Merge pull request #16 from Crowdhandler/feature/cookie-scoping

Fix wildcard cookie domain for multi-label public suffixes (2.4.1)

Author: luke-owen-crowdhandler

dist/crowdhandler.cjs.js

@@ -774,14 +774,15 @@ var Gatekeeper = /** @class */ (function () {
             (0, logger_1.logger)(this.options.debug, "info", "Domain has trailing wildcard, cannot use root domain cookie");
             return { isWildcard: false };
         }
-        // Extract root domain (last two parts for cookie domain)
-        var parts = domainPart.split('.');
-        var rootDomain = parts.length >= 2
-            ? ".".concat(parts.slice(-2).join('.'))
-            : ".".concat(domainPart);
+        // Use the full domain captured after the wildcard. The integrator's
+        // wildcard placement defines the cookie scope: e.g. *.barbican.org.uk
+        // → .barbican.org.uk, *.example.com → .example.com. Avoid heuristics
+        // like "last two labels", which mis-handle multi-label public suffixes
+        // (.co.uk, .org.uk, .com.au) and would scope the cookie to a public
+        // suffix the browser then rejects.
         return {
             isWildcard: true,
-            rootDomain: rootDomain
+            rootDomain: ".".concat(domainPart)
         };
     };
     /**