Shopify app review rejection – intermittent embedded app failure

Hi everyone,

Our embedded Shopify app has been recently rejected twice during app review because the reviewer encountered a page showing:

https://example.domain` took too long to respond`

The browser console contained the following errors:

Failed to execute 'postMessage' on 'DOMWindow':
The target origin provided ('https://example.domain')
does not match the recipient window's origin ('https://admin.shopify.com').

Unsafe attempt to load URL
https://example.domain/?embedded=1...
from frame with URL chrome-error://chromewebdata/.
Domains, protocols and ports must match.

We have not been able to reproduce this issue in our development environments or test stores. The app installation and OAuth flow consistently work when tested using our own Shopify accounts.

Our authentication route (auth.$.jsx) is straightforward:

import { boundary } from "@shopify/shopify-app-react-router/server";
import { authenticate } from "../shopify.server";

export const loader = async ({ request }) => {
  await authenticate.admin(request);
  return null;
};

export const headers = (headersArgs) => {
  return boundary.headers(headersArgs);
};

Based on the console output, our assumption is that the iframe failed to load, resulting in Chrome displaying chrome-error://chromewebdata. Because the embedded page never loaded successfully, App Bridge’s postMessage communication then failed due to the origin mismatch.

Has anyone experienced similar issues during Shopify app review or first-time app installations? Specifically, we’re trying to understand:

  • What conditions can cause an embedded app iframe to end up on chrome-error://chromewebdata?
  • Can intermittent delays or timeouts during /auth or /auth/callback lead to this behaviour?
  • Could redirects, session handling, CSP headers, or App Bridge initialization contribute to this issue?
  • Are the postMessage and “Unsafe attempt to load URL” messages usually symptoms of the failed page load rather than the underlying cause?
  • Does the Shopify review environment differ in ways that might expose issues not seen in development stores?

Hey @PIT_Solutions - thanks for reaching out.

From the error pattern, the `postMessage` and `chrome-error://chromewebdata` messages look like they may be follow-on symptoms after the embedded iframe failed to load as expected, rather than the root cause themselves.

Since this needs app-specific context, the best next step is to open an authenticated ticket with Shopify Support at help.shopify.com so we can take a look at the specifics of your setup and advise further.

Hope this helps!

@Alan_G. Can you please help me on this?

Wes has already guided you on next steps, so please don’t tag another Shopify staff member that hasn’t already engaged in the thread.

Hi @PIT_Solutions

As Luke mentioned above, next steps were already provided. Also, please do not tag Shopify staff - this is covered in our code of conduct: