@guncha guncha commented Dec 1, 2025

Ticket ENG-1933

Description Of Changes

This PR adds support for deleting cookies using wildcards, which will typically be of the form prefix[id] or, rarely, [id]suffix. The removeCookiesFromBrowser function will now detect these, turn them into a regex pattern and use it to match cookies to be deleted. The attributes are ignored in this implementation since js-cookie doesn't return them when getting all of the cookies, but this could be worked around with some additional complexity.

For these changes to be useful, there needs to be some backend support to return the cookies with wildcards in the first place. Not clear if that's already in place or just being planned - need to track this down. The changes to Fides are pending - will link to a ticket from here when one is available.

Code Changes

  • Update removeCookiesFromBrowser function

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    potential for performance impact or unexpected regression) that should be flagged
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

@guncha guncha requested a review from a team as a code owner December 1, 2025 17:23
@guncha guncha requested review from gilluminate and removed request for a team December 1, 2025 17:23

greptile-apps bot commented Dec 1, 2025

Greptile Overview

Greptile Summary

Adds support for deleting cookies using wildcard patterns (e.g., _ga[id] to match _ga123, _ga456). The implementation separates wildcard cookies from regular cookies, builds a regex pattern by escaping special characters and replacing [id] with .*?, then matches and removes all matching cookies.

Key changes:

  • Added isWildcardCookie helper to detect cookies containing [id] placeholder
  • Modified removeCookiesFromBrowser to handle wildcard cookies separately using regex matching
  • Comprehensive test coverage including special characters and multiple wildcards

Issue found: The regex pattern uses .*? (zero or more characters) for wildcard matching, which would incorrectly match cookies where the wildcard portion is empty (e.g., _ga[id] would match both _ga123 and _ga). Should use .+? (one or more characters) instead.

Confidence Score: 3/5

  • This PR has a logical issue that could cause unintended cookie deletions
  • The wildcard regex pattern uses .*? which matches zero or more characters, potentially matching cookies without the expected ID portion. This could lead to deleting cookies that don't match the intended pattern (e.g., _ga[id] matching _ga exactly). Tests don't cover this edge case.
  • clients/fides-js/src/lib/cookie.ts needs attention for the regex pattern logic

Important Files Changed

File Analysis

Filename | Score | Overview
clients/fides-js/src/lib/cookie.ts | 4/5 | Added wildcard cookie detection and removal logic for cookies with [id] placeholder patterns
clients/fides-js/tests/lib/cookie.test.ts | 5/5 | Added comprehensive test coverage for wildcard cookie functionality including edge cases
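
The wildcard-to-regex conversion summarized above, as an added example that is not the PR's code: it compares the `.*?` and `.+?` quantifiers on constructed cookie names. The function names, the sample names, and the choice to anchor the pattern and omit the `g` flag are assumptions of this example.

```javascript
// Added illustration; wildcardToRegExp and matchCookieNames are hypothetical names.
const WILDCARD = "[id]";

// Escape regex metacharacters so "a.b" in a cookie name matches only a literal dot.
const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Turn a wildcard cookie name into a pattern.
// quantifier: ".*?" (as reviewed) or ".+?" (the reviewer's suggestion).
const wildcardToRegExp = (name, quantifier = ".+?") => {
  const body = name.split(WILDCARD).map(escapeRegExp).join(quantifier);
  // Assumption: anchor both ends and omit the "g" flag so test() is stateless.
  return new RegExp(`^${body}$`);
};

// Return the names that a wildcard cookie name would select for deletion.
const matchCookieNames = (wildcardName, names, quantifier) => {
  const pattern = wildcardToRegExp(wildcardName, quantifier);
  return names.filter((n) => pattern.test(n));
};

// Constructed sample of cookie names visible to the page.
const sampleNames = ["_ga", "_ga123", "_ga456", "_gat", "x_ga9", "a.b_1", "aXb_1"];

console.log(matchCookieNames("_ga[id]", sampleNames, ".*?")); // includes "_ga"
console.log(matchCookieNames("_ga[id]", sampleNames, ".+?")); // excludes "_ga"
console.log(matchCookieNames("a.b[id]", sampleNames, ".+?")); // literal dot only
```

With either quantifier, `_gat` is still selected by `_ga[id]`: a wildcard on a short prefix also covers differently named cookies that share that prefix.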

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 2 comments

);
Object.keys(cookies.get()).forEach((name) => {
if (pattern.test(name)) {
cookies.remove(name);
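
Review bot: pattern.test(name) inside the forEach is only reliable if pattern is built without the g or y flag and is anchored with ^ and $; the construction ends above this excerpt, so please confirm both. A global regex carries lastIndex from one test() call to the next and can skip names, and an unanchored pattern would also select names that merely contain the prefix. Separately, cookies.remove(name) passes no path or domain, so a matched cookie that was set with non-default attributes would stay in the browser.
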

Contributor

Regular cookies are removed with { path: cookie.path ?? "/", domain: domainToUse } and optionally subdomain removal. Wildcard cookies are removed with no options at all. This could fail to remove cookies set on specific paths or domains.

Contributor Author

I was wondering how this works.. I guess I'll dig into the library some more to see what the actual behavior is, i.e., are attributes required to remove the cookies or not.

Contributor

can probably just use removeCookiesFromBrowser from a few lines up :)

Contributor Author

Okay, js-cookie remove() function is a thin wrapper around document.cookie = "foo=..." with a past-due expiration which requires (name, path, domain) to match, but the library doesn't return the attributes and so is no help at all. I think the best way to handle this will depend on the backend support which may or may not provide the required attributes. Since that's TBD, we can pause here.
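
A small in-memory model of the behaviour described in the comment above, added here as an illustration and not js-cookie's or the PR's code: a removal is a write with a past expiry, and it only deletes the entry whose name, domain and path all match. CookieJar, demo, the host and the cookie values are constructed for the example.

```javascript
// Added model, not js-cookie's code. CookieJar and demo are hypothetical names.
// Visibility rules (which cookies a given page can read) are not modelled.
class CookieJar {
  constructor(host) {
    this.host = host;       // host of the page doing the writes
    this.store = new Map(); // keyed by name + domain + path
  }

  // A write with no domain/path falls back to the page host and "/".
  key(name, { domain = this.host, path = "/" } = {}) {
    return `${name}|${domain}|${path}`;
  }

  set(name, value, attrs = {}) {
    const k = this.key(name, attrs);
    // A past expiry deletes, but only the entry with the identical key.
    if (attrs.expires !== undefined && attrs.expires < Date.now()) this.store.delete(k);
    else this.store.set(k, { name, value });
  }

  // A names-only listing: attributes are not exposed to the caller.
  names() {
    return [...this.store.values()].map((c) => c.name);
  }

  // Removal is just a write with an expiry in the past.
  remove(name, attrs = {}) {
    this.set(name, "", { ...attrs, expires: 0 });
  }
}

const demo = () => {
  const jar = new CookieJar("www.example.com"); // constructed host and cookies
  jar.set("_ga111", "a");
  jar.set("_ga222", "b", { domain: "example.com" });
  jar.set("_ga333", "c", { path: "/shop" });

  jar.names().forEach((n) => jar.remove(n)); // removal with no attributes
  const afterBare = jar.names();

  jar.remove("_ga222", { domain: "example.com" });
  jar.remove("_ga333", { path: "/shop" });
  return { afterBare, afterExact: jar.names() };
};

console.log(demo());
```

Only the cookie written with default attributes disappears after the attribute-less pass; the other two survive until the removal repeats their domain or path.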

Contributor

"pause here" as in stop reviewing this PR, or "pause here" as in this is ok for now?

guncha commented Jan 7, 2026

@gilluminate ready for another look! The cookies on the notice that are coming from the website monitor will have the domain field so we can always use that, unless the domain overrides are enabled. The cookies will not have path though and will default to /, but not when doing the subdomain cookie deletion? I don't know, that was the existing behavior so I didn't want to change it.

@gilluminate gilluminate left a comment

Approved with one very minor nitpick to prefer arrow functions

Co-authored-by: Jason Gill <[email protected]>