Cross-origin cookie test

Reacquaint myself with how modern browsers deal with cross-origin cookies. Specifically, how aggressively does Safari limit them nowadays? (Answer: very aggressively, to the point of just disabling them.)

This endpoint simply tries to assign a device cookie that expires 28 days from now when requested, providing all of the obligatory-in-2024 cookie flags and headers to allow cross-origin support. You can request it from another origin in different browsers and inspect whether cookies are sent back or not (either via `sendBeacon` or `fetch(..., {credentials: "include"})` or in the iframe browser preview below).

Chrome and Firefox subsequently send back a persistent cookie; Safari does not. Edge probably does what Chrome does. I dunno what Braze does.

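```ts
import { randomUUID } from "node:crypto";
import { parse } from "npm:cookie";

export default async function(req: Request): Promise<Response> {
  // Echo the caller's Origin: a wildcard is not accepted for credentialed requests.
  const origin = req.headers.get("origin") ?? "*";
  // Reuse the device ID from an existing D cookie, otherwise mint a new one.
  const { D = randomUUID() } = parse(req.headers.get("cookie") ?? "");
  // 28 days from now.
  const expires = new Date(Date.now() + 1000 * 60 * 60 * 24 * 28).toUTCString();
  const headers = {
    // SameSite=None requires Secure; Partitioned opts the cookie into CHIPS.
    "set-cookie": `D=${D}; Expires=${expires}; SameSite=None; Secure; Partitioned`,
    "access-control-allow-credentials": "true",
    // "access-control-allow-headers": "cookie", // not required?
    "access-control-allow-origin": origin,
  };
  // Return the headers both as response headers and as the JSON body for inspection.
  return Response.json(headers, { headers });
}
```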
visnup-beacon.web.val.run
January 31, 2024
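The test endpoint above echoes any `Origin` back with `access-control-allow-credentials: true`, which is fine for an experiment but lets every site make credentialed requests and read the response. The following is an added example, not part of the original val: the same header logic with an origin allowlist, a `Vary: Origin` header, and a UUID check on the incoming `D` value before it is written back into `Set-Cookie`. The allowlisted origins, the function names, and the hand-rolled cookie parsing (used here instead of `npm:cookie` so the block has no dependencies) are assumptions.

```typescript
// Hypothetical allowlist: replace with the origins that actually call the endpoint.
const ALLOWED_ORIGINS: string[] = ["https://app.example", "https://docs.example"];
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const TTL_MS = 1000 * 60 * 60 * 24 * 28; // 28 days, as in the original endpoint

// Pull the D cookie out of a raw Cookie header. Anything that is not a UUID is
// rejected, so a client-supplied value cannot add attributes to Set-Cookie.
function readDeviceId(cookieHeader: string | null): string | null {
  for (const pair of (cookieHeader ?? "").split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq).trim() !== "D") continue;
    const value = pair.slice(eq + 1).trim();
    return UUID_RE.test(value) ? value : null;
  }
  return null;
}

// Build the response headers. freshId is the ID to assign when the request has
// no valid D cookie (the caller passes e.g. randomUUID()); nowMs is Date.now().
function deviceCookieHeaders(
  origin: string | null,
  cookieHeader: string | null,
  freshId: string,
  nowMs: number,
): Record<string, string> {
  const id = readDeviceId(cookieHeader) ?? freshId;
  const expires = new Date(nowMs + TTL_MS).toUTCString();
  const headers: Record<string, string> = {
    "set-cookie": `D=${id}; Expires=${expires}; SameSite=None; Secure; Partitioned`,
    // The response differs per Origin, so shared caches must key on it.
    "vary": "Origin",
  };
  // Emit the credentialed-CORS headers only for known origins; never "*".
  if (origin !== null && ALLOWED_ORIGINS.indexOf(origin) !== -1) {
    headers["access-control-allow-origin"] = origin;
    headers["access-control-allow-credentials"] = "true";
  }
  return headers;
}
```

In the original handler this would be wired up as `deviceCookieHeaders(req.headers.get("origin"), req.headers.get("cookie"), randomUUID(), Date.now())`.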