This is a critical bug in the Checkout Extensions system.
This means any Checkout Extensions are breaking customer checkouts if a fetch call is dependent on allowing the customer to continue through checkout.
Reproduction steps:
1. In a Checkout Extension, enable API access
2. Perform a fetch call to any HTTP endpoint in the Checkout Extension
3. Observe the "fetch is not allowed" error
This is a huge issue for any Checkout Extension that also uses Buyer Journey Intercepts to block checkout until the customer performs some required action / validation by the extension.
It looks as if the web worker functionality isn’t acknowledging that the permission has been set in the config, and as a result is throwing an error and blocking the request.
```js
try {
  /*
    this error should only be surfaced if a developer attempts to
    subvert `getFetch` by postMessaging out of their extensions' web
    worker to attempt to call this directly
  */
  if (!allowNetworkAccess) {
    throw new Error('fetch is not allowed');
  }
  /*
    Don't allow the workers to read content from the iframe origin,
    https://extensions.shopifycdn.com, as this wouldn't require CORS.
  */
  if (new URL(url).origin === window.location.origin) {
    throw new Error('fetch to the iframe origin not allowed.');
  }
  if (new URL(url).protocol !== 'https:') {
    throw new Error('URL must be secure (HTTPS)');
  }
} catch (error) {
  returnPort.postMessage({error});
  returnPort.close();
  return;
}
```
The exact error in the try block is the one for where the allowNetworkAccess property is set to false. Something is going awry inside the web worker logic.
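The guard order from the excerpt in the post above, restated as a pure function so it can be exercised offline; this is an added example, not part of the original post and not Shopify's code. `checkExtensionFetch`, `hostOrigin`, the `invalid URL` reason and the sample URLs are assumptions made for illustration; it shows that when the capability flag never reaches the host side, every request fails with the same first error regardless of the URL.

```javascript
// Added illustration; mirrors the three checks in the excerpt, in the same order.
// hostOrigin stands in for window.location.origin of the extension iframe.
function checkExtensionFetch(url, { allowNetworkAccess, hostOrigin }) {
  // Capability gate runs first: a flag that is false OR was never propagated
  // (undefined) is denied before the URL is even looked at.
  if (!allowNetworkAccess) {
    return { ok: false, reason: 'fetch is not allowed' };
  }
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    // Assumption: the excerpt would surface the URL parser's own TypeError here.
    return { ok: false, reason: 'invalid URL' };
  }
  // Same-origin reads would not be subject to CORS, so they are refused.
  if (parsed.origin === hostOrigin) {
    return { ok: false, reason: 'fetch to the iframe origin not allowed.' };
  }
  if (parsed.protocol !== 'https:') {
    return { ok: false, reason: 'URL must be secure (HTTPS)' };
  }
  return { ok: true, reason: null };
}

// Constructed sample inputs (api.example.com is a placeholder endpoint).
const HOST = 'https://extensions.shopifycdn.com';
const CASES = [
  ['flag missing, valid URL', 'https://api.example.com/validate', undefined],
  ['flag missing, bad URL', 'not a url', undefined],
  ['flag set, iframe origin', HOST + '/asset.js', true],
  ['flag set, plain HTTP', 'http://api.example.com/validate', true],
  ['flag set, valid URL', 'https://api.example.com/validate', true],
];

// Returns one row per case so the outcome can be inspected or asserted on.
function runCases() {
  return CASES.map(([label, url, allowNetworkAccess]) => ({
    label,
    ...checkExtensionFetch(url, { allowNetworkAccess, hostOrigin: HOST }),
  }));
}

for (const row of runCases()) {
  console.log(`${row.label}: ${row.ok ? 'allowed' : row.reason}`);
}
```

The first two rows produce the identical reason, which matches the symptom reported above: the error says nothing about the URL, only that the host side saw a falsy capability flag.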