Shopify_app: Safari 13.0.4 refreshes 3 times, and returns Shopify Admin error: "The application can鈥檛 be loaded with the current version of Safari, try clearing your cookies or using another browser"

Created on 19 Dec 2019  路  31Comments  路  Source: Shopify/shopify_app

Steps to reproduce:

  1. Set up the clean Shopify app on Rails 5.x using the shopify_app setup instructions.
  2. Run the app, and tunnel using Ngrok.
  3. Open it on Chrome - see that the sample works.
  4. Open the Safari 13.0.4.
  5. Go to Safari Preferences -> Privacy -> Manage Website Data and clear all the data related to domains ngrok and myshopify.com.
  6. Make sure that in Safari Privacy preferences it's not blocking cookies and not preventing cross-site tracking:
    Screenshot 2019-12-19 at 19 39 15
  7. Open the app via Shopify Admin on Safari 13.0.4.
  8. See that it shows the full-screen page telling: "Your browser needs to authenticate My Shopify App".
    Screenshot 2019-12-19 at 19 15 56
  9. Press the blue "Continue" button.

  10. See that the browser loops the redirect 3 times, and then Shopify Admin shows the error toast:
    _The application can鈥檛 be loaded with the current version of Safari, try clearing your cookies or using another browser_.

Screenshot 2019-12-19 at 19 17 00

Expected result:

When opening with Safari, after pressing "Continue" on the page "Your browser needs to authenticate My Shopify App", it should show another page inside the iframe asking to press the button there telling that it needs to accept cookies.
Then Safari should show the ITP cookies confirmation popup.
But that is not happening.

Alternatives attempted:

  • Clearing all cookies and website data - same result.
  • Opening Safari in Private Window - same result.
  • Tried with Safari Technology Preview Release 97 (Safari 13.1, WebKit 15609.1.11.4) - there it just refreshed once, and opened the app. It didn't ask to confirm cookies, even though I set to disable all 3rd party cookies (ITP) under Develop -> Experimental features.

Proof that others have this issue

During the last 2 days we had at least 4 customers complaining about the same issue.

Most helpful comment

Okay, I have found someone who is working on a fix for this. I have asked them to update you here. @uurcankaya you are right in that it is the cross-site tracking protection that is preventing your cookie storage. Also, the message that you are seeing @marisveide is our loop detector which is probably happening because the cookie cannot be persisted. I hope to have an update for you soon

All 31 comments

Hi, @gilbermatt !

I am working on this, yes - trying to fix the issue in the Excelify app, but so far cannot.
It looks like it is implemented in shopify_app gem, but probably for this particular Safari version, it kind of is not working as expected.

So I was hoping you guys, who made that implementation of ITP handling, could look into that.

@gilbermatt - I feel the same way, man! 馃憤

Thanks for pushing this forward - our mutual customers will appreciate that a lot.

I'm experiencing the same issue on my shop

Sorry for bugging, but can we have some update on this?
How are things going on this change?
Getting worried, people still can't use Safari with apps, and it's getting worse...

I am experiencing something similar when using Chrome 80.0.3987.42.

The application can鈥檛 be loaded, check that your browser allows third-party cookies

Firefox has no issues.

Hey 馃憢 What version of the Gem are you using?

Hey 馃憢 What version of the Gem are you using?
11.7.0

@tanema I am running into an infinite loop in Safari.

granted_storage_access method in sessions_controller has redirect_to a "return" URL, which in my case the root_url protected by ShopifyApp::Authenticated

ShopifyApp::Authenticated method redirects the user back to the login route. I guess since no cookie is registered in Safari, it is not able to detect any session, which then loops back into granted_storage_access

I could not figure out what method is supposed to detect that the storage access is granted.

session['shopify.granted_storage_access'] seems like always nil in Safari

That seems to point toward an issue with persisting the session cookie on safari. What version of safari are you using. I will try and look into this soon

Edit, I guess 13 since this issue isnt that old

Safari: Version 13.0.4 (15608.4.9.1.3)
That's the latest.

And we have several clients complaining that for them also it doesn't work.
And for our colleagues with Safari also it doesn't work - the same thing as in my screenshots.

Can you not repeat that issue?

