A space to discuss GraphQL queries, mutations, troubleshooting, throttling, and best practices.
Hello,
I am looking for clarification regarding the following requirement from Shopify:
For merchant security, your app must not use pop-up windows for essential app functionality, like running OAuth or approving app charges. Avoiding the use of pop-up windows also protects your app from being compromised by pop-up blockers.
We used to use a pop-up for approving an app charge in Shopify; however, we had to remove it from our app due to this requirement. This is fine; however, directing merchants to accept the charge in the same window causes many issues and is a much worse experience for Shopify merchants, for the following reasons.
I understand that pop-ups can be blocked by pop-up blockers; however, we did a lot of A/B testing and found the best option for merchants was to use a pop-up, but to offer a fallback: "If you do not see a pop-up to accept the charge, click here". This way we were not relying on the pop-up, as we did give merchants the best possible experience and prevented a lot of frustration. This allowed merchants to continue the task they were working on before accepting the charge.
As stated, after an audit from Shopify we have removed the pop-up; however, this is a much worse experience for Shopify merchants, made worse only by our need to comply with this requirement. We were told by the auditor that opening the "Approve Charge" tab in a new window/tab is also not allowed and that it had to be done in place, meaning that the only option was to disrupt the user's in-progress actions.
I would like to propose that pop-ups be allowed for accepting application charges provided there is a fallback/backup available. This way apps can give merchants the best experience possible. This requirement feels like Shopify overstepping its control and ultimately, in our case, results in a frustrating experience for the Shopify merchant.
Can we please get some clarification as to whether it is OK to use a pop-up for accepting an application charge if a fallback is provided, or whether it is OK to use a new tab (target="_blank")? We work very hard to provide the best experience possible for Shopify merchants; however, this limitation is actively preventing us from doing so.