From d4816953856d4d3d381208072f59ecf836a197d4 Mon Sep 17 00:00:00 2001 From: SokratisVidros Date: Wed, 31 Jan 2024 16:42:26 +0200 Subject: [PATCH 1/2] fix(clerk-js): Fix same site in ClerkJS cookies __client_uat is samesite=none __session is samesite=lax __clerk_db_jwt is samesite=lax __initted is samesite=lax Fixes https://github.com/clerk/javascript/pull/2668 --- packages/clerk-js/src/utils/cookies/handler.ts | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/packages/clerk-js/src/utils/cookies/handler.ts b/packages/clerk-js/src/utils/cookies/handler.ts index c592bf27f2f..6e46fb7de7d 100644 --- a/packages/clerk-js/src/utils/cookies/handler.ts +++ b/packages/clerk-js/src/utils/cookies/handler.ts @@ -9,11 +9,6 @@ import { devBrowserCookie } from './devBrowser'; import { inittedCookie } from './initted'; import { sessionCookie } from './session'; -const DEFAULT_SAME_SITE = 'Lax'; -const IFRAME_SAME_SITE = 'None'; - -const COOKIE_PATH = '/'; - export type CookieHandler = ReturnType; export const createCookieHandler = () => { // First party cookie helpers @@ -22,16 +17,16 @@ export const createCookieHandler = () => { const setDevBrowserInittedCookie = () => inittedCookie.set('1', { expires: addYears(Date.now(), 1), - sameSite: inSecureCrossOriginIframe() ? IFRAME_SAME_SITE : DEFAULT_SAME_SITE, + sameSite: inSecureCrossOriginIframe() ? 'None' : 'Lax', secure: inSecureCrossOriginIframe() ? true : undefined, - path: COOKIE_PATH, + path: '/', }); const removeSessionCookie = () => sessionCookie.remove(); const setSessionCookie = (token: string) => { const expires = addYears(Date.now(), 1); - const sameSite = inSecureCrossOriginIframe() ? IFRAME_SAME_SITE : DEFAULT_SAME_SITE; + const sameSite = inSecureCrossOriginIframe() ? 'None' : 'Lax'; const secure = inSecureCrossOriginIframe() || window.location.protocol === 'https:'; return sessionCookie.set(token, { @@ -47,7 +42,7 @@ export const createCookieHandler = () => { const setClientUatCookie = (client: ClientResource | undefined) => { const expires = addYears(Date.now(), 1); - const sameSite = inSecureCrossOriginIframe() ? IFRAME_SAME_SITE : DEFAULT_SAME_SITE; + const sameSite = inSecureCrossOriginIframe() ? 'None' : 'strict'; const secure = inSecureCrossOriginIframe() || window.location.protocol === 'https:'; // '0' indicates the user is signed out @@ -67,7 +62,7 @@ export const createCookieHandler = () => { const setDevBrowserCookie = (jwt: string) => { const expires = addYears(Date.now(), 1); - const sameSite = inSecureCrossOriginIframe() ? IFRAME_SAME_SITE : DEFAULT_SAME_SITE; + const sameSite = inSecureCrossOriginIframe() ? 'None' : 'Lax'; const secure = inSecureCrossOriginIframe() || window.location.protocol === 'https:'; return devBrowserCookie.set(jwt, { From 4c5ee8629d344b81dcc56735e9e5756723bcfa42 Mon Sep 17 00:00:00 2001 From: Nikos Douvlis Date: Thu, 1 Feb 2024 21:22:06 +0200 Subject: [PATCH 2/2] Create slow-carrots-eat.md --- .changeset/slow-carrots-eat.md | 5 +++++ packages/clerk-js/src/utils/cookies/handler.ts | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 .changeset/slow-carrots-eat.md diff --git a/.changeset/slow-carrots-eat.md b/.changeset/slow-carrots-eat.md new file mode 100644 index 00000000000..2602efd5daf --- /dev/null +++ b/.changeset/slow-carrots-eat.md @@ -0,0 +1,5 @@ +--- +'@clerk/clerk-js': patch +--- + +Update cookie setting to ensure cookies can be set to be read when an application is embedded in an iframe. diff --git a/packages/clerk-js/src/utils/cookies/handler.ts b/packages/clerk-js/src/utils/cookies/handler.ts index 6e46fb7de7d..9139d9b216b 100644 --- a/packages/clerk-js/src/utils/cookies/handler.ts +++ b/packages/clerk-js/src/utils/cookies/handler.ts @@ -82,9 +82,9 @@ export const createCookieHandler = () => { const ssoCookie = clientCookie; const removeAllDevBrowserCookies = () => { - inittedCookie.remove({ path: COOKIE_PATH }); + inittedCookie.remove({ path: '/' }); // Delete cookie in a best-effort way by iterating all ETLDs - getAllETLDs().forEach(domain => ssoCookie.remove({ domain, path: COOKIE_PATH })); + getAllETLDs().forEach(domain => ssoCookie.remove({ domain, path: '/' })); }; return {