I am testing on 13.0.4, and my apps work however all my apps have been updated to rails 6. Also what version of shopify_app are you on?

shopify_app: 11.7.0
rails: 5.2.4.1

@tanema I just noticed that the machine I am testing with has "cross-site tracking" protection enabled under Safari privacy settings. Once that is disabled, all works as expected.

when this setting is on, session['shopify.granted_storage_access'] cookie is never persisted.

I think we can redirect the user to another warning page (just like enable cookie warning) by checking whether this cookie is present in sessions_controller > request_access_storage method

Otherwise, most users will think the apps are broken.

I am testing with

rails 6.0.1.2
omniauth gem 2.2.0
shopify_app: 11.7.1
Safari: 13.0.4

Okay, I have found someone who is working on a fix for this. I have asked them to update you here. @uurcankaya you are right in that it is the cross-site tracking protection that is preventing your cookie storage. Also, the message that you are seeing @marisveide is our loop detector which is probably happening because the cookie cannot be persisted. I hope to have an update for you soon

Hi folks, I'm looking to get an update on this.

If I'm not mistaken it could have been resolved with #1039, may I get that confirmed.

Thanks

@Smithnation haven't tested the entire scope of the issue but I just checked Point of Sale channel section that was affected by this and it is indeed fixed now

Hello, @Smithnation !
For us it looks to be working in the embedded app.
Will keep monitoring client complaints, but basically - we ourselves now cannot replicate that looping refresh issue anymore.

Thanks!

Awesome. Please re-open the issue if it appears again. Thanks for checking back in on the issue

Hi folks! This seems to have re-emerged with Safari 13.1

Disabling cross-site tracking still works to solve it, but it's not an ideal way to fix.

It seems like this is the issue here. https://github.com/Shopify/shopify_app/issues/944 I will try to have a fix for this soon.

FYI - I have cross-site tracking disabled and I still experienced the error in Safari, also in Shopify iOS when loading the embedded app. Clearing ALL cookies from the app domain allowed me to launch it successfully.

Does this gem generate a session_store.rb file ? If so the cookie key is the same for all apps. Can this be the reason for the cookie conflict?

Perhaps we can use something like this:

Rails.application.config.session_store(:cookie_store, key: ShopifyApp.configuration.application_name , expire_after: 14.days)

Continuing to see this issue in Safari 13.1 where app is stuck in cookie redirect loop as safari now blocks third party cookies by default. Hoping to get patch from Shopify soon in koa-auth or app bridge.

Upgrading koa-shopify-auth package to v3.1.61 fixed infinite cookie redirect loop on Safari 13.1

Hi team. Have another merchant experiencing the redirect loop, followed by "The application can鈥檛 be loaded with the current version of Safari, try clearing your cookies or using another browser" error. As Alan mentioned, disabling Prevent cross-site tracking does seem to work, but not sure if that is ideal.

Video with cross-site tracking disabled
Video with cross-site tracking enabled

Internal

Zendesk | AdequateDesk

My customers are experiencing the same issue. I have upgraded to shopify_app 13.0.4 but this has not resolved the problem

Hey folks, I have another merchant reaching out about this and a number of TMS agents have been able to replicate on their test stores when attempting to open digital downloads

Internal: https://app.shopify.com/services/internal/shops/11977261118
Zendesk

Issues loading apps in Safari usually fall into one of three categories:

  1. The user has fully disabled third-party cookies.
  2. The app is not on the latest version of shopify_app.
  3. The app has modified the auth flow in a way that bypasses some of the Safari ITP cookie logic.

We know getting Safari's ITP right is a challenge, which is why we're working on a solution that doesn't require cookies to function (see: https://twitter.com/jmwind/status/1256249454430224386). It's in beta with a limited number of apps right now, and we plan to get it to you this summer. Stay tuned!

@ragalie - Any word on this? I'm getting pummelled by my customers at the moment.

It doesn't help that the error messages imply it's the app developer's fault. Perhaps you could look at re-wording that too.

Hi @peterfealey! Yes, our alternative solution is in public beta, give it a look! https://shopify.dev/tools/app-bridge/authentication

Thanks @ragalie 鉁岋笍

Was this page helpful?
0 / 5 - 0 ratings

Related issues

skillmatic-co picture skillmatic-co  路  6Comments

robbyklein picture robbyklein  路  4Comments

MisinformedDNA picture MisinformedDNA  路  6Comments

arialblack14 picture arialblack14  路  5Comments

matias-eduardo picture matias-eduardo  路  6Comments