Hi everyone. Please can anyone help with a recent automated rejection message we got?
The rejection says: App must set security headers to protect against clickjacking: There was an error opening your app in the Shopify admin. Your embedded app is loading an invalid URL. . Make sure it is valid.
When you install and load our embedded app on the Shopify Admin, the app loads fine. When we follow the steps to set up iframe protection: https://shopify.dev/apps/store/security/iframe-protection, that all works fine on our app.
We believe the problem is with the Shopify Admin (or browser?) cancelling the first request to fetch our app, and then firing a second request. It seems the automated test only waits for the response of the first request, and assumes the app does not load. (see attached image)
We have previously passed automated stages of the app review, so we believe this could be a recent change from Shopify somewhere.
@Yusman But after the application passed the automated tests, do you still see the canceled request in the network tab?
This is extremely frustrating because earlier my app passed automated tests and was rejected by manual reviewer. Now I am stuck on the first requirement of application approval but nothing changed in the code of my application.
Does anybody have a similar problem? Why is the first request canceled? I believe this is the reason for rejection.
Just a hypothesis, but have you guys tested clearing the “shopifyTestCookie” cookie?
I tested removing the “shopifyTestCookie” from my browser and it stopped showing stalled requests.
It also stopped showing “prefetch” queries. Maybe they use the cookies to pre-render stuff and something goes wrong when you don’t erase cookies after auth?
Also having the same issue. The headers are present but I notice that the first request is canceled when loading the app, did you ever get this resolved?
Hello, I don't know if it will help but, apart from the content
frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com
I see that you have a ";" at the very end. In my case I use only
frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com
I hope it helps
Cheers
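An added example, not part of any post in this thread and not Shopify's own code: a small checker that splits a Content-Security-Policy value the way browsers do (on ";", skipping empty tokens, so a trailing ";" produces no directive) and reports whether frame-ancestors lists the shop and admin origins quoted above. The function names, the `shopDomain` parameter and the sample header values are constructed for illustration.

```javascript
// Added example: validate the frame-ancestors directive of a CSP header value.
// Shop domain and header values below are constructed samples.

// Split a serialized policy into directives: split on ";", trim,
// skip empty tokens, and keep only the first occurrence of each name.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const token of headerValue.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue; // empty token, e.g. after a trailing ";"
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Return a list of problems with frame-ancestors for the given shop domain.
function checkFrameAncestors(headerValue, shopDomain) {
  const raw = parseCsp(headerValue || "").get("frame-ancestors");
  if (!raw) return ["no frame-ancestors directive"];
  const sources = raw.map((s) => s.toLowerCase());
  const required = [`https://${shopDomain.toLowerCase()}`, "https://admin.shopify.com"];
  const problems = required.filter((o) => !sources.includes(o)).map((o) => `missing ${o}`);
  for (const src of sources) {
    if (/[\[\]()]/.test(src)) problems.push(`malformed source ${src}`); // e.g. pasted link markup
    else if (src === "*" || src === "https:") problems.push(`overly broad source ${src}`);
    else if (!required.includes(src)) problems.push(`unexpected source ${src}`);
  }
  return problems;
}

const samples = [ // constructed header values
  "frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;",
  "frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com",
  "default-src 'self'; frame-ancestors https://other-shop.myshopify.com https://admin.shopify.com",
  "default-src 'self'",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", checkFrameAncestors(s, "shopify-dev.myshopify.com"));
}
```

Run it against the header your server returns for the exact shop that is loading the app, since the first source has to match that shop's domain.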
Bumping this question as I’m running into this myself now. In my case, I don’t get any errors regarding clickjacking, I just get the first cancelled request with 0 bytes. Second request is fine. Same payload, same everything.