
Cookies aren't shared Cross Origin #2435

Open
edhgoose opened this issue Oct 25, 2024 · 0 comments
Labels
bug Something isn't working

Comments


edhgoose commented Oct 25, 2024

Please list the package(s) involved in the issue, and include the version you are using

shopify/ui-extensions: ^2024.7

Describe the bug

When making a CORS request with all the right headers, Shopify UI Extensions will explicitly force cookies to be omitted. This is via these lines from https://cdn.shopify.com/shopifycloud/checkout-web/assets/c1.en/sandbox.B93AeW43.worker.js:

    // Minified excerpt from the worker bundle: `t` is the underlying fetch,
    // `rOt` is the bundle's own error class.
    function eOt(t) {
        return (r, e) => {
            // Normalise the input to a Request so the URL can be inspected.
            const n = r instanceof Request ? r : new Request(r);
            if (new URL(n.url).protocol !== "https:")
                throw new rOt("URL must be secure (HTTPS)");
            // The caller's init options are spread first, then `credentials`
            // is unconditionally overwritten with "omit".
            return t(n, {
                ...e,
                credentials: "omit"
            })
        }
    }

The credentials: "omit" will force cookies to be removed from the fetch request as per MDN: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials

Steps to reproduce the behavior:

  1. Make a fetch request to a URL cross origin.
  2. Ensure that the responding server has all the right CORS responses, e.g. access-control-allow-credentials: true and access-control-allow-origin: https://extensions.shopifycdn.com
  3. Observe no cookies are passed

Expected behavior

I would expect either:

  1. The behaviour of fetch isn't overridden by Shopify
  2. The documentation on fetch in the Security section https://shopify.dev/docs/api/checkout-ui-extensions#security, which leads to https://github.com/Shopify/ui-extensions/blob/unstable/documentation/runtime-environment.md would document that useCredentials is banned AND the same documentation would be available here too: https://shopify.dev/docs/api/checkout-ui-extensions/2024-10/configuration#network-access.

I would prefer (1), as I can think of other cases where passing cookies might be useful - e.g. accessing an authenticated backend.

Screenshots

Additional context

The reason we would like the cookies to be passed is that we use cookies as one of several signals into anti-fraud systems. While the cookies are not a perfect tool, they are a useful signal that can help us to spot customers attempting to manipulate us or our clients out of discounts.
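The behaviour reported above, as an added example that is not Shopify's code or part of the original issue: a minimal re-creation of the sandbox fetch wrapper (HTTPS check plus a forced `credentials: "omit"`) driven by a recording stand-in for fetch, alongside a server-side check of the CORS response headers a credentialed request would need. Hostnames and function names are assumptions.

```javascript
// Re-creation of the wrapper behaviour quoted from the worker bundle:
// enforce HTTPS, then overwrite whatever `credentials` the caller passed.
// Hypothetical code for illustration, not Shopify's implementation.
function wrapSandboxFetch(fetchImpl) {
  return (input, init = {}) => {
    const url = typeof input === "string" ? input : input.url;
    if (new URL(url).protocol !== "https:") {
      throw new Error("URL must be secure (HTTPS)");
    }
    // Spread first, override last: the caller's "include" never survives.
    return fetchImpl(url, { ...init, credentials: "omit" });
  };
}

// Constructed stand-in for fetch: records the init it receives so we can
// observe what the wrapper actually sent, with no network call.
function recordingFetch() {
  const calls = [];
  const impl = (url, init) => {
    calls.push({ url, init });
    return Promise.resolve({ ok: true });
  };
  return { impl, calls };
}

// Server-side view: would these response headers permit a credentialed
// cross-origin request at all? Browsers refuse cookies when
// Access-Control-Allow-Origin is "*", so the origin must be echoed exactly
// and Access-Control-Allow-Credentials must be "true".
function allowsCredentialedOrigin(headers, requestOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  return h["access-control-allow-credentials"] === "true" &&
    h["access-control-allow-origin"] === requestOrigin;
}

// Drive the wrapper: the caller explicitly asks for cookies, and a plain
// http:// URL is rejected before any request is made.
function demo() {
  const { impl, calls } = recordingFetch();
  const sandboxFetch = wrapSandboxFetch(impl);
  sandboxFetch("https://api.example.test/fraud-signal", { credentials: "include" });
  let httpRejected = false;
  try { sandboxFetch("http://api.example.test/fraud-signal"); } catch (e) { httpRejected = true; }
  return { sentCredentials: calls[0].init.credentials, httpRejected };
}
```

Even a server that answers with the exact extension origin and `access-control-allow-credentials: true` never sees a cookie, because the override happens on the client before the request leaves the sandbox.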

@edhgoose edhgoose added the bug Something isn't working label Oct 25, 2024