ethyca · eastandwestwind · Oct 16, 2024 · Sep 27, 2024 · Sep 30, 2024 · Sep 30, 2024
diff --git a/clients/fides-js/__tests__/lib/cookie.test.ts b/clients/fides-js/__tests__/lib/cookie.test.ts
@@ -396,34 +396,53 @@ describe("cookies", () => {
 
     it.each([
       { cookies: [], expectedAttributes: [] },
-      { cookies: [{ name: "_ga123" }], expectedAttributes: [{ path: "/" }] },
+      { cookies: [], removeSubdomainCookies: true, expectedAttributes: [] },
       {
-        cookies: [{ name: "_ga123", path: "" }],
-        expectedAttributes: [{ path: "" }],
+        cookies: [{ name: "_ga123" }],
+        expectedAttributes: [undefined],
       },
       {
-        cookies: [{ name: "_ga123", path: "/subpage" }],
-        expectedAttributes: [{ path: "/subpage" }],
+        cookies: [{ name: "_ga123" }],
+        removeSubdomainCookies: true,
+        expectedAttributes: [undefined, { domain: ".example.co.jp" }],
       },
       {
-        cookies: [{ name: "_ga123" }, { name: "shopify" }],
-        expectedAttributes: [{ path: "/" }, { path: "/" }],
+        cookies: [{ name: "aax-uid" }, { name: "pixel" }],
+        expectedAttributes: [undefined, undefined],
+      },
+      {
+        cookies: [{ name: "aax-uid" }, { name: "pixel" }],
+        removeSubdomainCookies: true,
+        expectedAttributes: [undefined, { domain: ".example.co.jp" }],
       },
     ])(
       "should remove a list of cookies",
       ({
         cookies,
+        removeSubdomainCookies,
         expectedAttributes,
       }: {
         cookies: CookiesType[];
-        expectedAttributes: CookieAttributes[];
+        removeSubdomainCookies?: boolean;
+        expectedAttributes: Array<CookieAttributes | undefined>;
       }) => {
-        removeCookiesFromBrowser(cookies);
-        expect(mockRemoveCookie.mock.calls).toHaveLength(cookies.length);
-        cookies.forEach((cookie, idx) => {
-          const [name, attributes] = mockRemoveCookie.mock.calls[idx];
-          expect(name).toEqual(cookie.name);
-          expect(attributes).toEqual(expectedAttributes[idx]);
+        removeCookiesFromBrowser(cookies, removeSubdomainCookies);
+        const expectedLength = removeSubdomainCookies
+          ? cookies.length * 2
+          : cookies.length;
+        expect(mockRemoveCookie.mock.calls).toHaveLength(expectedLength);
+        cookies.forEach((cookie, cookieIdx) => {
+          const calls = removeSubdomainCookies
+            ? mockRemoveCookie.mock.calls.slice(
+                cookieIdx * 2,
+                cookieIdx * 2 + 2,
+              )
+            : mockRemoveCookie.mock.calls.slice(cookieIdx, cookieIdx + 1);
+          calls.forEach((call, i) => {
+            const [name, attributes] = call;
+            expect(name).toEqual(cookie.name);
+            expect(attributes).toEqual(expectedAttributes[i]);
+          });
         });
       },
     );

diff --git a/clients/fides-js/src/fides-tcf.ts b/clients/fides-js/src/fides-tcf.ts
@@ -259,6 +259,7 @@ const _Fides: FidesGlobal = {
     base64Cookie: false,
     fidesPrimaryColor: null,
     fidesClearCookie: false,
+    automaticSubdomainCookieDeletion: false,
   },
   fides_meta: {},
   identity: {},

diff --git a/clients/fides-js/src/fides.ts b/clients/fides-js/src/fides.ts
@@ -199,6 +199,7 @@ const _Fides: FidesGlobal = {
     base64Cookie: false,
     fidesPrimaryColor: null,
     fidesClearCookie: false,
+    automaticSubdomainCookieDeletion: false,
   },
   fides_meta: {},
   identity: {},

diff --git a/clients/fides-js/src/lib/consent-types.ts b/clients/fides-js/src/lib/consent-types.ts
@@ -126,6 +126,9 @@ export interface FidesInitOptions {
 
   // Shows fides.js overlay UI on load deleting the fides_consent cookie as if no preferences have been saved
   fidesClearCookie: boolean;
+
+  // Whether cookies on subdomains should be deleted when user opts out
+  automaticSubdomainCookieDeletion: boolean;
 }
 
 /**

diff --git a/clients/fides-js/src/lib/cookie.ts b/clients/fides-js/src/lib/cookie.ts
@@ -331,13 +331,18 @@ export const makeConsentDefaultsLegacy = (
 
