Hi Shopify Developers,
I’ve been stuck on this issue for almost two weeks, and the Shopify app review team keeps rejecting my app with the feedback that it must run inside Shopify Admin without relying on 3rd-party cookies.
The thing is, my app does not use any cookies at all. I’ve already shared proof from the browser’s network tab confirming this. I’m also using the Shopify App Bridge library and its token for making API requests to my backend.
However, when 3rd-party cookies are disabled, the browser console still shows a CSP (Content Security Policy) error. I don’t understand why this happens, because I already have a CSP set up in my app. In the network tab, it clearly shows that my CSP allows Shopify Admin and Shopify-related domains.
Despite all this, the review team is unable to provide guidance, and my app keeps getting rejected. Can anyone here help me identify what I might be missing or misconfiguring?
Screencast of the problem
Thanks in advance!
Hey @Muhammad_Faisal,
This looks like it could be a configuration issue. Based on the symptoms you’re describing, there are two key areas to check:
App configuration Redirect URLs: Verify that your redirect URLs match your deployed app’s URLs (this can be set in either the partner dashboard or your app configuration file).
Dynamic CSP Frame-Ancestors: I noticed in your video that you have a wildcard set here. Your CSP frame-ancestors directive must be set dynamically for each shop installing your app. The header needs to look like Content-Security-Policy: frame-ancestors https://specific-shop.myshopify.com https://admin.shopify.com; and must be different for every shop. This directive needs to be set on all HTML responses from your app, not just the main route.
Check the iframe protection setup guide for the complete implementation details.
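A minimal per-shop frame-ancestors implementation of the advice above, as an added example (not code from the original thread or from Shopify's own guide). It is written for a Node backend in Express style, but against plain request/response objects so it runs without Express. The validation regex, the 'none' fallback for requests with no usable shop value, and the helper names are this example's own assumptions.

```javascript
// Added example: dynamic Content-Security-Policy frame-ancestors for an
// embedded Shopify app. Not from the original post; the regex and the
// fallback policy are assumptions made for this illustration.

// Shopify Admin passes the installing store as the `shop` query parameter,
// e.g. specific-shop.myshopify.com. Only that hostname shape is accepted,
// so a caller cannot smuggle an extra origin (or a wildcard) into the header.
const SHOP_DOMAIN_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i;

// Returns the normalised shop hostname, or null if it is not well formed.
function validateShopDomain(shop) {
  if (typeof shop !== 'string') return null;
  const s = shop.trim().toLowerCase();
  return SHOP_DOMAIN_RE.test(s) ? s : null;
}

// Builds the CSP value for one shop. The value differs for every store;
// there is deliberately no wildcard and no static list of shops.
function buildFrameAncestors(shop) {
  const domain = validateShopDomain(shop);
  if (!domain) {
    // Assumption: with no valid shop we refuse framing entirely rather
    // than fall back to a permissive policy.
    return "frame-ancestors 'none';";
  }
  return `frame-ancestors https://${domain} https://admin.shopify.com;`;
}

// Express-style middleware (req, res, next). Mount it before every route
// so the header reaches all HTML responses, not just the main one.
function frameAncestorsMiddleware(req, res, next) {
  const shop = req.query ? req.query.shop : undefined;
  res.setHeader('Content-Security-Policy', buildFrameAncestors(shop));
  next();
}

// Constructed request/response objects so the middleware can be exercised
// offline; they mirror the subset of Express's API used above.
function demo(shopParam) {
  const req = { query: { shop: shopParam } };
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  frameAncestorsMiddleware(req, res, () => {});
  return headers['Content-Security-Policy'];
}
```

In a real app this would be `app.use(frameAncestorsMiddleware)` ahead of all routes. Routes that are reached without a `shop` query parameter (in-app navigation, for example) should obtain the shop from the app's own session state, which is outside this example; the point to keep is that a request with no trustworthy shop value must never be answered with a wildcard.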
Hey @Muhammad_Faisal, are you still experiencing this issue, or can I mark this as solved?