I am using Asp.net C# webform, and developing Shopify embedded app code for installation and authorization. I have created the Install and Auth (redirect callback) in ApiController. When I was using this code [System.Web.Http.AcceptVerbs("GET")] [System.Web.Http.Route("api/shopify/install")] public IHttpActionResult Install(string shop) { logger.Info("Start Install : "); //string req = string.Format("https://{0}/admin/oauth/authorize?client_id={1}&scope={2}&redirect_uri=https://{3}/api/shopify/auth", shop, AppKey, Scope, CurrentURL); var installUrl = $"https://{shop}/admin/oauth/authorize" + $"?client_id={AppKey}&scope={Scope}&redirect_uri=https://{CurrentURL}/api/shopify/auth"; return Redirect(installUrl); } Auth function [System.Web.Http.AcceptVerbs("GET")] [System.Web.Http.Route("api/shopify/auth")] public HttpResponseMessage auth(string shop, string code, string host) { logger.Info("Start auth"); if (!VerifyShopifyRequest(null)) { logger.Info("install method: Unauthorized shopify request"); //return Redirect($"https://{shop}/admin/apps"); return new HttpResponseMessage(HttpStatusCode.Unauthorized) { Content = new StringContent(Helper.ApiResponse("error", "Unauthorized")) }; } var AccessToken = GetToken(shop, code); HttpResponseMessage responseUrl = null; string WebHookToken = Guid.NewGuid().ToString("N").ToLower(); #region Insert Details to our Database if (AccessToken != null) { //got the Access token responseUrl = SetWebHookDynamic(shop, AccessToken, WebHookToken); return responseUrl; } The code was installed and authorized the app successfully, the issue is that this code is not working when I enable "Block third-party cookies" . It's getting me an error Refused to frame 'xx.myshopify.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'". Then I used Appbridge for solve this error and create the install function like this. Install Function [System.Web.Http.AcceptVerbs("GET")] [System.Web.Http.Route("api/shopify/install")] public HttpResponseMessage install(string shop, string host = "") { logger.Info("Start Install : "); if (!VerifyShopifyRequest(null)) { logger.Info("install method: Unauthorized shopify request"); return new HttpResponseMessage(HttpStatusCode.Unauthorized) { Content = new StringContent(Helper.ApiResponse("error", "Unauthorized")) }; } string authRedirectUrl = string.Format("https://{0}/admin/oauth/authorize?client_id={1}&scope={2}&redirect_uri=https://{3}/api/shopify/auth", shop, AppKey, Scope, CurrentURL); string htmlContent = $@" <!DOCTYPE html><html><head> </head><body></body> <script src='https://unpkg.com/@shopify/app-bridge@3'></script> <script type='text/javascript'> document.addEventListener('DOMContentLoaded', function () {{ var AppBridge = window['app-bridge']; var createApp = AppBridge.default; if (window.top == window.self) {{ window.location.assign('{authRedirectUrl}'); }} else {{ var app = createApp({{ apiKey: '{AppKey}', host: '{host}', shopOrigin: '{shop}', forceRedirect: true }}); var Redirect = AppBridge.actions.Redirect; Redirect.create(app).dispatch(Redirect.Action.REMOTE, '{authRedirectUrl}'); window.location.assign('{authRedirectUrl}'); }} }}); </script></html>"; return new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(htmlContent, System.Text.Encoding.UTF8, "text/html") }; } When I am running the code it's working and authorized successfully but It goes out of the embedded app means it did not come within the Iframe but Shopify needs that either its app would be either fully embedded or non Embedded. As I have cross checked, the ApiKey, SecretKey, Scope, and Redirect URL is correct. Could you please lookout this issue ? Let me know if you need further information or something