
Warn and fall back when cookieOptions.domain is a Public Suffix List entry #70

Open
pepeladeira wants to merge 1 commit into main from psl-cookie-domain-warning

Conversation


@pepeladeira pepeladeira commented May 8, 2026

Summary by CodeRabbit

  • Bug Fixes

    • Analytics script now gracefully handles Public Suffix List domain limitations. When a restricted domain is detected, a warning is logged and cookie configuration falls back to the default hostname-derived domain.
  • Documentation

    • Updated documentation to explain that certain hosted domain suffixes cannot be used for cookies; the script will fall back to the current hostname in such cases.


vercel Bot commented May 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: analytics-nextjs-geolocation-script
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 8, 2026 8:56pm



coderabbitai Bot commented May 8, 2026

Walkthrough

This PR guards cookie domain configuration against browser Public Suffix List (PSL) limitations by introducing a KNOWN_PSL_DOMAINS allowlist. When a configured domain matches a PSL entry, the script logs a warning and removes the domain, falling back to the default. Documentation updates explain the limitation to users.

Changes

Public Suffix List Cookie Domain Guard

  • Type Documentation (packages/web/src/types.ts): the cookieOptions.domain docblock warns that PSL domains are rejected by browsers and that the script falls back to the hostname-derived domain.
  • PSL Domains Allowlist (packages/script/src/base.js): introduces the KNOWN_PSL_DOMAINS array containing known PSL domains like .vercel.app and .netlify.app that browsers silently reject for cookie writes.
  • Domain Validation & Fallback (packages/script/src/base.js): during data-cookie-options parsing, domain values are validated against KNOWN_PSL_DOMAINS; matching domains trigger a console warning and are removed so cookies revert to the default hostname-derived domain.
  • User Documentation (packages/web/README.md): the README clarifies that PSL cookie domains are not usable in browsers; the script warns and falls back to the current hostname, and cross-subdomain sharing via PSL domains is not achievable.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A list of domains dark and deep,
That browsers guard from cookie sweep,
Now warnings bloom when bad domains creep—
The script steps back, the defaults keep.
Cross-subdomain dreams on PSL stay unmet,
But clear we've made what users get! 🍪✨

Pre-merge checks: 5 passed

  • Description Check: Passed (check skipped because CodeRabbit's high-level summary is enabled).
  • Title check: Passed. The pull request title accurately and specifically describes the main change: adding a warning and fallback mechanism when cookieOptions.domain is a Public Suffix List entry.
  • Docstring Coverage: Passed. No functions were found in the changed files to evaluate docstring coverage, so the check was skipped.
  • Linked Issues check: Passed (check skipped because no linked issues were found for this pull request).
  • Out of Scope Changes check: Passed (check skipped because no linked issues were found for this pull request).




@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/script/src/base.js`:
- Around line 44-47: The PSL membership check is case-sensitive so domains like
`.Vercel.App` bypass the warning; normalize the configured domain before lookup
by lowercasing (and trimming the leading dot as already done) so the
`KNOWN_PSL_DOMAINS.includes(bare)` check is consistent—update how `bare` is
derived from `parsedOpts.domain` (used in the `if (parsedOpts.domain)` branch)
to produce a normalized lowercase domain prior to calling
`KNOWN_PSL_DOMAINS.includes`.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8b3c58ce-c9a8-47af-9a1f-92d0891d96b8

📥 Commits

Reviewing files that changed from the base of the PR and between 811e701 and 38bd809.

📒 Files selected for processing (3)
  • packages/script/src/base.js
  • packages/web/README.md
  • packages/web/src/types.ts

Comment on lines +44 to +47:

    if (parsedOpts.domain) {
      const bare = parsedOpts.domain.replace(/^\./, '');
      if (KNOWN_PSL_DOMAINS.includes(bare)) {
        console.warn(


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Normalize configured domain before PSL lookup.

Line 45 currently checks PSL membership case-sensitively, so values like .Vercel.App bypass the warning/fallback path. Normalize input first to keep behavior consistent.

Suggested patch
-    if (parsedOpts.domain) {
-      const bare = parsedOpts.domain.replace(/^\./, '');
+    if (parsedOpts.domain) {
+      const bare = parsedOpts.domain.trim().replace(/^\./, '').toLowerCase();
       if (KNOWN_PSL_DOMAINS.includes(bare)) {
         console.warn(
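Review bot: in the lines shown, the trimmed and lowercased value lives only in `bare`, which feeds the `KNOWN_PSL_DOMAINS.includes(bare)` lookup, while `parsedOpts.domain` keeps its original casing and surrounding whitespace. If that original value is what later reaches the cookie write, a non-listed domain such as `" Example.com "` passes the check and is stored untrimmed. Consider assigning the normalized value back to `parsedOpts.domain` (or normalizing it in place before the check) so the lookup and the stored value agree.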
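The guard that the walkthrough and the review comment describe, as an added example rather than the project's own code: `KNOWN_PSL_DOMAINS` holds only the two suffixes the page names, and `normalizeDomain`, `isPublicSuffix` and `parseCookieOptions` are assumed names. Beyond the PR's snippet, it also stores the kept domain in normalized form.

```javascript
// Added example, not the project's own code: the PSL cookie-domain guard the PR
// describes, with the case/whitespace normalization the review asks for.
// KNOWN_PSL_DOMAINS holds only the two suffixes named on the page; it is a
// constructed subset, not the full Public Suffix List.
const KNOWN_PSL_DOMAINS = ['vercel.app', 'netlify.app'];

// Normalize a configured cookie domain: trim whitespace, drop one leading dot,
// lowercase. Non-string input normalizes to '' so the lookup below never matches.
function normalizeDomain(domain) {
  if (typeof domain !== 'string') return '';
  return domain.trim().replace(/^\./, '').toLowerCase();
}

// True when the configured domain is itself a known public suffix (exact match
// after normalization). A site under it, e.g. my-app.vercel.app, is not a public
// suffix and is accepted.
function isPublicSuffix(domain) {
  return KNOWN_PSL_DOMAINS.includes(normalizeDomain(domain));
}

// Parse a data-cookie-options JSON string and apply the guard. A PSL domain is
// warned about and deleted so the cookie falls back to the hostname-derived
// default; any other domain is stored in normalized form (the PR's snippet only
// normalizes the value used for the lookup). `log` is injectable so a test can
// capture the warning instead of reading console output.
function parseCookieOptions(raw, log = console.warn) {
  let parsedOpts;
  try {
    parsedOpts = JSON.parse(raw);
  } catch (e) {
    log('data-cookie-options is not valid JSON; using defaults');
    return {};
  }
  if (parsedOpts === null || typeof parsedOpts !== 'object') return {};
  if (parsedOpts.domain) {
    if (isPublicSuffix(parsedOpts.domain)) {
      log(`cookieOptions.domain "${parsedOpts.domain}" is a Public Suffix List ` +
          'entry; browsers reject cookies for it. Falling back to the current hostname.');
      delete parsedOpts.domain;
    } else {
      parsedOpts.domain = normalizeDomain(parsedOpts.domain);
    }
  }
  return parsedOpts;
}
```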
