
PR #417 is not working, cookies are not floating on subsequent subdomain requests #448


Closed
naukri-engineering opened this issue Jul 2, 2024 · 12 comments


@naukri-engineering
Contributor

naukri-engineering commented Jul 2, 2024

Hi,

With reference to the submitted PR #417, we have added an RWS set where naukri.com is set as primary and infoedgeindia.com is associated.
This RWS is already applied in Chrome and storage is also granted on Naukri.com, i.e. if we do this:

if ('requestStorageAccessFor' in document) {
          document.requestStorageAccessFor('https://infoedgeindia.com').then(
            res => {
              // Success
              makeSubDomainCall()  //cookies not floating automatically 
            },
          );
}

We have a cross-site cookie set by infoedgeindia, for which we make the initial call from naukri.com and set it as a third-party cookie. We want this cookie to be floated in subsequent calls from the top-level domain, naukri.com.
Whenever we make a cross-origin include-credentials call to a subdomain of infoedgeindia.com, this cookie is not automatically passed in the request cookies.

fetch("https://xyz.infoedgeindia.com/", {
  "headers": {
    "credentials": "include"
  },
}).then((json) => {
        console.log('['+document.location.hostname+'] 🍪 Check if the demo cookie is sent on a cross-site, same-set request');
        console.log('['+document.location.hostname+`] fetch('https://related-website-sets.glitch.me/getcookies.json', { method: 'GET', credentials: 'include' }).then(response => response.json()).then(json => {console.log(json)}) → `, json);
});

The cross-site cookie, which was expected to float, is not being passed in the request cookies.

Please help us understand what the issue is here, if there is some gap in understanding.

@cfredric
Collaborator

cfredric commented Jul 2, 2024

document.requestStorageAccessFor requires CORS mode for the request. Additionally, it looks like you've put the "credentials" field in the headers object, which won't do what you want.

This is probably close to what you want:

fetch("https://xyz.infoedgeindia.com/", {
  "headers": {},
  "credentials": "include",
  "mode": "cors",
}).then((json) => {
  ...
});

@naukri-engineering
Contributor Author

Hi @cfredric,

Tried using cors as well.
The cross-site cookie is still not flowing to the subdomain of infoedgeindia (associated site) from the primary site (naukri).
Maybe the cookie is not floating because of the subdomain, but ideally it should.
Even with CORS enabled, the request cookies are not being passed.

fetch("https://xyz.infoedgeindia.com/", {
  "headers": {},
  "credentials": "include",
  "mode": "cors",
}).then((json) => {
  ...
});

@cfredric
Collaborator

cfredric commented Jul 2, 2024

Ah yes, it is because of the subdomain. requestStorageAccessFor(...) accepts an origin, not a site, so you must provide the specific origin to which you need to send cookies.

@naukri-engineering
Contributor Author

naukri-engineering commented Jul 3, 2024

@cfredric even after mentioning xyz.infoedgeindia.com in requestStorageAccessFor(...), the cookie set on infoedgeindia is not getting floated in the request to xyz.infoedgeindia.com

@cfredric
Collaborator

cfredric commented Jul 3, 2024

It's a bit tough for me to say what the problem is, without being able to see it myself. Broadly, these are the things I would check:

  • Ensure that the document.requestStorageAccessFor(...) call supplies the correct origin.
  • Ensure that the document.requestStorageAccessFor(...) call is resolving (not rejecting), with a user gesture.
  • If the fetch request is in a script run by the top-level document:
    • Ensure the request mode is "cors".
    • Ensure the request's credentials is "include".
  • If the fetch request is in a script run by an infoedgeindia.com iframe:
    • Ensure that the iframe has called document.requestStorageAccess() (and that promise resolved) before the fetch request.
  • Inspect network activity in Chrome DevTools to see if the cookie is being blocked, and if so, why.

If you check all of those things, that should be enough to figure out why your cookie is not being sent.


@naukri-engineering
Contributor Author

naukri-engineering commented Jul 18, 2024

Thanks @cfredric for the further clarification and explanation, but we have already tried the above things and this is not working.

Ensure that the document.requestStorageAccessFor(...) call supplies the correct origin - we are calling it for the correct origin and this is giving success as well:
document.requestStorageAccessFor('https://infoedgeindia.com')
Ensure that the document.requestStorageAccessFor(https://infoedgeindia.com) call is resolving (not rejecting), with a user gesture - this is also resolving without a user gesture.

Point 3 - the fetch request already has the "cors" request mode, and the request credentials is "include" as well.

We have identified why it is not happening by trying different values of domain and subdomain.
Reiterating the full scenario and issue here:

RWS Set :-
{
"AssociatedSites": [ "https://ambitionbox.com", "https://infoedgeindia.com" ],
"PrimarySites": [ "https://naukri.com" ]
}

A request to the associated site member (infoedgeindia.com) from the primary member of the RWS set (www.naukri.com) is setting one cookie:

i.e. a subdomain.infoedgeindia.com request on www.naukri.com is setting a cookie on .infoedgeindia.com with SameSite=None and Secure.

The call to requestStorageAccessFor on naukri.com is resolving successfully:

 document.requestStorageAccessFor('https://infoedgeindia.com').then(
          res => {
            checkCookie()
          },
          err => {}
        );

But cookies set on infoedgeindia.com are not floating in subdomain calls:

fetch('https://subdomain.infoedgeindia.com/collectorapi/v1/uba', {
    method: "POST",
    credentials: "include",
    mode: "cors",
    body: JSON.stringify({}),
});

The cookie set on infoedgeindia is not floating in the above call and is blocked. Ideally it should, because by default cookies should float in subdomain calls.

@cfredric we are a bit stuck due to this. If we can connect over a quick call, we can show you the issue and maybe you can help in resolving it. It won't take much of your time, but the problem might get fixed for us. Please let me know if we can connect.

@cfredric
Collaborator

cfredric commented Jul 18, 2024

document.requestStorageAccessFor('https://infoedgeindia.com')

fetch('https://subdomain.infoedgeindia.com/collectorapi/v1/uba',

You're specifying two different origins here:

  • https://infoedgeindia.com
  • https://subdomain.infoedgeindia.com

Note that the definition of an origin is very specific; it is more specific than "site", because an origin does not include any subdomains.

As I said in #448 (comment), if you want to send cookies to a particular origin, you need to use that origin when you call requestStorageAccessFor(). I.e., you need to change your code to:

document.requestStorageAccessFor('https://subdomain.infoedgeindia.com').then(
  // etc.
)

Invoking document.requestStorageAccessFor("https://infoedgeindia.com") only grants cookie access to https://infoedgeindia.com specifically. Any subdomain of that origin will still be blocked from accessing cookies, unless you specifically request access for it like in the code snippet I wrote above.

If you have changed the requestStorageAccessFor call to use the correct subdomain specifically, and you're still not seeing the cookies on the request, try using Chrome DevTools to find out why the cookies are being blocked. (My guess would be that you need to set a Domain attribute on the cookies.)
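
The checklist and the origin-versus-site point from the comments above, as an added example (not code from any participant in this thread or from the project): a small lint that takes a requestStorageAccessFor() grant, a fetch() call and optionally the cookie's scope, and reports why the cookie would be left off. The function names and the cookie object shape are hypothetical; the inputs are constructed from the snippets posted in this issue.

```javascript
// Added example; function names and the cookie object shape are hypothetical.

// RFC 6265 domain-match: a cookie without a Domain attribute is host-only.
function cookieMatchesHost(cookie, host) {
  if (!cookie.domain) return host === cookie.setBy;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Returns the reasons a top-level fetch() would go out without the cookie.
function lintRwsRequest(grantedOrigin, requestUrl, init = {}, cookie = null) {
  const problems = [];
  const target = new URL(requestUrl);
  const granted = new URL(grantedOrigin).origin;
  // The grant is per origin (scheme + host + port), not per site.
  if (granted !== target.origin) {
    problems.push(`grant covers ${granted}, request goes to ${target.origin}`);
  }
  if ((init.mode ?? "cors") !== "cors") problems.push('mode must be "cors"');
  if (init.credentials !== "include") problems.push('credentials must be "include"');
  const headerNames = Object.keys(init.headers ?? {}).map((h) => h.toLowerCase());
  if (headerNames.includes("credentials")) {
    problems.push('"credentials" is in headers; it is a fetch option, not a header');
  }
  if (cookie && !cookieMatchesHost(cookie, target.hostname)) {
    problems.push(`cookie scope does not match ${target.hostname}`);
  }
  return problems;
}

// Browser side: derive the grant origin from the URL so the two cannot drift.
async function fetchWithGrant(requestUrl, init = {}) {
  if (!("requestStorageAccessFor" in document)) {
    throw new Error("requestStorageAccessFor is not supported");
  }
  await document.requestStorageAccessFor(new URL(requestUrl).origin);
  return fetch(requestUrl, { ...init, mode: "cors", credentials: "include" });
}

// Constructed inputs mirroring the snippets in this thread.
const firstAttempt = lintRwsRequest("https://infoedgeindia.com",
  "https://xyz.infoedgeindia.com/", { headers: { credentials: "include" } });
const corrected = lintRwsRequest("https://subdomain.infoedgeindia.com",
  "https://subdomain.infoedgeindia.com/collectorapi/v1/uba",
  { method: "POST", mode: "cors", credentials: "include" },
  { setBy: "subdomain.infoedgeindia.com", domain: ".infoedgeindia.com" });
console.log(firstAttempt, corrected);
```

fetchWithGrant() only runs in a top-level browser document; the lint functions run anywhere a URL global exists.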


@cfredric
Collaborator

Having not heard any followup questions in 2 months, I'm assuming this was fixed. Closing.
