Full Third-Party Cookie Blocking and More:
Does Shopify have an approach for getting embedded apps to work in Safari on the latest release?
Disabling the privacy option 'Prevent cross-site tracking' allows the apps to work, but we're looking for a solution that doesn't require users to change the default settings.
We managed to work around the restrictions in the previous release (by redirecting to the top window and setting a first-party cookie) but I can't see a way yet with these changes. There is reference to using the Storage Access API, but this requires sandbox tokens applied to the 'iframe' element in Shopify.
Has anyone else tackled this issue?
Solved! Go to the solution
This is an accepted solution.
The embedded app iframe isn't sandboxed, so there's no sandbox token to be added. Calling the Storage Access API will just work, give it a try! We use it in the apps we build internally (with some exceptions that have regrettably not updated as quickly as they should have).
This is an accepted solution.
I went through the 'Build a Shopify App with Node and React' tutorial:
and the result doesn't work in Safari 13.1 -- I get into an endless redirect loop. So I suspect the 'koa-shopify-auth' library needs to be patched.
I wrote up how we fixed our apps:
We don't use either of the Shopify-provided libraries since our apps have a .NET Core (C#) backend but I hope this help others.
Thanks for getting back to me. My Safari 12 is set to the default settings as far as I can tell. "Block All Cookies" breaks most websites including Shopify, so I don't think that is the issue. Disabling "Prevent Cross-Site Tracking" also did not help.
I tested the same demo app on another iPad with Safari 13 and it works fine, and it works fine with Chrome on Windows and Android. I haven't made any changes to the Shopify Node React demo App other than adding the API and Secret keys to the .env file and updating koa-shopify-auth and other dependencies to the latest version.
Just to make sure, I retested on Safari on yet another iPad with iOS 12.4.7 (my iPad has iOS 12.4.8) with the same result. It always fails with an empty shop= parameter at https://xxxxxx.ngrok.io/auth/inline
GET /auth/inline 400 Bad Request
I could ask merchants to update iOS on their devices but that isn't a good solution, especially since older iPad Airs and iPad 2s will not get the iOS 13/iPadOS 13 update.
Thanks for looking in to this.
In reply to your question to me in another thread...
My solution for getting embedded Shopify apps with Safari to work (referenced in this thread) is now outdated. You should be using session tokens instead of relying on third-party cookies. I believe this is now a requirement for all new apps, in order to get through the app review process.
Here's information on session tokens:
When we went through the process, I found Shopify's documentation a little confusing for the front-end React components. But we sorted it out in the end. Our app now uses session tokens for authentication -- and we're using C# .NET Core in the backend, like you. We use the ShopifySharp library to help with the OAuth2 flow, but we don't use it to validate the session tokens.
Hope this helps,
@sleyhane thank you for answering. We have read about appbridge and jwt tokens but we are still confused what changes we need in existing app, which is developed on top of shopifysharp. We are using VanillaJS with Bootstrap on frontend and Backend is developed in Asp.net MVC.
Can you provide us some instructions or code boilerplate because shopify documentation is confusing us and there are no help documents for dot net. We may also need to write some articles so we can help dot net community, which is interested in shopify development.