Skip to content

fix(clerk-js): Set SameSite=None on cookies for .replit.dev origins#7846

Open
brkalow wants to merge 5 commits intomainfrom
bryce/fix-samesite-replit-dev
Open

fix(clerk-js): Set SameSite=None on cookies for .replit.dev origins#7846
brkalow wants to merge 5 commits intomainfrom
bryce/fix-samesite-replit-dev

Conversation

@brkalow
Copy link
Member

@brkalow brkalow commented Feb 13, 2026
edited by coderabbitai bot
Loading

Summary

  • Adds a shared requiresSameSiteNone() helper that detects .replit.dev origins
  • Updates session, clientUat, and devBrowser cookie setters to use SameSite=None on these origins
  • Adds test coverage for the new behavior

Test plan

  • Existing cookie tests pass
  • New tests verify SameSite=None is set when requiresSameSiteNone() returns true
  • Manual verification on a .replit.dev origin

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes

    • Cookies now use SameSite=None for .replit.dev and other identified third‑party/development domains to fix cross‑origin session/auth behavior.

  • New Features

    • Centralized third‑party domain list added to detect origins requiring special cookie and popup handling.
    • Popup-preference checks now consult the centralized domain list.

  • Tests

    • Added/updated tests covering SameSite=None scenarios and case‑insensitive hostname handling.

@brkalow @claude
fix(clerk-js): Set SameSite=None on cookies for .replit.dev origins
f7c4178 
Cookies on .replit.dev origins need SameSite=None to work correctly.
Adds a shared requiresSameSiteNone() helper used by session, clientUat,
and devBrowser cookie setters.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@vercel
Copy link

vercel bot commented Feb 13, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Feb 13, 2026 7:25pm

Request Review

@changeset-bot
Copy link

changeset-bot bot commented Feb 13, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 80dad18

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages
Name Type
@clerk/shared Patch
@clerk/clerk-js Patch
@clerk/ui Patch
@clerk/agent-toolkit Patch
@clerk/astro Patch
@clerk/backend Patch
@clerk/chrome-extension Patch
@clerk/expo-passkeys Patch
@clerk/expo Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/localizations Patch
@clerk/msw Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/react Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch
@clerk/vue Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 13, 2026
edited
Loading

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@7846

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@7846

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@7846

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@7846

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@7846

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@7846

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@7846

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@7846

@clerk/express

npm i https://pkg.pr.new/@clerk/express@7846

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@7846

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@7846

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@7846

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@7846

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@7846

@clerk/react

npm i https://pkg.pr.new/@clerk/react@7846

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@7846

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@7846

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@7846

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@7846

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@7846

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@7846

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@7846

commit: 80dad18

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 13, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Adds a shared third-party domains list and a new re-export requiresSameSiteNone (aliasing isThirdPartyCookieDomain). Cookie modules (clientUat, devBrowser, session) now call requiresSameSiteNone() in addition to existing checks to set SameSite='None' when applicable. Tests were updated to mock requiresSameSiteNone() and verify SameSite behavior. originPrefersPopup now uses the centralized domain list. A changeset documents a patch-level update.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: setting SameSite=None on cookies for .replit.dev origins, which is the primary objective of the PR.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Merge Conflict Detection ✅ Passed ✅ No merge conflicts detected when merging into main

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

No actionable comments were generated in the recent review. 🎉

Comment @coderabbitai help to get the list of available commands and usage tips.

@brkalow @claude
fix(clerk-js): Consolidate third-party domain list in @clerk/shared
604c835 
Extract POPUP_PREFERRED_ORIGINS and requiresSameSiteNone into a shared
THIRD_PARTY_COOKIE_DOMAINS list in @clerk/shared. Both originPrefersPopup
and cookie SameSite logic now reference the same list, which includes
.replit.dev.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
coderabbitai[bot]
coderabbitai bot reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Fix all issues with AI agents 
In `@packages/ui/src/utils/originPrefersPopup.ts`:
- Line 10: The bug is that originPrefersPopup() uses window.location.origin
(which includes protocol and port) causing domain matching to fail; change the
check to use window.location.hostname instead so
THIRD_PARTY_COOKIE_DOMAINS.some(domain =>
window.location.hostname.endsWith(domain)) (preserving the existing inIframe()
short-circuit) within the originPrefersPopup function to mirror
isThirdPartyCookieDomain() behavior.

@brkalow @claude
fix(clerk-js): Bump bundlewatch limit for clerk.legacy.browser.js
5d17dd8 
106KB → 107KB to accommodate the new thirdPartyDomains import.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@brkalow @claude
fix(ui): Use hostname instead of origin for domain matching in origin…
a31f287 
…PrefersPopup

window.location.origin includes protocol and port, causing domain suffix
matching to fail. Switch to window.location.hostname to mirror
isThirdPartyCookieDomain() behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
brkalow
brkalow commented Feb 13, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@jacekradko jacekradko jacekradko approved these changes

Assignees

No one assigned

Labels

clerk-js core-3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@brkalow @jacekradko