Description
Please list the package(s) involved in the issue, and include the version you are using
shopify/ui-extensions: ^2024.7
Describe the bug
When making a CORS request with all the right headers, Shopify UI Extensions will explicitly force cookies to be ommitted. This is via these lines from https://cdn.shopify.com/shopifycloud/checkout-web/assets/c1.en/sandbox.B93AeW43.worker.js:
function eOt(t) {
return (r, e) => {
const n = r instanceof Request ? r : new Request(r);
if (new URL(n.url).protocol !== "https:")
throw new rOt("URL must be secure (HTTPS)");
return t(n, {
...e,
credentials: "omit"
})
}
}
The credentials: "omit" will force cookies to be removed from the fetch request as per MDN: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials
Steps to reproduce the behavior:
- Make a fetch request to a URL cross origin.
- Ensure that the responding server has all the right CORS responses, e.g.
access-control-allow-credentials: trueandaccess-control-allow-origin: https://extensions.shopifycdn.com - Observe no cookies are passed
Expected behavior
I would expect either:
- The behaviour of
fetchisn't overriden by Shopify - The documentation on
fetchin the Security section https://shopify.dev/docs/api/checkout-ui-extensions#security, which leads to https://github.com/Shopify/ui-extensions/blob/unstable/documentation/runtime-environment.md would document that useCredentials is banned AND the same documentation would be available here too: https://shopify.dev/docs/api/checkout-ui-extensions/2024-10/configuration#network-access.
I would prefer (1), as I can think of other cases where passing cookies might be useful - e.g. accessing an authenticated backend.
Screenshots
Additional context
The reason we would like the cookies to be passed is that we use cookies as one of several signals into anti fraud systems. While the cookies are not a perfect tool, they are a useful signal that can help us to spot customers attempting to manipulate us or our clients out of discounts.