# Cookies

{% hint style="success" %}
**Audience:** Developers & Solution Architects

**Purpose:** Explains best practices for managing cookies in <code class="expression">space.vars.Kizen\_company\_name</code> plugins, including iFrame behavior and partitioned cookies.
{% endhint %}

## Overview

This document outlines best practices for managing cookies within iFrames, which is essential for maintaining sessions within plugins for the <code class="expression">space.vars.Kizen\_company\_name</code> ecosystem. This guide also covers the basics of cookie domains and explains how partitioned cookies work.

### Cookies in iFrames <a href="#cookies-in-iframes" id="cookies-in-iframes"></a>

When working with iFrames, cookies behave differently compared to cookies set directly from a first-party context. When you build a plugin that frames your application into <code class="expression">space.vars.Kizen\_company\_name</code>, your application operates in a third-party context, meaning that the cookies set or accessed within them are subject to stricter privacy and security rules.

Standard attributes like `SameSite`, `Secure`, `Domain` and `HttpOnly` continue to apply. There is also a `Partitioned` attribute that can be set in Chromium browsers to allow for cross-site cookies to function securely. See [Google’s guide on cookies](https://privacysandbox.google.com/cookies/basics/cookie-attributes) for a full list of attributes.

### Partitioned Cookies <a href="#partitioned-cookies" id="partitioned-cookies"></a>

Partitioned cookies are a privacy-enhancing measure where cookies are isolated by the top-level site (i.e., the site that appears in the browser’s address bar). This means that even if a cookie is set in an iFrame, it is partitioned by the top-level domain. Chromium-based browsers currently provide support for partitioned cookies, but browsers without support fall back on the default cookie behavior.

Partitioned cookies can be applied via the `Partitioned=true` attribute. Its important to also correctly apply the Domain attribute to ensure frontend Javascript code can read the cookies. For example, `Domain=.example.com`

Partitioning prevents a third-party service embedded via an iFrame from tracking a user across different sites. Each site gets its own isolated instance of the cookie. For cookies using `SameSite=None`, partitioning will ensure these cookies continue to work in Chromium browsers with Google’s removal of cross-site cookies.

***

## Clearing and Updating Cookies in iFrames <a href="#clearing-and-updating-cookies-in-iframes" id="clearing-and-updating-cookies-in-iframes"></a>

We recommend avoiding manipulating partitioned cookies directly from front-end Javascript, due to differences in browser support. Instead, your application’s server should handle setting, modifying, and deleting cookies, especially if your application expects to be embedded in the <code class="expression">space.vars.Kizen\_company\_name</code> application through a plugin.

### Limitations of Clearing Cookies <a href="#the-limitation-in-script-based-updating-and-clearance" id="the-limitation-in-script-based-updating-and-clearance"></a>

Chromium browsers do not allow modifying or deleting partitioned cookies from front-end Javascript if your application is framed into a site using a different domain. This means that attempting to clear/update these cookies using JavaScript from within an iFrame will not work as expected, and will differ from other browsers such as Safari.

### Recommended Server Approach <a href="#recommended-backend-approach" id="recommended-backend-approach"></a>

Given this limitation, all cookie clearing operations for partitioned cookies should be implemented at the server level. Your API should send a response with the `Set-Cookie` header that clears the cookie. This typically involves setting the cookie’s value to an empty string, its expiration date to a past date, and match all the attributes applied to the cookie.

**Example (Using Node.js/Express):**

```javascript
// This express handler responds with a Set-Cookie header that clears the cookie defined by the parameters
 
app.get('/clear-cookie', (req, res) => { 
  // Set the cookie with an expired date to instruct the browser to clear it 
  res.cookie('myCookie', '', { 
    expires: new Date(0), 
    path: '/', 
    secure: true, 
    httpOnly: true, 
    domain: '.example.com', 
    partitioned: true 
  });

 res.send('Cookie cleared on the server.'); 
});
```

When clearing and updating cookies, ensure that the path, domain, and partitioned attribute match those used when the cookie was set. Mismatches can result in the cookie not being cleared.

By handling cookie clearing or modification on the backend, you bypass the limitations imposed on client-side scripts in iFrames and ensure a consistent approach across all user contexts and browsers.&#x20;

***

## Browser Support for Partitioned Cookies <a href="#browser-support-for-partitioned-cookies" id="browser-support-for-partitioned-cookies"></a>

The table below summarizes the current support for partitioned cookies across major browsers. If the browser does not support partitioned cookies they will be accessible at top level domains and can also be modified. In time this standard is expected to be adopted by all browsers, as cross-site and third-party cookies are fully phased out.

| **Google Chrome**     | Supported (since recent versions) | <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/standard/caa27a19-fc09-4452-b2b4-a301552fd69c/64x64/274c.png" alt="cross mark" data-size="line">                                                                 | Stable support in current releases (e.g., Chrome 105+).     |
| --------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
| **Microsoft Edge**    | Supported (Chromium-based)        | <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/standard/caa27a19-fc09-4452-b2b4-a301552fd69c/64x64/274c.png" alt="cross mark" data-size="line">                                                                 | Mirrors Chrome’s implementation.                            |
| **Opera**             | Supported (Chromium-based)        | <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/standard/caa27a19-fc09-4452-b2b4-a301552fd69c/64x64/274c.png" alt="cross mark" data-size="line">                                                                 | Mirrors Chrome’s implementation.                            |
| **Mozilla Firefox**   | Not yet supported                 | <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/standard/caa27a19-fc09-4452-b2b4-a301552fd69c/64x64/2705.png" alt="check mark button" data-size="line">                                                          | Support is under evaluation; check upcoming releases.       |
| **Safari**            | Coming Soon                       | <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/standard/caa27a19-fc09-4452-b2b4-a301552fd69c/64x64/2705.png" alt="check mark button" data-size="line"> (Will not be supported when partitioned cookies rollout) | Expected to support partitioned cookies in future releases. |
| **Internet Explorer** | Not Supported                     | <img src="https://pf-emoji-service--cdn.us-east-1.prod.public.atl-paas.net/standard/caa27a19-fc09-4452-b2b4-a301552fd69c/64x64/2705.png" alt="check mark button" data-size="line">                                                          | Deprecated and no further updates are planned.              |

***

## What's Next

If you need additional context, revisit the plugin component topics to see how cookie management applies across different plugin surfaces.

<details>

<summary>Related Topics</summary>

* [Plugin Development](/docs/integrations-and-plugins/plugin-development.md)
* [Toolbar Items](/docs/integrations-and-plugins/plugin-development/toolbar-items.md)
* [Floating Frames](/docs/integrations-and-plugins/plugin-development/floating-frames.md)
* [Embedded Pages](/docs/integrations-and-plugins/plugin-development/embedded-pages.md)
* [Embedded Blocks](/docs/integrations-and-plugins/plugin-development/embedded-blocks.md)
* [Data Adornments](/docs/integrations-and-plugins/plugin-development/data-adornments.md)

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://developer.kizen.com/docs/integrations-and-plugins/plugin-development/cookies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.