my app was rejected

9 0 3

Hello, i submitted an embded app, the app got rejected.

the reviewer was testing my app in private mode on chrome and he got an error from my be server.

for me it's the good behaviour for security reason.

we should check in the cookies header state with the state given by shopify as mentionned in shopify doc.

on Nodejs we should check the state of cookies 

const stateCookie = cookie.parse(req.headers.cookie).state;
     if (state !== stateCookie) {
        return res.status(403).send('Request origin cannot be verified'); //TODO rediret to error page

should i remove the check of cookies header??

Secondly in my app i am storing some tokens in the local storage, in private mode on chrome we could not access to iframe local storage.

i got this error on chrome console (private mode)

Failed to read the 'localStorage' property from 'Window': Access is denied for this document.

please help me how to deal with these issues.

I noticed that many app listed on shopify are not working on private browser mode because of one of the 2 reasons


thank you in advance for helping

Replies 3 (3)
Shopify Partner
72 7 31

Hi @sefiani ,


I just had an app approved, myself. I'm not entirely sure what your cookie check is for, but if you are using the Shopify auth libraries I don't think you need this code.

I didn't consider storing tokens on the front end a good idea. Again the auth libraries take care of the verification of incoming traffic. If I needed the current token for an API call, I just take it out of the database for that store.

Not sure if this is how other developers have done this - just giving you my limited experience.



Store owner and app developer. Canada.
9 0 3

Hi  @GMKnight 

thank you for your answer, 

i am developping a solution for many e commerce platform and also for mobile and web.

i could not use auth shopify library because i am lokking or a global and generic solution.

the token i am talking about  is used for auth to my application (i m not talking about the  permanent token given by shopify wich i store in my  databases)

i am not sure but i think for me there is 2 solutions: 

not making the application embded (no iframe will be used), it's wil resolve the problem.

or the user (reviewer) who is installing my app should unblock third party cookis like in bellow

i m posting this message to check if there is a better solution.

thank you in advance





Shopify Partner
73 0 18

Very shortly, checking option in chrome to disable 3rd party cookies also disable local storage. I was scratching my head about it, but finally found some clues in the internet. I guess Shopify uses this chrome option to validate 3rd party cookies, in my opinion this is not accurate. I guess I need to stick to database and store cookies there

Maciej Tokarczyk