🍪 Hydrogen Cookie Migration for New Shopify Cookie Architecture

[frandiox]

🍪 Hydrogen Cookie Migration for New Shopify Cookie Architecture

Overview

This PR implements support for Shopify's new consolidated cookie architecture. The legacy _shopify_y and _shopify_s cookies are being sunset in 2026, with their functionality absorbed into the new http-only cookies: _shopify_analytics, _shopify_marketing, and _shopify_essential.

Main Changes

1. Storefront API Proxy

• Added a built-in SFAPI proxy in the Hydrogen server via the new createRequestHandler
• Allows same-origin requests from the browser, enabling http-only cookies to be properly set

2. New Tracking Utilities

• getTrackingValues(): Reads tracking values (uniqueToken/visitToken) from server-timing headers via the Performance API
• Falls back to deprecated _shopify_y/_shopify_s cookies during transition
• getShopifyCookies is deprecated and now works internally by calling getTrackingValues

3. Updated useShopifyCookies Hook

• New fetchTrackingValues option to fetch cookies from browser
• Now returns a boolean indicating when cookies are ready

4. Privacy/Consent Integration

• Updated to Consent Tracking API v0.2
• sameDomainForStorefrontApi option for proxy-aware consent libraries
• ShopifyProvider auto-detects SFAPI proxy availability via server-timing headers

5. Backward Compatibility

• During transition, we still write tracking values back to deprecated cookies
• Supports both new and legacy cookie systems concurrently

Migration Impact

Deployment Type	Action Required
Full-stack Hydrogen on Oxygen	Upgrade packages (automatic)
Hydrogen on other platforms	Update server.ts to use new createRequestHandler
hydrogen-react in custom frameworks	Manual server-side proxy implementation or custom cookies

E2E Testing

• Playwright now spins up a test server per spec. Each server can be connected to a different store.
• New Playwright test suite for cookie/privacy banner scenarios
• Tests for consent acceptance, decline, and migration flows

[shopify]

Oxygen deployed a preview of your fd-tracking-cookies-v4 branch. Details:

Storefront	Status	Preview link	Deployment details	Last update (UTC)
Skeleton (skeleton.hydrogen.shop)	✅ Successful (Logs)	Preview deployment	Inspect deployment	December 11, 2025 1:22 AM
third-party-queries-caching	✅ Successful (Logs)	Preview deployment	Inspect deployment	December 11, 2025 1:23 AM
sitemap	✅ Successful (Logs)	Preview deployment	Inspect deployment	December 11, 2025 1:23 AM
metaobjects	✅ Successful (Logs)	Preview deployment	Inspect deployment	December 11, 2025 1:23 AM
custom-cart-method	✅ Successful (Logs)	Preview deployment	Inspect deployment	December 11, 2025 1:23 AM

Learn more about Hydrogen's GitHub integration.

[kdaviduik]

Suggested change

	tracking?: boolean;
	shouldCollectTrackingInformation?: boolean;

or something like shouldCollectShopifyTrackingInformation

[frandiox]

Given the existing patterns (e.g. poweredByHeader: boolean), I think we can use collectTrackingInformation: boolean better?

[kdaviduik]

Why .length > 1? to confirm, this is just to confirm that we did indeed make a request to the server (rather than having this be returned from the cache), right? or is there something else I'm missing here?

[frandiox]

It seems _shopify_essential might be returned alone from SFAPI, and we can't be sure this means we got everything we needed (at least during the transition period). With this we just check at at least essential + another cookie comes back. Therefore, if we only have 1 cookie, we'll fire a request from the browser to get everything.
Will leave a comment around there 👍

[kdaviduik]

Why are we bothering to JSON.stringify the consent? We don't seem to actually be reading it anywhere

[frandiox]

This was one of the bug fixes added in the PR to existing Hydrogen behavior. It wasn't calling canTrack again after consent changed.

Basically, every time consent changes (the user clicks the banner, or shows the preferences banner and clicks) we should recalculate hasUserConsent, since writing or deleting cookies depend on that.

We use it below as a hook dependency, which means that whenever it changes that other hook will run (and will call canTrack()). This callback is fired multiple times from privacy-banner, and sometimes it doesn't really mean "consent collected" (a bug in my opinion but it will take longer to fix). With this, we can check if consent has changed across different calls because the stringified version would be different only if consent changes.

---

I was going to add something else here but there are already two comments where this is set and read:

        // Store consent to refresh local cookies after it changes
        setCollectedConsent(JSON.stringify(consent));

    // Make this value depend on collectedConsent to re-run `canTrack()` when consent changes
    [privacyReady, canTrack, collectedConsent],

[kdaviduik]

for all of these i'm assuming you double checked the customer privacy API to confirm that all of these are outdated/no longer exist?

[frandiox]

Yeah, they were deprecated some time ago, according to their changelog and code

[kdaviduik]

can we pick a more descriptive name here (or at least add a comment)? i imagine this is referring to the _cmp value?

[frandiox]

We can add comments but these names seem to be the convention in other areas 👍 (e.g. _cmp => "consent management platform", current cookie is called _tracking_consent -- which should go away eventually).

[kdaviduik]

(threading)

Bug: Cross-subdomain matching fails for sibling domains

Location: packages/hydrogen-react/src/tracking-utils.ts:75-79

The Problem

The current matching logic only handles:

1. Same origin (hydrogen.shop ↔ hydrogen.shop)
2. Checkout as subdomain of storefront (checkout.hydrogen.shop → hydrogen.shop)

But it fails when storefront and checkout are sibling subdomains under a shared parent:

Storefront: oldnavy.gapcanada.ca
Checkout:   secure-oldnavy.gapcanada.ca

// Current check:
'secure-oldnavy.gapcanada.ca'.endsWith('.oldnavy.gapcanada.ca')  // FALSE ❌

This means SFAPI responses from checkout are ignored, and we fall back to stale navigation entry values.

The Fix

Add a third condition that checks if both hosts share a common ancestor domain:

const isMatch =
  matchedHost === currentHost ||
  (sfapiPath && matchedHost?.endsWith(`.${currentHost}`)) ||
  (sfapiPath && hasCommonAncestorDomain(matchedHost, currentHost)); // ← Add this

Where hasCommonAncestorDomain finds the common suffix parts (e.g., gapcanada.ca) and requires at least 2 matching parts (or 3 for multi-part TLDs like .co.uk) to prevent matching unrelated domains.

Other affected merchants

This would also affect setups like:

• www.store.com + checkout.store.com
• shop.brand.co.uk + secure.brand.co.uk

[kdaviduik]

For this we decided we're okay leaving this as is, since this only affects merchants with sibling domains AND who aren't using the proxy. We will explicitly document this limitation instead of supporting it here

[kdaviduik]

🚀!!!!!