Re: Safari 13.1 and embedded apps

Solved

Safari 13.1 and embedded apps

sleyhane
Shopify Partner
22 3 9

Yesterday, Apple released new versions of Safari with its OS updates (Safari 13.1 on macOS and  iOS/iPadOS 13.4). This release blocks all third-party cookies by default across the board. This has broken our embedded Shopify apps, which make use of cookies to store a session identifier.

 

Full Third-Party Cookie Blocking and More:

https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

 

Does Shopify have an approach for getting embedded apps to work in Safari on the latest release?

 

Disabling the privacy option 'Prevent cross-site tracking' allows the apps to work, but we're looking for a solution that doesn't require users to change the default settings.

 

We managed to work around the restrictions in the previous release (by redirecting to the top window and setting a first-party cookie) but I can't see a way yet with these changes. There is reference to using the Storage Access API, but this requires sandbox tokens applied to the 'iframe' element in Shopify.

 

Has anyone else tackled this issue?

Accepted Solutions (2)
Michael_Ragalie
Shopify Staff
38 2 12

This is an accepted solution.

The embedded app iframe isn't sandboxed, so there's no sandbox token to be added. Calling the Storage Access API will just work, give it a try! We use it in the apps we build internally (with some exceptions that have regrettably not updated as quickly as they should have).

To learn more visit the Shopify Help Center or the Community Blog.

View solution in original post

sleyhane
Shopify Partner
22 3 9

This is an accepted solution.

I went through the 'Build a Shopify App with Node and React' tutorial:

https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react

 

and the result doesn't work in Safari 13.1 -- I get into an endless redirect loop. So I suspect the 'koa-shopify-auth' library needs to be patched.

 

I wrote up how we fixed our apps:

https://medium.com/@sleyhane/shopify-embedded-apps-and-safari-81903dec20f7?sk=c747754dacdc8f35403af1...

 

We don't use either of the Shopify-provided libraries since our apps have a .NET Core (C#) backend but I hope this help others.

View solution in original post

Replies 38 (38)

Josef_Rousek
Shopify Partner
7 0 2

Yes, we're facing the same issue.

christie699
Visitor
1 0 2

I can't even access the Themes, Pages, or Preferences pages in the online store for customization.

Michael_Ragalie
Shopify Staff
38 2 12

Hi!

 

There is reference to using the Storage Access API, but this requires sandbox tokens applied to the 'iframe' element in Shopify.

 

I think the Storage Access API should work for embedded apps. I know it's used in the shopify_app ruby gem to request permission to access cookies. If you're able to use that API you should be able to get the cookie access you need. Maybe try taking a look at how shopify_app does it and see if it also works for you? Here's what appears to be the relevant JS: https://github.com/Shopify/shopify_app/blob/master/app/assets/javascripts/shopify_app/storage_access...

To learn more visit the Shopify Help Center or the Community Blog.

sleyhane
Shopify Partner
22 3 9

@Michael_Ragalie The rules changed in last week's Safari 13.1 release.

 

We were able to work around previous privacy changes ('Prevent cross-site tracking' and ITP 2.3) by using App Bridge to redirect the top window to set a cookie from our domain and then back into our app (which App Bridge automatically puts back in its correct frame). If you are classified as a tracking domain, then the user activation was required.

 

Safari 13.1 is a different beast, though. As I understand it, our app can only read its (previously set) first-party cookies after user interaction. And this only works if the app 'iframe' element is sandboxed with the appropriate tokens:

 

<iframe sandbox="allow-scripts allow-same-origin allow-top-navigation allow-storage-access-by-user-activation"></iframe>

 

So we need Shopify to add these to the embedded app iframe element in order to support this.

 

I've confirmed that Shopify's own 'Order Printer' app does not work in Safari 13.1. It redirects a few times and then gives up with an error. Presumably, all other apps are broken on this browser too.

Michael_Ragalie
Shopify Staff
38 2 12

This is an accepted solution.

The embedded app iframe isn't sandboxed, so there's no sandbox token to be added. Calling the Storage Access API will just work, give it a try! We use it in the apps we build internally (with some exceptions that have regrettably not updated as quickly as they should have).

To learn more visit the Shopify Help Center or the Community Blog.

sleyhane
Shopify Partner
22 3 9

@Michael_Ragalie Sorry, I stand corrected. I was under the impression that the iframe **had** to be sandboxed to get access to storage. You're correct. Thanks for your help!

