case, this happened because we redirect to the oAuth flow from the server. In other words, the browser redirects to an endpoint of our app, which decides that control should be given to Shopify to perform an oAuth check (check/grant permissions). This means the browser received a 302 (redirect) instructing it to go to the oAuth flow, which is a Shopify endpoint. Safari does not allow this. It seems other browsers have no problems with it.

Solution
The solution we implemented was to replace our redirect with an API call, which returns the URL for the oAuth flow. We then use the AppBridge (as mentioned by @Patrick_Hughes) to redirect the merchant to the URL received from the API.
The JavaScript function that handles this is conceptually implemented as follows:

//Note: this excerpt is meant as a draft/example only
function RedirectToAuthorizationFlow(apiKey, host, forceRedirect) {  
  //Change this logic to use your own endpoint here
  fetch(yourendpointhere)
    .then(response => response.json())
    .then(data => 
       //Get the URL to which we need to redirect the merchant 
       let url = data.url;
       
       //Instantiate the AppBridge
       let createApp = window['app-bridge']['default'];
       createApp({ apiKey: apiKey, host: host, forceRedirect: forceRedirect });

       //Redirect to remote URL
       let redirect = Redirect.create(shopifyAppBridgeApp);
       redirect.dispatch(Redirect.Action.REMOTE, { url: url });
}