When the application frame is manually reloaded or the session expires, the app redirects the user to a standalone login UI (requesting the shop domain). After entering the domain, the application attempts to load accounts.shopify.com within the iframe, which is blocked by Shopify's X-Frame-Options: DENY (or Content-Security-Policy) headers. This results in a broken UI and a "refused to connect" error.
Steps to Reproduce
- Open the app within the Shopify Admin dashboard.
- Manually reload the iframe or trigger a session timeout.
- Observe the redirect to the internal "Log in" form.
- Enter a valid shop domain and click "Log in".
- The iframe displays a connection refused error.
Expected Behavior
The app should detect it is being loaded within an iframe and use a Top-level Redirect (using App Bridge or a script like window.top.location.href) to handle authentication outside of the iframe.
Visual Evidence
- Unexpected Login UI within Iframe:
- Connection Refused Error:
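
The top-level redirect described under Expected Behavior, as an added example that is not code from the app or from Shopify. The `/auth` route, the `*.myshopify.com` pattern and all function names are assumptions; the injected `win` object stands in for `window`.

```javascript
// Assumed shape of a shop domain; reject anything else so the
// login form cannot be used to redirect the top window elsewhere.
const SHOP_RE = /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/;

// True when the page runs inside a frame (e.g. the Shopify Admin iframe).
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // If reading win.top is denied, assume a cross-origin parent.
    return true;
  }
}

// Build the app's own auth entry URL (hypothetical /auth route) for a
// validated shop; returns null when the input is not a shop domain.
function buildAuthUrl(appOrigin, shop) {
  const host = String(shop).trim().toLowerCase();
  if (!SHOP_RE.test(host)) return null;
  const url = new URL("/auth", appOrigin);
  url.searchParams.set("shop", host);
  return url.href;
}

// Start authentication without ever loading the login page in the frame:
// when framed, navigate the top-level window instead of the iframe.
function startLogin(win, appOrigin, shop) {
  const target = buildAuthUrl(appOrigin, shop);
  if (target === null) return { ok: false, reason: "invalid-shop" };
  if (isFramed(win)) {
    win.top.location.href = target;
    return { ok: true, mode: "top-level", target };
  }
  win.location.href = target;
  return { ok: true, mode: "same-window", target };
}
```

Call `startLogin(window, location.origin, input.value)` from the "Log in" click handler: browsers generally allow a cross-origin frame to navigate the top window only in response to a user gesture.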