 

All third-party cookies are blocked and user activation is required to get access to previously set first-party cookies. This means that user activation is required every time an admin link extension page is accessed. This makes for a terrible user experience in Safari, but this is outside of Shopify's control.

jam_chan
Shopify Partner
913 23 187

I've the same issue. Except removing all cookie, is there any fix by the developer or Shopify can handle it?

BYOB - Build Your Own Bundles, SPO - SEO App to research keywords & edit social link preview
Michael_Ragalie
Shopify Staff
38 2 12

Hello! You'll want to use the Storage Access API to request cookie access: https://developer.mozilla.org/en-US/docs/Web/API/Storage_Access_API

 

Once you've successfully requested access via the Storage Access API you can read and modify cookies as normal.

 

It's admittedly a little tricky to get this right, but unfortunately this is the user experience that Safari has defined for this use case.

To learn more visit the Shopify Help Center or the Community Blog.

GhostApps
Shopify Partner
153 1 15

I've been testing with Safari 13.1 and I can't get it to work unless I disable "Prevent cross-site tracking" in Safari Preferences -> Privacy, there is also a couple of issues open on GitHub that say this previously fixed issue has re-emerged https://github.com/Shopify/shopify_app/issues/845 

https://github.com/Shopify/shopify_app/issues/944

 

Please can you provide a working example or confirm that there is an issue with Safari 13.1

 

Thanks

Workbench360
Visitor
2 0 0

Hi, We are having the same issue using Safari 12 and 13 with our app using App-Bridge on Node.js which was working before.

 

I try started a brand new sample app following the latest tutorial instruction from Shopify and downloaded the latest packages but still have the problem that the session cookies cannot be stored. The app won't even start and my  "Prevent crossing site tracking" in Safari Preference is off.

 

https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-express

 

Since we have no control over the Shopify packaged code which try to store the access token and shop id into the cookies, how can we change to use the Storage Access API to solve the problem.  

 

Will Shopify be releasing an updated package that will use Storage Access API or expect the partner developers to hack around Shopify code to get it working with the Storage Access API.

 

Please help and give proper instruction/ example on how to do it as this is very frustrating that we have to support the unhappy customers while we are hacking for a solution around the Shopify code.

 

Thanks

banned
Michael_Ragalie
Shopify Staff
38 2 12

Hello!

 

I'm sorry for the confusion, but that tutorial doesn't work, as we deprecated express support a while ago (see, e.g.https://www.npmjs.com/package/@shopify/shopify-express). I don't know how this slipped through the cracks. I've asked our team to note that that tutorial is deprecated to avoid confusion in the future.

 

We recommend using our `koa` library which properly handles requesting access via the Storage Access API: https://www.npmjs.com/package/@shopify/koa-shopify-auth

 

Again, sorry for the confusion!

-Mike

To learn more visit the Shopify Help Center or the Community Blog.

Workbench360
Visitor
2 0 0

Hi,

We have just tried to use koa with the following tutorial "Shopify App with Node and React" which is using koa-shopify-auth.

Still have the same problem. Don't see where it uses the storage access API. When we debug it using the Safari inspect, we see that the cookie is created and then disappeared in a split second and it does not use the local storage.

 

https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react/set-up-your-app

 

banned
sleyhane
Shopify Partner
22 3 9

This is an accepted solution.

I went through the 'Build a Shopify App with Node and React' tutorial:

https://shopify.dev/tutorials/build-a-shopify-app-with-node-and-react

 

and the result doesn't work in Safari 13.1 -- I get into an endless redirect loop. So I suspect the 'koa-shopify-auth' library needs to be patched.

 

I wrote up how we fixed our apps:

https://medium.com/@sleyhane/shopify-embedded-apps-and-safari-81903dec20f7?sk=c747754dacdc8f35403af1...

 

We don't use either of the Shopify-provided libraries since our apps have a .NET Core (C#) backend but I hope this help others.

Ghost_Test
Shopify Partner
8 1 3

Ok I finally figured it out.

Starting with Safari 13.1 you need to request access to set cookies twice

Once when the page is loaded at the top level and then again when the page is loaded as an embedded page within the Shopify admin

Then you can set cookies and it works as normal

Michael_Ragalie
Shopify Staff
38 2 12

This is amazing, thank you!

To learn more visit the Shopify Help Center or the Community Blog.

AvocadosLab
Shopify Partner
51 4 44

@Michael_Ragalie should we expect any patch from Shopify soon around this in koa-auth library? Would be great if you update templates with a fix so that everyone benefits from it rather using their own implementations.

arenacommerce
Shopify Partner
7 0 1

Any one try to fix koa-shopify-auth? 

