
fix(clerk-js): Prevent duplicate __client_uat cookies in iframe contexts #7875

Open
brkalow wants to merge 2 commits into main from bryce/fix-iframe-client-uat-cookie-domain

Conversation


@brkalow brkalow commented Feb 18, 2026

Summary

  • When an app runs in both an iframe and a standalone tab, getCookieDomain() returns undefined in the iframe because the eTLD+1 test cookie probe fails (third-party cookie restrictions prevent domain cookies from sticking)
  • This causes clientUat.ts to set host-only cookies (no Domain attribute) in the iframe, while the non-iframe context sets domain-scoped cookies (with Domain attribute)
  • The browser treats these as two separate cookies, creating duplicate __client_uat entries with conflicting values
  • Fix: getCookieDomain() now falls back to hostname instead of undefined, so the cookie set() either matches the non-iframe's domain-scoped cookie (common on platforms like Replit where hostname == eTLD+1) or silently fails — both preferable to creating a conflicting host-only cookie

Test plan

  • Updated existing unit test for getCookieDomain to reflect new fallback behavior
  • Manual testing: load app in iframe on Replit, verify only domain-scoped __client_uat cookies are created (no host-only duplicates)
  • Manual testing: load app in standalone tab, verify cookie behavior unchanged

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Fixed __client_uat cookie domain handling so it behaves correctly when the app loads in iframe and non-iframe contexts.
    • Added a deterministic fallback for cookie domain resolution (returns the hostname when a broader domain can't be derived) to avoid host-only cookie conflicts in restricted environments.

When an app is loaded in both an iframe and a standalone tab, getCookieDomain()
returns undefined in the iframe (eTLD+1 probe fails due to third-party cookie
restrictions), causing host-only cookies that conflict with domain-scoped cookies
from the non-iframe context. Fall back to hostname instead of undefined so the
cookie set either matches the non-iframe's domain-scoped cookie or silently fails.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
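The cookie-scope mismatch described above, as an added example that is not clerk-js code: a small Node.js model of a browser cookie jar showing why a host-only `__client_uat` and a `Domain=`-scoped `__client_uat` coexist as two cookies, and how a hostname fallback in a `getCookieDomain()` stand-in avoids that. The host, values, the `CookieJar` class and the `domainCookiesStick` switch are constructed assumptions for illustration.

```javascript
// Added example, not clerk-js code: models the cookie-scope mismatch the PR
// describes and the effect of the hostname fallback. Hosts and values are constructed.

// Browsers key cookies by (name, domain, path). A cookie set without a Domain
// attribute is "host-only" and is a different cookie from one set with
// Domain=<same host>, even though both are sent on requests to that host.
class CookieJar {
  constructor() {
    this.store = new Map();
  }
  // `thirdParty` models an iframe context; `domainCookiesStick` models whether
  // a Domain-scoped cookie is accepted there (the PR observes it often is not).
  set(name, value, { domain, host, thirdParty = false, domainCookiesStick = true }) {
    const hostOnly = domain === undefined;
    if (thirdParty && !hostOnly && !domainCookiesStick) {
      return false; // dropped silently, as the PR description puts it
    }
    const scope = hostOnly ? host : domain;
    this.store.set(`${name};${scope};${hostOnly}`, { name, value, scope, hostOnly });
    return true;
  }
  // Every cookie named `name` that the browser would send to `host`.
  matching(name, host) {
    return [...this.store.values()].filter(c =>
      c.name === name && (c.hostOnly ? c.scope === host : host === c.scope || host.endsWith('.' + c.scope)));
  }
}

// Stand-in for getCookieDomain(): the eTLD+1 probe result is passed in rather
// than discovered by writing a test cookie. `fallbackToHostname === false`
// reproduces the old behaviour (return undefined when the probe fails).
function getCookieDomain(hostname, probedETLDPlusOne, fallbackToHostname) {
  if (probedETLDPlusOne) return probedETLDPlusOne;
  return fallbackToHostname ? hostname : undefined;
}

// Writes __client_uat from a standalone tab, then from an iframe, and returns
// the distinct cookies of that name the browser would hold for the host.
function simulate({ fallbackToHostname, domainCookiesStick }) {
  const host = 'myapp.example-host.test'; // constructed; hostname == eTLD+1, as on Replit
  const jar = new CookieJar();
  // Standalone tab: the probe succeeds and yields the eTLD+1 (equal to host here).
  jar.set('__client_uat', '1700000000', { domain: getCookieDomain(host, host, fallbackToHostname), host });
  // Iframe: the probe fails under third-party cookie restrictions; the fallback decides the Domain.
  jar.set('__client_uat', '1700000600', {
    domain: getCookieDomain(host, undefined, fallbackToHostname), host, thirdParty: true, domainCookiesStick,
  });
  return jar.matching('__client_uat', host).map(c => `${c.hostOnly ? 'host-only' : 'Domain=' + c.scope}:${c.value}`);
}
```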
@changeset-bot

changeset-bot bot commented Feb 18, 2026

🦋 Changeset detected

Latest commit: e4b2d6f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages:

Name                     Type
@clerk/clerk-js          Patch
@clerk/chrome-extension  Patch
@clerk/expo              Patch


@vercel

vercel bot commented Feb 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project           Deployment  Actions           Updated (UTC)
clerk-js-sandbox  Ready       Preview, Comment  Feb 18, 2026 5:37am

@pkg-pr-new

pkg-pr-new bot commented Feb 18, 2026


Preview builds of each package for this PR:

@clerk/agent-toolkit: npm i https://pkg.pr.new/@clerk/agent-toolkit@7875
@clerk/astro: npm i https://pkg.pr.new/@clerk/astro@7875
@clerk/backend: npm i https://pkg.pr.new/@clerk/backend@7875
@clerk/chrome-extension: npm i https://pkg.pr.new/@clerk/chrome-extension@7875
@clerk/clerk-js: npm i https://pkg.pr.new/@clerk/clerk-js@7875
@clerk/dev-cli: npm i https://pkg.pr.new/@clerk/dev-cli@7875
@clerk/expo: npm i https://pkg.pr.new/@clerk/expo@7875
@clerk/expo-passkeys: npm i https://pkg.pr.new/@clerk/expo-passkeys@7875
@clerk/express: npm i https://pkg.pr.new/@clerk/express@7875
@clerk/fastify: npm i https://pkg.pr.new/@clerk/fastify@7875
@clerk/hono: npm i https://pkg.pr.new/@clerk/hono@7875
@clerk/localizations: npm i https://pkg.pr.new/@clerk/localizations@7875
@clerk/nextjs: npm i https://pkg.pr.new/@clerk/nextjs@7875
@clerk/nuxt: npm i https://pkg.pr.new/@clerk/nuxt@7875
@clerk/react: npm i https://pkg.pr.new/@clerk/react@7875
@clerk/react-router: npm i https://pkg.pr.new/@clerk/react-router@7875
@clerk/shared: npm i https://pkg.pr.new/@clerk/shared@7875
@clerk/tanstack-react-start: npm i https://pkg.pr.new/@clerk/tanstack-react-start@7875
@clerk/testing: npm i https://pkg.pr.new/@clerk/testing@7875
@clerk/ui: npm i https://pkg.pr.new/@clerk/ui@7875
@clerk/upgrade: npm i https://pkg.pr.new/@clerk/upgrade@7875
@clerk/vue: npm i https://pkg.pr.new/@clerk/vue@7875

commit: e4b2d6f

@coderabbitai

coderabbitai bot commented Feb 18, 2026

No actionable comments were generated in the recent review. 🎉


📝 Walkthrough

Adds a changeset entry for a patch release and updates getCookieDomain() in clerk-js to return the provided hostname when eTLD+1 detection fails instead of returning undefined. The change ensures a deterministic fallback for cookie domain determination and includes an updated test that expects the hostname fallback. The changes address the __client_uat cookie being set across two domain scopes when the app loads in iframe and non-iframe contexts.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main fix: preventing duplicate __client_uat cookies in iframe contexts by making getCookieDomain fall back to hostname instead of undefined.




