Skip to content

fix(clerk-js): Prevent duplicate __client_uat cookies in iframe contexts #7875

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
brkalow merged 4 commits into from
Feb 18, 2026
Merged

fix(clerk-js): Prevent duplicate __client_uat cookies in iframe contexts #7875

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
306e463
fix(clerk-js): Prevent duplicate __client_uat cookies in iframe contexts
brkalow Feb 18, 2026
e4b2d6f
Apply suggestion from @brkalow
brkalow Feb 18, 2026
dc611ff
fix(clerk-js): Pass SameSite/Secure attributes to eTLD+1 cookie probe
brkalow Feb 18, 2026
b245c99
dedupe
brkalow Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/fix-iframe-client-uat-cookie-domain.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@clerk/clerk-js': patch
---

Fix `__client_uat` cookie being set on two different domain scopes when app is loaded in both iframe and non-iframe contexts. `getCookieDomain()` now falls back to `hostname` instead of `undefined` when the eTLD+1 probe fails, and the eTLD+1 probe uses the same `SameSite`/`Secure` attributes as the actual cookie to ensure consistent behavior across contexts.
17 changes: 15 additions & 2 deletions packages/clerk-js/src/core/auth/__tests__/getCookieDomain.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,19 @@ describe('getCookieDomain', () => {
expect(result).toBe(hostname);
});

it('passes cookie attributes to the probe', () => {
const hostname = 'app.example.com';
const handler: CookieHandler = {
get: vi.fn().mockReturnValueOnce(undefined).mockReturnValueOnce('1'),
set: vi.fn().mockReturnValue(undefined),
remove: vi.fn().mockReturnValue(undefined),
};
const attrs = { sameSite: 'None', secure: true };
getCookieDomain(hostname, handler, attrs);
expect(handler.set).toHaveBeenCalledWith('1', { sameSite: 'None', secure: true, domain: 'example.com' });
expect(handler.set).toHaveBeenCalledWith('1', { sameSite: 'None', secure: true, domain: 'app.example.com' });
});

it('handles localhost', () => {
const hostname = 'localhost';
const result = getCookieDomain(hostname);
Expand All @@ -53,15 +66,15 @@ describe('getCookieDomain', () => {
expect(getCookieDomain('bryce-local')).toBe('bryce-local');
});

it('returns undefined if the domain could not be determined', () => {
it('falls back to hostname if the domain could not be determined', () => {
const handler: CookieHandler = {
get: vi.fn().mockReturnValue(undefined),
set: vi.fn().mockReturnValue(undefined),
remove: vi.fn().mockReturnValue(undefined),
};
const hostname = 'app.hello.co.uk';
const result = getCookieDomain(hostname, handler);
expect(result).toBeUndefined();
expect(result).toBe(hostname);
});

it('uses cached value if there is one', () => {
Expand Down
2 changes: 1 addition & 1 deletion packages/clerk-js/src/core/auth/cookies/clientUat.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ export const createClientUatCookie = (cookieSuffix: string): ClientUatCookieHand
: 'Strict';
const secure = getSecureAttribute(sameSite);
const partitioned = __BUILD_VARIANT_CHIPS__ && secure;
const domain = getCookieDomain();
const domain = getCookieDomain(undefined, undefined, { sameSite, secure });

// '0' indicates the user is signed out
let val = '0';
Expand Down
27 changes: 22 additions & 5 deletions packages/clerk-js/src/core/auth/getCookieDomain.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,19 @@ import { createCookieHandler } from '@clerk/shared/cookie';
let cachedETLDPlusOne: string;
const eTLDCookie = createCookieHandler('__clerk_test_etld');

export function getCookieDomain(hostname = window.location.hostname, cookieHandler = eTLDCookie) {
/**
* @param hostname - The hostname to determine the eTLD+1 for.
* @param cookieHandler - The cookie handler to use for the eTLD+1 probe.
* @param cookieAttributes - Optional cookie attributes (sameSite, secure) to use
* during the eTLD+1 probe. These should match the attributes that will be used
* when setting the actual cookie, so the probe accurately reflects whether a
* domain-scoped cookie can be set in the current context.
*/
export function getCookieDomain(
hostname = window.location.hostname,
cookieHandler = eTLDCookie,
cookieAttributes?: { sameSite?: string; secure?: boolean },
) {
Comment on lines +11 to +23
Copy link
Contributor

@coderabbitai coderabbitai bot Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n packages/clerk-js/src/core/auth/getCookieDomain.ts

Repository: clerk/javascript

Length of output: 2746

Add explicit return type and complete JSDoc documentation for the exported getCookieDomain function.

