Issue with Embedded App - CSP Directive Error

Topic summary

Issue: An embedded Shopify app fails to load when third‑party cookies are disabled, showing a browser console error: “Refused to frame 'https://jalpi-app.myshopify.com/' because an ancestor violates the Content Security Policy directive: "frame-ancestors 'none'".” A screenshot is referenced as evidence.

Context: The app works correctly when third‑party cookies are enabled, indicating a reliance on cookie-based authentication.

Technical note: The CSP directive frame-ancestors 'none' prevents a page from being embedded in any iframe, which breaks embedded app rendering when cookies are blocked. Using cookies for auth can fail in privacy-restrictive browser settings.

Recommendation: Adopt Shopify App Bridge and session tokens (short-lived tokens passed client-side) to avoid cookie dependency and provide more robust authentication.

Outcome/Status: No fix has been implemented yet. The suggested next step is to migrate to App Bridge with session tokens per Shopify’s documentation; the thread remains open pending confirmation of resolution.

Summarized with AI on December 23. AI used: gpt-5.

Dear Shopify Support Team,

I am reaching out to seek assistance with an issue I am encountering in my Shopify embedded app. My embedded app works correctly when third-party cookies are enabled. However, when third-party cookies are disabled, I receive an error, and my page is refused.

The error message displayed in the browser’s console is as follows:

Refused to frame 'https://jalpi-app.myshopify.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

I have attached a screenshot of the error for your reference.

Could you please provide guidance on how to resolve this issue? Any help or suggestions to overcome this problem would be greatly appreciated.

Hi Brijesh,

It sounds like you are not using Shopify App Bridge - this model allows you to use session tokens instead of relying on cookies. I’d recommend using App Bridge for a more robust authentication process.
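
An added example (not part of the thread and not Shopify's library code) of what the reply's recommendation implies on the server: verify the App Bridge session token sent with each request instead of reading a cookie, then emit a per-shop frame-ancestors value rather than 'none'. The function names, the 5-second clock skew and the sample values are assumptions; the claim names (iss, dest, aud, exp, nbf) follow Shopify's documented session-token payload.

```javascript
const crypto = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns the verified claims or throws. apiKey/apiSecret are the app's client ID
// and client secret; `now` (seconds) is injectable so the check can be tested.
function verifySessionToken(token, apiKey, apiSecret, now = Date.now() / 1000) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  // Pin the algorithm; never let the token header choose it.
  if (b64urlJson(head).alg !== 'HS256') throw new Error('unexpected alg');
  const expected = crypto.createHmac('sha256', apiSecret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = b64urlJson(body);
  const skew = 5; // assumed tolerance in seconds
  if (!(claims.exp > now - skew)) throw new Error('expired');
  if (claims.nbf > now + skew) throw new Error('not yet valid');
  if (claims.aud !== apiKey) throw new Error('wrong audience');
  // iss and dest must name the same shop, and it must be a myshopify.com host.
  const dest = new URL(claims.dest);
  const iss = new URL(claims.iss);
  if (dest.protocol !== 'https:' || dest.hostname !== iss.hostname ||
      !/^[a-z0-9][a-z0-9-]*\.myshopify\.com$/.test(dest.hostname)) {
    throw new Error('shop mismatch');
  }
  return claims;
}

// CSP value that lets only this shop's admin frame the app (instead of 'none').
function frameAncestors(claims) {
  return `frame-ancestors https://${new URL(claims.dest).hostname} https://admin.shopify.com;`;
}

// Constructed helper: signs a sample token so the verifier can be exercised offline.
function signSample(claims, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const unsigned = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${unsigned}.${crypto.createHmac('sha256', secret).update(unsigned).digest('base64url')}`;
}
```

The header value is derived from the verified dest claim, so a request without a valid token never gets a permissive frame-ancestors policy.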