Strange Redirect Loop In Safari and Firefox Only When Accessing My App

Topic summary

Embedded Shopify apps enter a redirect loop in Safari/Firefox (Chrome unaffected), sometimes triggering a Content Security Policy error. Network traces and a video/screenshot show OAuth redirects behaving differently across browsers, likely due to newer privacy features (e.g., third‑party cookie restrictions).

Main causes identified:

  • Redirecting to Shopify’s OAuth inside the embedded iframe, which is blocked by Shopify admin’s framing/CORS rules.
  • Missing/incorrect Whitelisted Redirect URLs (admin URL not included).
  • Cookie settings (SameSite/Secure) and a test-cookie redirect in @shopify/shopify-express causing loops.

Fixes reported to work:

  • Implement Shopify’s recommended auth flow: escape the iframe (parent redirect) before sending users to the OAuth URL (per shopify.dev OAuth guide).
  • Update app-bridge and/or koa-shopify-auth to latest versions.
  • Add the app’s admin URL to the Whitelisted Redirect URLs.
  • Set appropriate session cookie sameSite and secure values; remove the test-cookie top-level redirect snippet in shopify-express.
  • Ensure you check for an existing token and route to the main page when present.

Status/outcome:

  • Original poster resolved the issue by adding the admin URL to the whitelist.
  • Others report success after adopting the iframe-escape OAuth flow. Some still note Safari’s cookie blocking; one user suggests Firefox site exceptions (a user-side workaround). Discussion partially resolved; Shopify docs on iframe protection/OAuth are referenced.
Summarized with AI on January 14. AI used: gpt-5.
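
The iframe-escape redirect and the cookie attributes listed under the fixes above, shown as an added example (not code from this thread or from Shopify's libraries). The handler shape, the cookie name `oauth_state`, the config fields and the shop-domain pattern are assumptions; the caller is assumed to supply `state` from a CSPRNG and to verify it on the OAuth callback.

```javascript
// Added example: handler shape, cookie name and config fields are assumptions.
// Only accept a shop parameter that is a bare *.myshopify.com host, so the
// redirect target cannot be steered to another site.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Build the OAuth authorize URL on the shop's own domain.
function buildAuthorizeUrl(shop, cfg, state) {
  const params = new URLSearchParams({
    client_id: cfg.apiKey,
    scope: cfg.scopes,
    redirect_uri: cfg.redirectUri, // must match an allowed redirect URL of the app
    state,
  });
  return `https://${shop}/admin/oauth/authorize?${params}`;
}

// HTML that navigates the top-level window instead of the embedded iframe.
function iframeEscapePage(url) {
  // JSON.stringify plus "<" escaping keeps the URL from closing the script tag.
  const safe = JSON.stringify(url).replace(/</g, "\\u003c");
  return `<!DOCTYPE html><script>
var u = ${safe};
if (window.top === window.self) { window.location.assign(u); }
else { window.top.location.href = u; }
</script>`;
}

// Cookie for an app loaded inside the admin iframe: browsers only send it in
// that cross-site context with SameSite=None, which in turn requires Secure.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Framework-neutral handler: returns what the auth route should send.
function beginAuth(query, cfg, state) {
  const shop = String(query.shop || "");
  if (!SHOP_RE.test(shop)) {
    return { status: 400, headers: {}, body: "invalid shop parameter" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "text/html; charset=utf-8",
      "Set-Cookie": sessionCookie("oauth_state", state),
    },
    body: iframeEscapePage(buildAuthorizeUrl(shop, cfg, state)),
  };
}
```

Returning a 200 page that sets `window.top.location` replaces a 302 to the authorize URL, which the browser would otherwise try to load inside the frame.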

Edit: Just found this => https://shopify.dev/docs/apps/store/security/iframe-protection

You know, this might work just fine for us as developers, but it’s not quite the perfect fit for a Shopify shop owner. There’s got to be a preferred way from Shopify that doesn’t result in this error. It’s particularly important since everything runs just as it’s described in the API documentation.