diff --git a/lib/shopify_app/login_protection.rb b/lib/shopify_app/login_protection.rb
index 3b7410b2e..0d704ef9e 100644
--- a/lib/shopify_app/login_protection.rb
+++ b/lib/shopify_app/login_protection.rb
@@ -79,9 +79,12 @@ def redirection_javascript(url)
 // If the current window is the 'child', change the parent's URL with postMessage
 } else {
+ normalizedLink = document.createElement('a');
+ normalizedLink.href = #{url.to_json};
+
 data = JSON.stringify({
 message: 'Shopify.API.remoteRedirect',
- data: { location: window.location.origin + #{url.to_json} }
+ data: { location: normalizedLink.href }
 });
 window.parent.postMessage(data, "https://#{sanitized_shop_name}");
 }
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index f95917a52..24a6cf725 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -172,10 +172,12 @@ def assert_redirected_to_authentication(shop_domain, response)
 target_origin = "https://#{shop_domain}".to_json
 post_message_handle = "message: 'Shopify.API.remoteRedirect'"
- post_message_data = "data: { location: window.location.origin + #{auth_url} }"
+ post_message_link = "normalizedLink.href = #{auth_url}"
+ post_message_data = "data: { location: normalizedLink.href }"
 post_message_call = "window.parent.postMessage(data, #{target_origin});"
 assert_includes response.body, post_message_handle
+ assert_includes response.body, post_message_link
 assert_includes response.body, post_message_data
 assert_includes response.body, post_message_call
 end
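Review bot: The location posted to the parent is now whatever `normalizedLink.href` resolves to, so it is no longer tied to the app's own origin the way `window.location.origin + url` was. An absolute, protocol-relative or non-HTTP value in `url` passes through unchanged. The callers of `redirection_javascript` are outside this hunk, so it is not visible whether `url` can carry request-derived input. If it can, a scheme check before building `data`, for example `if (!/^https?:$/.test(normalizedLink.protocol)) { throw new Error('unexpected redirect scheme'); }`, would keep the redirect to web URLs, and comparing `normalizedLink.host` against the app host and `sanitized_shop_name` would be tighter. Separately, `normalizedLink` is assigned without a declaration and becomes an implicit global; `var normalizedLink = document.createElement('a');` avoids that.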
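Review bot: The updated assertions in `assert_redirected_to_authentication` only check that the literal script fragments `normalizedLink.href = ...` and `data: { location: normalizedLink.href }` appear in the response body, so nothing here pins which URL the anchor actually resolves to. `auth_url` is defined outside the hunk; if it is a relative path, a second case with an absolute URL (the input the new code appears to be meant for) would cover the changed behaviour. A short comment above `post_message_link`, such as `# location is resolved client-side via an <a> element; only the emitted script text is checked here`, would make that limit explicit.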