If helpful then please Like and Accept Solution.
Want to modify or custom changes on store Hire Us.
Feel free to contact us at support@arenacommerce.com
- Manage your Shopify store metafieds data with Advanced Custom Fields
Michael_Ragalie
Shopify Staff
38 2 12

We're working on a fix! I'll post back once we have something for you to try! Thanks for the ping!

To learn more visit the Shopify Help Center or the Community Blog.

Michael_Ragalie
Shopify Staff
38 2 12

We released v3.1.61 of koa-shopify-auth this afternoon that should fix issues with Safari 13.1: https://www.npmjs.com/package/@shopify/koa-shopify-auth/v/3.1.61

 

Please give it a try and let us know if it works for you!

To learn more visit the Shopify Help Center or the Community Blog.

AvocadosLab
Shopify Partner
51 4 44

I just tested "v3.1.61" of "koa-shopify-auth" on Safari 13.1 it did fix cookie redirect issue! Thanks a ton for releasing patch quickly. Much appreciated 🙂 

 

I'm seeing following prompt every time I'm trying to open my app on Safari 13.1 though, is that a new normal?

 

Screen Shot 2020-05-01 at 4.38.34 PM.png

Michael_Ragalie
Shopify Staff
38 2 12

Glad it's working for you!

 

Yes, that's the new normal (for the moment). But we're working on something better 🙂 https://twitter.com/jmwind/status/1256249454430224386

To learn more visit the Shopify Help Center or the Community Blog.

raymmondxma
Tourist
5 0 3

I'm still running into an issue with safari after auth redirect (following the next js and Shopify-koa-auth tutorial). 

After seeing the accept cookies screen I get redirected a few times (with shop parameter defined) but ultimately it takes me to this URL where the shop parameter is undefined.

Screen Shot 2020-05-07 at 9.16.09 PM.png

Ben-from-Obviyo
Shopify Partner
12 0 2

Thanks for v3.1.61 - one issue we are running into with shopifyAuth is we use "prefix", so when the new client-side redirect attempts to hit the "/auth/enable_cookies..." route, instead of "/{prefix}/auth/enable_cookies", the result is a 404 and not the nice "enable cookies" page.  i've added a note to the commit #1413, hope that helps, and thanks for all the efforts to get this to work!

Obviyo – Hyper-personalized product recommendations powered by Amazon's AI. Shopify Plus Certified App. 1200+ merchants.

Try it free: https://apps.shopify.com/obviyo
redalert1917
Visitor
1 0 0

I have the same problem.. What can I do?

22
Hey!
Michael_Ragalie
Shopify Staff
38 2 12

Hi! I think these two lines should incorporate the prefix: https://github.com/Shopify/quilt/blob/master/packages/koa-shopify-auth/src/auth/client/request-stora...

 

Would you mind opening an issue in the repo (or you can open a PR if you're up to it)? Thanks!

To learn more visit the Shopify Help Center or the Community Blog.

Ben-from-Obviyo
Shopify Partner
12 0 2

Ok, filed an issue https://github.com/Shopify/quilt/issues/1426 regarding "prefix" support.  Will try to have a look at a fix.

Obviyo – Hyper-personalized product recommendations powered by Amazon's AI. Shopify Plus Certified App. 1200+ merchants.

Try it free: https://apps.shopify.com/obviyo
Ben-from-Obviyo
Shopify Partner
12 0 2
dom-linq
Shopify Partner
34 1 14

Hi @Michael_Ragalie,

 

v3.1.61 works with being able to open the app without the enable cookies loop but still continues to be a problem when using an iframe modal. It will ask for permission again and redirect the iframe to the home page of the app. In my case, this makes my app unusable in Safari. Will there be any expected solutions to this issue? Thanks!

 

Screen Shot 2020-06-02 at 5.36.39 PM.png

sleyhane
Shopify Partner
22 3 9

@dom-linq: Shopify is beta testing a new approach that doesn't rely on iframes. I was invited to participate but haven't seen anything yet.

 

Here's the partner update on it:

https://www.shopify.com/partners/blog/whats-new#cookies-authorization

Michael_Ragalie
Shopify Staff
38 2 12

Hello! Thanks for the report! Did this work properly before the v.3.1.61 upgrade?

 

@sleyhane is correct, we are working on an alternative auth approach that avoids many of these issues. We're beta-ing it right now and plan to release it to everyone this summer. That has taken time away from ongoing maintenance work, so we may not get to this issue as quickly as we'd like.

 

However, you can open an issue with this information in our repo, which will help us track it: https://github.com/Shopify/quilt/issues

 

If you're especially ambitious you're welcome to open a PR with a fix too, if you think you know why it's not working 🙂

 

Thanks again!

