ENG-1933: Add support for cookie deletion using wildcards

[guncha]

Ticket ENG-1933

Description Of Changes

This PR adds support for deleting cookies using wildcards which will typically be the form of prefix[id] or rarely [id]suffix. The removeCookiesFromBrowser function will now detect these, turn them into a regex pattern and use it to match cookies to be deleted. The attributes are ignored in this implementation since js-cookie doesn't return them when getting all of the cookies, but this could be worked around with some additional complexity.

Code Changes

• Update removeCookiesFromBrowser function

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
• UX feedback:
  • No UX review needed
• Followup issues:
  • No followup issues
• Database migrations:
  • No migrations
• Documentation:
• No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Jan 13, 2026 2:07am
fides-privacy-center	Ignored		Jan 13, 2026 2:07am

[greptile-apps]

Greptile Overview

Greptile Summary

Adds support for deleting cookies using wildcard patterns (e.g., _ga[id] to match _ga123, _ga456). The implementation separates wildcard cookies from regular cookies, builds a regex pattern by escaping special characters and replacing [id] with .*?, then matches and removes all matching cookies.

Key changes:

• Added isWildcardCookie helper to detect cookies containing [id] placeholder
• Modified removeCookiesFromBrowser to handle wildcard cookies separately using regex matching
• Comprehensive test coverage including special characters and multiple wildcards

Issue found: The regex pattern uses .*? (zero or more characters) for wildcard matching, which would incorrectly match cookies where the wildcard portion is empty (e.g., _ga[id] would match both _ga123 and _ga). Should use .+? (one or more characters) instead.

Confidence Score: 3/5

• This PR has a logical issue that could cause unintended cookie deletions
• The wildcard regex pattern uses .*? which matches zero or more characters, potentially matching cookies without the expected ID portion. This could lead to deleting cookies that don't match the intended pattern (e.g., _ga[id] matching _ga exactly). Tests don't cover this edge case.
• clients/fides-js/src/lib/cookie.ts needs attention for the regex pattern logic

Important Files Changed

File Analysis

Filename	Score	Overview
clients/fides-js/src/lib/cookie.ts	4/5	Added wildcard cookie detection and removal logic for cookies with [id] placeholder patterns
clients/fides-js/tests/lib/cookie.test.ts	5/5	Added comprehensive test coverage for wildcard cookie functionality including edge cases

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[guncha]

@gilluminate ready for another look! The cookies on the notice that are coming from the website monitor will have the domain field so we can always use that, unless the domain overrides are enabled. The cookies will not have path though and will default to /, but not when doing the subdomain cookie deletion? I don't know, that was the existing behavior so I didn't want to change it.

[gilluminate]

Approved with one very minor nitpick to prefer arrow functions