This public API lacks an explicit return type annotation. Its JSDoc documentation is also incomplete, missing @returns, @throws, and @example tags required by the TypeScript and JSDoc guidelines.

Suggested patch 
 /**
  * `@param` hostname - The hostname to determine the eTLD+1 for.
  * `@param` cookieHandler - The cookie handler to use for the eTLD+1 probe.
  * `@param` cookieAttributes - Optional cookie attributes (sameSite, secure) to use
  *   during the eTLD+1 probe. These should match the attributes that will be used
  *   when setting the actual cookie, so the probe accurately reflects whether a
  *   domain-scoped cookie can be set in the current context.
+ * `@returns` The resolved eTLD+1 domain to use for setting cookies.
+ * `@throws` If the cookie handler throws while probing domains.
+ * `@example`
+ * getCookieDomain('app.example.com', undefined, { sameSite: 'None', secure: true });
  */
 export function getCookieDomain(
   hostname = window.location.hostname,
   cookieHandler = eTLDCookie,
   cookieAttributes?: { sameSite?: string; secure?: boolean },
-) {
+): string {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
/**
* @param hostname - The hostname to determine the eTLD+1 for.
* @param cookieHandler - The cookie handler to use for the eTLD+1 probe.
* @param cookieAttributes - Optional cookie attributes (sameSite, secure) to use
* during the eTLD+1 probe. These should match the attributes that will be used
* when setting the actual cookie, so the probe accurately reflects whether a
* domain-scoped cookie can be set in the current context.
*/
export function getCookieDomain(
hostname = window.location.hostname,
cookieHandler = eTLDCookie,
cookieAttributes?: { sameSite?: string; secure?: boolean },
) {
/**
* `@param` hostname - The hostname to determine the eTLD+1 for.
* `@param` cookieHandler - The cookie handler to use for the eTLD+1 probe.
* `@param` cookieAttributes - Optional cookie attributes (sameSite, secure) to use
* during the eTLD+1 probe. These should match the attributes that will be used
* when setting the actual cookie, so the probe accurately reflects whether a
* domain-scoped cookie can be set in the current context.
* `@returns` The resolved eTLD+1 domain to use for setting cookies.
* `@throws` If the cookie handler throws while probing domains.
* `@example`
* getCookieDomain('app.example.com', undefined, { sameSite: 'None', secure: true });
*/
export function getCookieDomain(
hostname = window.location.hostname,
cookieHandler = eTLDCookie,
cookieAttributes?: { sameSite?: string; secure?: boolean },
): string {
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@packages/clerk-js/src/core/auth/getCookieDomain.ts` around lines 11 - 23, The
exported function getCookieDomain lacks an explicit TypeScript return type and
its JSDoc is incomplete; update the declaration of getCookieDomain to include an
explicit return type (e.g., string | undefined) and ensure cookieAttributes has
precise types (sameSite?: 'Lax' | 'Strict' | 'None' | string; secure?: boolean),
then expand the JSDoc for getCookieDomain to include `@returns` describing the
returned eTLD+1 or undefined, `@throws` describing any errors thrown during the
eTLD+1 probe (e.g., when cookie handling fails), and an `@example` showing typical
usage; reference the function name getCookieDomain and the cookieAttributes
param as the places to change.

// only compute it once per session to avoid unnecessary cookie ops
if (cachedETLDPlusOne) {
return cachedETLDPlusOne;
Expand All @@ -28,17 +40,22 @@ export function getCookieDomain(hostname = window.location.hostname, cookieHandl
// we know for sure that the first entry is definitely a TLD, skip it
for (let i = hostnameParts.length - 2; i >= 0; i--) {
const eTLD = hostnameParts.slice(i).join('.');
cookieHandler.set('1', { domain: eTLD });
cookieHandler.set('1', { ...cookieAttributes, domain: eTLD });

const res = cookieHandler.get();
if (res === '1') {
cookieHandler.remove({ domain: eTLD });
cookieHandler.remove({ ...cookieAttributes, domain: eTLD });
cachedETLDPlusOne = eTLD;
return eTLD;
}

cookieHandler.remove({ domain: eTLD });
cookieHandler.remove({ ...cookieAttributes, domain: eTLD });
}

return;
// Fallback to hostname to ensure domain-scoped cookie rather than host-only.
// In restricted contexts (e.g. cross-origin iframes), the set() will silently
// fail — which is preferable to creating a host-only cookie that conflicts
// with domain-scoped cookies set by non-iframe contexts.
cachedETLDPlusOne = hostname;
Copy link
Member

@jacekradko jacekradko Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm. I think it makes sense, but I wonder if this could potentially set a cookie on a different subdomain that would still create 2 separate cookies in some cases. 🤔

return hostname;
}
45 changes: 43 additions & 2 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.