Hi Shopify folks, I'm wondering if there is any update to the recommended flow for setting session cookies in embedded apps? The approach of using the User-Agent check as recommended in https://help.shopify.com/en/api/guides/itp-impact seems pretty "hacky" and the possibility of issues seems higher than necessary. Additionally MDN has a big fat warning in their docs imploring devs not to use the User-Agent for browser detection.
Is there any plan to offer an alternate method for embedded apps to set a session cookie that is more user friendly? (Especially for those of us who can't use the koa node package or ruby gem). I feel like this should be important since other browsers are starting to follow the ITP way somewhat.
I agree that relying on User-Agent is not ideal, as it can be set to anything. That said, you sort of answered your own question in your post.
The actual flow highlighted in the doc you linked does not require checking the User-Agent, however that is given as a suggestion to limit the users you need to put through this flow. You mentioned that other browsers are starting to follow the ITP way, in which case you should be able to scrap the User-Agent check altogether, as more browsers will require this flow in the future.
Thanks @Busfox. I agree we can run all browsers through the redirect if needed. I was curious though if Shopify had any plans to introduce a method into Embedded apps similar to the Shopify.API.remoteRedirect method that allows iframes to do a top-level redirect despite browser restrictions. Are there any plans for something like this?