third_party_cookie.js

const express = require('express');
const PORT = process.env.PORT || 4000;

const app = express();

app.use(express.json());

app.use((req, res, next) => {

	let origin = req.headers.referer || req.headers.origin || '';

	if (origin?.endsWith('/')) {
		// Remove trailing slash if present
		origin = origin.slice(0, -1);
	}

	res.header("Access-Control-Allow-Origin", origin);
	res.header("Access-Control-Allow-Credentials", "true");
	next();
})

app.use((req, res, next) => {
	const splat = req.params.splat;
	res.cookie('token', 'your_jwt_token_here', {
		httpOnly: true,
		secure: true,
		sameSite: 'none',
		maxAge: 24 * 60 * 60 * 1000,
	});
	res.json({ message: `You requested the splat: ${splat}` });
});

app.listen(PORT, () => {
	console.log(`Server is running on port ${PORT}`);
})

As we know, setting a cookie with SameSite: 'None' and Secure: true requires CORS requests to include credentials: 'include' on the client side. However, when the server uses Access-Control-Allow-Origin: *, it cannot be combined with Access-Control-Allow-Credentials: true — which is required for sending cookies.

To work around this limitation, we can use a dynamic CORS origin echo strategy:

This allows us to:
• Dynamically reflect the request’s Origin or Referer as the Access-Control-Allow-Origin value
• Bypass the * restriction
• Successfully send SameSite=None cookies with cross-origin requests when credentials: 'include' is set on the client

As a result, any frontend calling the API with credentials: true will have its cookies automatically sent, enabling persistent sessions and tracking.