Cookies

Ruby

• cdo.rb def canonical_hostname
• request.rb def shared_cookie_domain
• cookie_helpers.rb def environment_specific_cookie_name()
• steps.rb params[:domain] = '.code.org' # top level domain cookie
• dashboard_helpers.rb # sets the cookie for the top-level domain
• hoc_helper.rb set_cookie('hour_of_code', {domain: '.code.org'
• test_request.rb # Localhost subdomains are normalized to the "base"
• home_controller_test.rb domain=.code.org; path=/; expires=
• test_request.rb def test_shared_cookie_domain
• storage_id.rb domain: ".#{request.shared_cookie_domain}",

JS/TS

• utils.js
• cookieBanner.js
• songs.js "signed cloudfront cookies"
• user_header.haml // Share cookie with top-level domain.
• SIgnInOrAgeDialog.js cookies.remove(cookieName, {path: '/', domain: '.code.org'});

OneTrust

• application.html.haml
• onetrust_cookie_scripts.haml
• test_onetrust_cookie_scripts.rb

pegasus/sites.v3/____/themes/____.haml: sets up one trust cookie domain

• https://github.com/code-dot-org/code-dot-org/blob/3fb8b13c8a4e5aa07958c1909a12f6665046b334/pegasus/sites.v3/code.org/themes/default.haml/#L4-L5
• https://github.com/code-dot-org/code-dot-org/blob/3fb8b13c8a4e5aa07958c1909a12f6665046b334/pegasus/sites.v3/code.org/themes/responsive_full_width.haml/#L8-L9
• https://github.com/code-dot-org/code-dot-org/blob/3fb8b13c8a4e5aa07958c1909a12f6665046b334/pegasus/sites.v3/code.org/themes/responsive_wide.haml/#L4
• https://github.com/code-dot-org/code-dot-org/blob/3fb8b13c8a4e5aa07958c1909a12f6665046b334/pegasus/sites.v3/code.org/themes/responsive.haml
• https://github.com/code-dot-org/code-dot-org/blob/3fb8b13c8a4e5aa07958c1909a12f6665046b334/pegasus/sites.v3/hourofcode.com/themes/default.haml/#L4
• https://github.com/code-dot-org/code-dot-org/blob/3fb8b13c8a4e5aa07958c1909a12f6665046b334/pegasus/sites.v3/hourofcode.com/themes/how_to_guide.haml/#L4

Domains of interest

• localhost-studio.code.org => studio.code.org.localhost
• localhost.code.org => code.org.localhost
• localhost.codeprojects.org => codeprojects.org.localhost
• localhost.hourofcode.com => hourofcode.com.localhost
• Any domains missing?

Maybe don't need to work?

• localhost.csedweek.org => csedweek.org.localhost, doesn't seem to be on staging?
  

Wildcards:

• From def canonical_hostname in cdo.rb:
  -return "#{name}.#{domain}" if ['console', 'hoc-levels'].include?(name):
  • console.code.org?
  • hoc-levels.code.org?
  • return "localhost#{sep}#{domain}" if rack_env?(:development) || ci_webserver?
    • I think this means Drone uses localhost-studio.code.org?

Papercuts

On http://studio.code.org.localhost:3000/home:

• Font Awesome: what is https://dsco.code.org/assets/font-awesome-pro, an S3 bucket? CORS policy blocks it
• banner-progress-launch.png: old-style url => 403
• New Project->AppLab => old-style url

It's Alive!

Basic "mostly works" has been achieved. There's still broken URLs, missing assets, etc, but its mostly functional.

Pegasus works:

Dashboard works:

Cross-pegasus dashboard cookies work

I think? they have to for sign in right?

Cross Pegasus <=> Dashboard links seem to work, the ones I've tested:

Hour of Code works:

HTTPS works:

One failed unit test from ruby, its about shared cookies:

  test_shared_cookie_domain                                       FAIL (0.00s)
Minitest::Assertion:         Expected: "code.org"
          Actual: "code.org.localhost"
        /drone/src/pegasus/test/test_request.rb:22:in `block in test_shared_cookie_domain'
        /drone/src/pegasus/test/test_request.rb:20:in `each'
        /drone/src/pegasus/test/test_request.rb:20:in `test_shared_cookie_domain'

I just confirmed on Chrome, the way it works right now is most of our code.org cookies are set on the def shared_cookie_domain (request.rb on github).

Do any of these cookies need to be shared?

Notice how localhost-studio.code.org and code.org have exactly the same .code.org cookies? That's shared_cookie_domain at work:

hourofcode.com is basically alone in its own cookie world:

• hourofcode.com. ==> .hourofcode.com

But all these domains map to the same shared cookie domain .code.org:

• code.org ==> .code.org
• staging.code.org ==> .code.org
• test.code.org ==> .code.org
• levelbuilder.code.org ==> .code.org
• localhost.code.org ==> .code.org
• studio.code.org ==> .code.org
• test-studio.code.org ==> .code.org
• localhost-studio.code.org ==> .code.org

Do we actually want to share cookies between environments?

This test makes sure that happens, and it breaks because code.org.localhost cannot share a cookie domain with code.org. But.... isn't that a good thing? Notice we had to namespace our primary session cookies? Is this basically a vestigial complexification? Do we need to track google analytics users between test-studio.code.org and code.org? Between studio.code.org and localhost-studio.code.org? We're not using this feature.

In general I want as strong a boundary between my staging/test/prod as possible! This is an anti-feature, and we've gone out of way to enable it (it doesn't do this by default).

Proposal 1: (default) we use a non-sahred cookie for .localhost domains

Everything the same as above but:

boo.localhost ==> boo.localhost

Currently fixed this way by: 25ead00 and followup to simplify c5d1893

Proposal 2: we break away from shared cookies entirely

And fix this test to reflect it:

• code.org ==> .code.org # preserve sessions and tracking on code.org prod
• test.code.org ==> test.code.org
• levelbuilder.code.org ==> levelbuilder.code.org
• test-studio.code.org ==> test-studio.code.org
• studio.code.org.localhost ==> studio.code.org.localhost

I'm curious about the code.org.localhost vs code.localhost question. What's the reasoning for one over the other?

This works with Sauce Connect v5, but not with Sauce Connect v4, so this PR is now blocking on: #60333