chore(clerk-js): Add comment for SameSite=Strict usage (#5781)

brkalow · web-flow · commit a44780b154de · 2025-05-01T11:07:07.000-05:00
diff --git a/.changeset/beige-rockets-stand.md b/.changeset/beige-rockets-stand.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/packages/clerk-js/src/core/auth/cookies/clientUat.ts b/packages/clerk-js/src/core/auth/cookies/clientUat.ts
@@ -31,6 +31,12 @@ export const createClientUatCookie = (cookieSuffix: string): ClientUatCookieHand
 
   const set = (client: ClientResource | undefined) => {
     const expires = addYears(Date.now(), 1);
+    /*
+     * SameSite=Strict is used here to force requests originating from a different domain to resolve the auth state.
+     * In development, it's possible that the auth state has changed on a different domain.
+     * Generally, this is handled by redirectWithAuth() being called and relying on the dev browser ID in the URL,
+     * but if that isn't used we rely on this. In production, nothing is cross-domain and Lax is used when client_uat is set from FAPI.
+     */
     const sameSite = inCrossOriginIframe() ? 'None' : 'Strict';
     const secure = getSecureAttribute(sameSite);
     const domain = getCookieDomain();