 /**
  * Given a list of cookies, deletes them from the browser
+ * Optionally removes subdomain cookies as well
  */
-export const removeCookiesFromBrowser = (cookiesToRemove: CookiesType[]) => {
+export const removeCookiesFromBrowser = (
+  cookiesToRemove: CookiesType[],
+  removeSubdomainCookies: boolean = false,
+) => {
   cookiesToRemove.forEach((cookie) => {
-    cookies.remove(cookie.name, {
-      path: cookie.path ?? "/",
-      domain: cookie.domain,
-    });
+    const { hostname } = window.location;
+    cookies.remove(cookie.name);
+    if (removeSubdomainCookies) {
+      cookies.remove(cookie.name, { domain: `.${hostname}` });
+    }
   });
 };
 

diff --git a/clients/fides-js/src/lib/preferences.ts b/clients/fides-js/src/lib/preferences.ts
@@ -143,7 +143,10 @@ export const updateConsentPreferences = async ({
           preference.consentPreference === UserConsentPreference.OPT_OUT,
       )
       .forEach((preference) => {
-        removeCookiesFromBrowser(preference.notice.cookies);
+        removeCookiesFromBrowser(
+          preference.notice.cookies,
+          options.automaticSubdomainCookieDeletion,
+        );
       });
   }
 

diff --git a/clients/privacy-center/app/server-environment.ts b/clients/privacy-center/app/server-environment.ts
@@ -65,6 +65,7 @@ export type PrivacyCenterClientSettings = Pick<
   | "BASE_64_COOKIE"
   | "FIDES_PRIMARY_COLOR"
   | "FIDES_CLEAR_COOKIE"
+  | "AUTOMATIC_SUBDOMAIN_COOKIE_DELETION"
 >;
 
 export type Styles = string;
@@ -342,6 +343,8 @@ export const loadPrivacyCenterEnvironment = async ({
     BASE_64_COOKIE: settings.BASE_64_COOKIE,
     FIDES_PRIMARY_COLOR: settings.FIDES_PRIMARY_COLOR,
     FIDES_CLEAR_COOKIE: settings.FIDES_CLEAR_COOKIE,
+    AUTOMATIC_SUBDOMAIN_COOKIE_DELETION:
+      settings.AUTOMATIC_SUBDOMAIN_COOKIE_DELETION,
   };
 
   // For backwards-compatibility, override FIDES_API_URL with the value from the config file if present

diff --git a/clients/privacy-center/app/server-utils/PrivacyCenterSettings.ts b/clients/privacy-center/app/server-utils/PrivacyCenterSettings.ts
@@ -36,4 +36,5 @@ export interface PrivacyCenterSettings {
   BASE_64_COOKIE: boolean; // whether or not to encode cookie as base64 on top of the default JSON string
   FIDES_PRIMARY_COLOR: string | null; // (optional) sets fides primary color
   FIDES_CLEAR_COOKIE: boolean; // (optional) deletes fides_consent cookie on reload
+  AUTOMATIC_SUBDOMAIN_COOKIE_DELETION: boolean; // (optional) deletes notice cookies from subdomains in addition to top-level domain on opt-out
 }
diff --git a/clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts b/clients/privacy-center/app/server-utils/loadEnvironmentVariables.ts
@@ -81,6 +81,11 @@ const loadEnvironmentVariables = () => {
     FIDES_CLEAR_COOKIE: process.env.FIDES_PRIVACY_CENTER__FIDES_CLEAR_COOKIE
       ? process.env.FIDES_PRIVACY_CENTER__FIDES_CLEAR_COOKIE === "true"
       : false,
+    AUTOMATIC_SUBDOMAIN_COOKIE_DELETION: process.env
+      .FIDES_PRIVACY_CENTER__AUTOMATIC_SUBDOMAIN_COOKIE_DELETION
+      ? process.env
+          .FIDES_PRIVACY_CENTER__AUTOMATIC_SUBDOMAIN_COOKIE_DELETION === "true"
+      : false,
   };
   return settings;
 };

diff --git a/clients/privacy-center/pages/api/fides-js.ts b/clients/privacy-center/pages/api/fides-js.ts
@@ -261,6 +261,8 @@ export default async function handler(
       base64Cookie: environment.settings.BASE_64_COOKIE,
       fidesPrimaryColor: environment.settings.FIDES_PRIMARY_COLOR,
       fidesClearCookie: environment.settings.FIDES_CLEAR_COOKIE,
+      automaticSubdomainCookieDeletion:
+        environment.settings.AUTOMATIC_SUBDOMAIN_COOKIE_DELETION,
     },
     experience: experience || undefined,
     geolocation: geolocation || undefined,