Reacquaint myself with how modern browsers deal with cross-origin cookies. Specifically, how aggressive does Safari limit them nowadays? (Answer: very aggressive, to the point of just disabling them.)

This endpoint simply tries to assign a 28-day-from-now-expiring device cookie when requested, providing all of the obligatory-in-2024 cookie flags and headers to allow cross-origin support. You can request it from another origin in different browsers and inspect if cookies are sent back or not (either via sendBeacon or fetch(..., {credentials: "include"}) or in the iframe browser preview below).

Chrome and Firefox subsequently send back a persistent cookie; Safari does not. Edge probably does what Chrome does. I dunno what Braze does.