search

Shopify / ui-extensions

MIT License
269 stars 35 forks source link

Cookies aren't shared Cross Origin #2435

Open edhgoose opened 1 month ago

edhgoose commented 1 month ago

Please list the package(s) involved in the issue, and include the version you are using

shopify/ui-extensions: ^2024.7

Describe the bug

When making a CORS request with all the right headers, Shopify UI Extensions will explicitly force cookies to be ommitted. This is via these lines from https://cdn.shopify.com/shopifycloud/checkout-web/assets/c1.en/sandbox.B93AeW43.worker.js:

    function eOt(t) {
        return (r, e) => {
            const n = r instanceof Request ? r : new Request(r);
            if (new URL(n.url).protocol !== "https:")
                throw new rOt("URL must be secure (HTTPS)");
            return t(n, {
                ...e,
                credentials: "omit"
            })
        }
    }

The credentials: "omit" will force cookies to be removed from the fetch request as per MDN: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials

Steps to reproduce the behavior:

  1. Make a fetch request to a URL cross origin.
  2. Ensure that the responding server has all the right CORS responses, e.g. access-control-allow-credentials: true and access-control-allow-origin: https://extensions.shopifycdn.com
  3. Observe no cookies are passed

Expected behavior

I would expect either:

  1. The behaviour of fetch isn't overriden by Shopify
  2. The documentation on fetch in the Security section https://shopify.dev/docs/api/checkout-ui-extensions#security, which leads to https://github.com/Shopify/ui-extensions/blob/unstable/documentation/runtime-environment.md would document that useCredentials is banned AND the same documentation would be available here too: https://shopify.dev/docs/api/checkout-ui-extensions/2024-10/configuration#network-access.

I would prefer (1), as I can think of other cases where passing cookies might be useful - e.g. accessing an authenticated backend.

Screenshots

Additional context

The reason we would like the cookies to be passed is that we use cookies as one of several signals into anti fraud systems. While the cookies are not a perfect tool, they are a useful signal that can help us to spot customers attempting to manipulate us or our clients out of discounts.

renerbaffa commented 3 hours ago

hey @edhgoose 👋

Thanks for your feedback. This is an intentional behavior for now. Those requests would be considered third party requests and many browsers have third party cookies protection, which would prevent them from attaching cookies in those requests.

I brought your topic to the team and we will discuss it further. Meanwhile keep an eye out in our dev docs! We will post anything new there.