# `react-doctor/cors-cookie-trust-risk`

Combining credentialed CORS with a wildcard or less-trusted origin, or scoping auth cookies to a parent domain, lets other sites or subdomains ride a user's session.

- **Category:** Security
- **Severity:** warn
- **Source:** oxlint-plugin-react-doctor
- **Framework:** global
- **Enabled when:** production source files (.js/.ts/.tsx) or config/CI files; tests/build/docs/generated paths skipped

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires in production source or config/CI files on two shapes: (1) credentialed CORS — `Access-Control-Allow-Credentials: true` within ~700 chars of an `Access-Control-Allow-Origin` of `*`, `https://docs.`, or a `mintlify` host (combining credentials with a wildcard or less-trusted docs origin); or (2) a broad auth-cookie scope — a `session`/`auth`/`token`/`jwt` cookie string carrying `Domain=.` (a leading-dot parent-domain scope that shares the cookie across all subdomains). FALSE POSITIVE to suppress: an `Access-Control-Allow-Origin: *` endpoint that serves only PUBLIC, non-credentialed data (so the `Allow-Credentials: true` is a stale/unused header), or a `Domain=.` cookie that is intentionally non-sensitive (not a real session token despite a matching name) — confirm the cookie actually authenticates and that the wildcard origin is genuinely paired with credentials.

## Fix prompt

Use this once validation confirms the diagnostic is real.

Do not pair `Access-Control-Allow-Credentials: true` with a wildcard or less-trusted (docs/vendor) `Access-Control-Allow-Origin`; when credentials are required, reflect only an explicit allowlist of fully-trusted origins, and serve docs and marketing domains without credentialed CORS. Keep auth cookies host-only by dropping the leading-dot `Domain=.`, and set `HttpOnly`, `Secure`, and `SameSite`. Isolate documentation and custom domains from the app session so an XSS there cannot use app cookies.