Created July 31, 2025 15:10
Gist: bhumit070/b8b148348c98cf3ffbf7527ccbc9e12d
A cookie set with SameSite=None is only accepted by browsers when it is also marked Secure, and a browser only attaches it to a cross-origin fetch/XHR when the client opts in with credentials: 'include' (withCredentials: true for XMLHttpRequest and axios). On the server side, a credentialed response must carry Access-Control-Allow-Credentials: true, and the CORS check fails when that header is combined with Access-Control-Allow-Origin: *. The wildcard is not allowed for credentialed requests, so the server has to name one specific origin in the response.
To work around this limitation, the server can use a dynamic CORS origin echo strategy.
This allows us to:
• Reflect the request's Origin (or, as a weaker fallback, the origin part of its Referer) as the Access-Control-Allow-Origin value, per request
• Avoid the wildcard restriction, since each response names exactly one origin
• Successfully send SameSite=None; Secure cookies with cross-origin requests when credentials: 'include' is set on the client
As a result, any frontend calling the API with credentials: 'include' (withCredentials: true in axios) will have its cookies sent on every request, which is what persistent sessions and cross-site tracking need. The caveat is that blindly reflecting whatever Origin arrives, together with Access-Control-Allow-Credentials: true, lets any website make authenticated requests to the API from a victim's browser and read the responses. Check the incoming origin against an allowlist before echoing it, prefer Origin over Referer (Referer is often stripped or truncated by referrer policies and is easier to spoof from non-browser clients), and send Vary: Origin so a shared cache never serves one origin's Access-Control-Allow-Origin header to another.