Enabled cross-subdomain console sessions by making the cookie domain configurable and aligning the frontend so it reads the shared CSRF cookie. (#27190)

2025-10-28 10:04:24 +08:00
parent 543c5236e7
commit ff32dff163
10 changed files with 94 additions and 13 deletions
--- a/web/.env.example
+++ b/web/.env.example
@@ -34,6 +34,9 @@ NEXT_PUBLIC_CSP_WHITELIST=
 # Default is not allow to embed into iframe to prevent Clickjacking: https://owasp.org/www-community/attacks/Clickjacking
 NEXT_PUBLIC_ALLOW_EMBED=

+# Shared cookie domain when console UI and API use different subdomains (e.g. example.com)
+NEXT_PUBLIC_COOKIE_DOMAIN=
+
 # Allow rendering unsafe URLs which have "data:" scheme.
 NEXT_PUBLIC_ALLOW_UNSAFE_DATA_SCHEME=false