Unsupported Content-Security-Policy directive breaks embedded apps on Safari.

2 0 0

When loading an a Shopify admin embedded app the initial page load carries this response header:

Content-Security-Policy: block-all-mixed-content; upgrade-insecure-requests; default-src 'self' data: blob: https://* shopify-pos://*; connect-src 'self' blob: wss://* https://* https://bugsnag-mtl.shopifycloud.com:4900/js; style-src 'self' 'unsafe-inline' data: blob: https://*; media-src 'self' data: blob: https://videos.shopifycdn.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.shopify.com cdn.shopify.cn checkout.shopifycs.com d2c7xlmseob604.cloudfront.net www.google-analytics.com stats.g.doubleclick.net app.myshopify.io app.myshopify.com c.paypal.com www.paypal.com appcenter.intuit.com mpsnare.iesnare.com api.stripe.com maps.googleapis.com js.braintreegateway.com www.youtube.com s.ytimg.com custom-fields.shopifycloud.com; child-src 'self' https://* shopify-pos://*; frame-src app.myshopify.io *.shopifyapps.com *.myshopify.io *.myshopify.com https://* shopify-pos://*; worker-src 'self' blob:

Because "worker-src" is not a supported directive for Safari (see documentation) it triggers the following error as seen in the Safari console: 

Screen Shot 2020-06-02 at 5.43.54 PM.png


Consequently, when the embedded apps <iframe> attempts to load it fails with the following error seen in the Safari console:
Screen Shot 2020-06-02 at 5.46.20 PM.png


I tested a few other apps and witnessed similar behavior. 

Safari version:

Version 13.1.1 (15609.

macOS Catalina v10.15.5

Replies 6 (6)

2 0 0

Also it appears that traffic is not being directed to the correct redirect uri. You can see in the image below that the redirect URI I have set is "https://shoppefeed.web.app/shopify/redirect" however it looks like traffic is being pushed to "https://shoppefeed.myshopify.com/admin/auth/login".redirects.png


I'm not seeing this behavior on Chrome or Firefox

Shopify Staff
1829 269 407

Thanks @hutch 


Similar threads here and here.


Have you made any progress? Which library are you using?

Scott | Developer Advocate @ Shopify 

Shopify Partner
136 16 62

If anyone finds a similar issue like this again, you can use postMessage to achieve the redirect.





Was this helpful? Press like!
Did it fix the problem? Mark it as the solution for others!
Buy me a beer? Well, sure!
Shopify Partner
901 23 175

Any update in 2021? If I am redirecting to the correct URI, where is the suitable place to handle this redirect?

BYOB - Build Your Own Bundles, SPO - SEO App to research keywords & edit social link preview
5 0 4

We are also having the same issue.

At the moment of writing this post  "worker-src" is still not supported for Safari (just as mentioned in this link). 

Also,  I confirm that (as mentioned in a previous post) the redirect is not being pointed correctly, for example, if we set a redirect URI as "https://somepage/redirect" it looks like traffic is being pushed to "https://somepage/redirect/admin/auth/login" .  The solutions proposed by @SBD_ are not helping in fixing this issue; furthermore our APP is using session tokens, we are not working with cookies.

@SBD_  Is there any official update regarding this issue? Thanks

Shopify Staff
1829 269 407

@mikeastral can you confirm the token is passed along in your redirect?

If so, and the issue persists, please DM me app details + replication steps.

Scott | Developer Advocate @ Shopify