 

To learn more visit the Shopify Help Center or the Community Blog.

dom-linq
Shopify Partner
34 1 14

@sleyhane @Michael_Ragalie 

 

Thank you for the update! I'll be sure to watch this closely.

 

No, Safari was stuck in the enable cookies loop before the koa-auth v.3.1.61 upgrade but was resolved except when using modal iframes. I will remove the modal iframe usage from my app for now until this is figured out.

 

Thanks!

brdata
Shopify Partner
50 2 13

Hi,

I tried out the Shopify sample embedded app at -

https://github.com/Shopify/shopify-demo-app-node-react

The app works fine on Chrome/IE on Windows and the Shopify POS app on Android but fails with Safari/Shopify POS on iOS 12.4.8 running on my iPad.

I get a couple of redirects, it asks me for "Enable cookies" permission and then it fails with:

Expected a valid shop query parameter

Appears to be related to this discussion. Any plans on fixing this for iOS 12?

Thanks!

Michael_Ragalie
Shopify Staff
38 2 12

Hi!

This seems like a different issue; I'm going to report internally and see if we can figure out what's going on.

Thanks for the report!

-Mike

To learn more visit the Shopify Help Center or the Community Blog.

NabeelAhsen
Shopify Staff (Retired)
5 2 2

@brdata 

Hi there, 

We've been taking a look at this internally and wanted to make sure the following was communicated: 

  1. The message "Expected a valid shop query parameter" usually means that the shop your app is trying to be installed/viewed on was not passed in as a query parameter in the URL. A typical URL would look something like <public_app_host>/auth?shop=<your_shop_name>.myshopify.com.
  2. Make sure your mobile browser doesn't disable all cookies (this may include third-party / cross-site cookies as well for the time-being). Safari manages cookies differently for both Android and iOS. Check this guide to see if Safari is accidentally blocking all cookies: https://help.overdrive.com/en-us/0606.html

To learn more visit the Shopify Help Center or the Community Blog.

brdata
Shopify Partner
50 2 13

Hi,

Thanks for getting back to me. My Safari 12 is set to the default settings as far as I can tell. "Block All Cookies" breaks most websites including Shopify, so I don't think that is the issue. Disabling "Prevent Cross-Site Tracking" also did not help.

Image-1.jpg

I tested the same demo app on another iPad with Safari 13 and it works fine, and it works fine with Chrome on Windows and Android. I haven't made any changes to the Shopify Node React demo App other than adding the API and Secret keys to the .env file and updating koa-shopify-auth and other dependencies to the latest version. 

https://github.com/Shopify/shopify-demo-app-node-react

Image-2.jpg Image-3.jpg Image-4.jpg

Just to make sure, I retested on Safari on yet another iPad with iOS 12.4.7 (my iPad has iOS 12.4.8) with the same result. It always fails with an empty shop= parameter at https://xxxxxx.ngrok.io/auth/inline 

Image-5.jpg

Ngrok reports:

GET /auth/inline   400 Bad Request

I could ask merchants to update iOS on their devices but that isn't a good solution, especially since older iPad Airs and iPad 2s will not get the iOS 13/iPadOS 13 update.

Thanks for looking in to this.

sleyhane
Shopify Partner
22 3 9

@Zeshan,

In reply to your question to me in another thread...

 

My solution for getting embedded Shopify apps with Safari to work (referenced in this thread) is now outdated. You should be using session tokens instead of relying on third-party cookies. I believe this is now a requirement for all new apps, in order to get through the app review process.

Here's information on session tokens:

https://shopify.dev/apps/auth/session-tokens

 

When we went through the process, I found Shopify's documentation a little confusing for the front-end React components. But we sorted it out in the end. Our app now uses session tokens for authentication -- and we're using C# .NET Core in the backend, like you. We use the ShopifySharp library to help with the OAuth2 flow, but we don't use it to validate the session tokens.

 

Hope this helps,

Stefan

 

 

Zeshan
Visitor
3 0 0

@sleyhane thank you for answering. We have read about appbridge and jwt tokens but we are still confused what changes we need in existing app, which is developed on top of shopifysharp. We are using VanillaJS with Bootstrap on frontend and Backend is developed in Asp.net MVC.

Can you provide us some instructions or code boilerplate because shopify documentation is confusing us and there are no help documents for dot net. We may also need to write some articles so we can help dot net community, which is interested in shopify development. 



sanjar
Shopify Partner
21 1 2

Hello, is there any way to setup server cookies for storefront?