JST vs first-party iFrame cookies?

HorseCowboy
Shopify Partner

Can't an embedded app set a 1st party cookie when the user visits its domain during the OAuth flow?

  • The user loads the app foo.myshopify.com/apps/bar.
  • When the app is loaded in its iFrame, the browser will send bar.com any of its own 1st party cookies, right? In which case the app can behave normally.

To set a new 1st party cookie for the app:

  1. The user visits foo.myshopify.com/apps/bar.
  2. The app loads an empty page.
  3. The empty page requests an App Bridge redirect (https://shopify.dev/apps/tools/app-bridge/actions/navigation/redirect) to the app at bar.com?shop=....
  4. Now the user is in a 1st party context. The app can now do an OAuth flow, redirecting the user back to Shopify to authenticate.
  5. The user authenticates on Shopify, which then redirects the user back to bar.com/callback.
  6. At the OAuth callback step the app sets a 1st party cookie.
  7. Now the app redirects the user back to foo.myshopify.com/apps/bar.
  8. Shopify loads the app in an iFrame. The browser sends bar.com its own 1st party cookie, which authenticates the user.

I think I must be mistaken about the browser sending 1st party cookies to an iFrame... Otherwise I don't see how an embedded app ever uses 3rd party cookies...

Check out why Shopify store owners are switching to Horse for all of their inventory management needs.
Reply 1 (1)
HorseCowboy
Shopify Partner

TL;DR: My understanding is that the backend of an app which is loaded in an iFrame cannot WRITE a cookie. But can it read its own 1st party cookie(s) if a 1st party cookie was previously written in a 1st party context, such as during an OAuth flow?

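Both the original post and the TL;DR reply above come down to one question: when bar.com is loaded in the iframe on foo.myshopify.com, does the browser attach a cookie that bar.com wrote earlier in a first-party context? The following is an added example, not code from the poster or from Shopify: a small Node.js model of the decision a browser actually makes, which depends on the request's top-level site and the cookie's SameSite attribute, not on where the cookie was written. The host names are the post's placeholders, the Set-Cookie strings are constructed for the example, and `siteOf` is a stand-in heuristic for a real Public Suffix List lookup.

```javascript
// Added example (not from the original post or Shopify): model of the browser's
// SameSite decision for a cookie that an embedded app (bar.com) sets during
// OAuth and then expects to receive inside the iframe on foo.myshopify.com.

// Registrable domain ("site"). Assumption for this model: the last two labels,
// except that myshopify.com is treated as a public suffix so each store is its
// own site. This is a heuristic, not a real Public Suffix List lookup.
function siteOf(hostname) {
  const host = hostname.toLowerCase();
  const keep = host.endsWith(".myshopify.com") ? 3 : 2;
  return host.split(".").slice(-keep).join(".");
}

// Parse one Set-Cookie header the way a browser stores it, applying the two
// rules that matter here: SameSite defaults to Lax when absent (Chrome's
// Lax-by-default), and SameSite=None without Secure is rejected outright.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, sameSite: "Lax" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": {
        const val = v.trim().toLowerCase();
        cookie.sameSite = val === "none" ? "None" : val === "strict" ? "Strict" : "Lax";
        break;
      }
    }
  }
  if (cookie.sameSite === "None" && !cookie.secure) return null; // rejected by the browser
  return cookie;
}

// Decide whether a stored cookie for requestUrl's host is attached to a request
// issued while topLevelUrl is the page in the address bar. An iframe load is a
// navigation, but not a top-level one, so it gets the cross-site treatment.
function cookieSent(cookie, { requestUrl, topLevelUrl, topLevelNavigation = false,
                              method = "GET", thirdPartyCookiesBlocked = false }) {
  const req = new URL(requestUrl);
  const top = new URL(topLevelUrl);
  if (cookie.secure && req.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie on a non-HTTPS request" };
  }
  if (siteOf(req.hostname) === siteOf(top.hostname)) {
    return { sent: true, reason: "same-site request" };
  }
  switch (cookie.sameSite) {
    case "Strict":
      return { sent: false, reason: "SameSite=Strict is never sent cross-site" };
    case "Lax":
      return topLevelNavigation && method === "GET"
        ? { sent: true, reason: "SameSite=Lax on a top-level GET navigation" }
        : { sent: false, reason: "SameSite=Lax is not sent to a cross-site iframe or subresource" };
    default: // "None"
      return thirdPartyCookiesBlocked
        ? { sent: false, reason: "browser blocks third-party cookies" }
        : { sent: true, reason: "SameSite=None; Secure is allowed cross-site" };
  }
}

// The post's scenario: step 6 sets the cookie in the response to bar.com/callback
// (bar.com is the top-level site there); step 8 loads bar.com in the store's iframe.
const IFRAME_REQUEST = "https://bar.com/?shop=foo.myshopify.com";
const STORE_ADMIN = "https://foo.myshopify.com/apps/bar";

function scenario(setCookieHeader, thirdPartyCookiesBlocked = false) {
  const cookie = parseSetCookie(setCookieHeader);
  if (!cookie) return { stored: false, sent: false, reason: "browser rejected Set-Cookie" };
  // Step 8: same cookie, same host, but now embedded under foo.myshopify.com.
  const inFrame = cookieSent(cookie, { requestUrl: IFRAME_REQUEST, topLevelUrl: STORE_ADMIN,
                                       thirdPartyCookiesBlocked });
  return { stored: true, sent: inFrame.sent, reason: inFrame.reason };
}

// Constructed Set-Cookie headers for the callback response in step 6.
for (const h of ["sid=abc; Path=/; Secure; HttpOnly",
                 "sid=abc; Path=/; Secure; HttpOnly; SameSite=None",
                 "sid=abc; Path=/; SameSite=None"]) {
  console.log(h, "=>", scenario(h));
}
console.log("SameSite=None with third-party cookies blocked =>",
            scenario("sid=abc; Secure; SameSite=None", true));
```

Run it with `node`. The first header (no SameSite attribute) is stored fine at step 6 but is not sent to the iframe at step 8; only the `SameSite=None; Secure` variant is, and even that stops working in a browser that blocks third-party cookies (Safari by default, Chrome when the user or policy disables them). Whether the cookie was written in a first-party context never enters the decision.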