Disable io.prismic.preview cookie for visitors

I've noticed that including the PrismicPreview component wrapper in NextJs causes the io.prismic.preview cookie to be written for every visitor rather than just the ones that would be previewing data.

The cookie is empty, but I'm getting around 20 of them set, as around 7 get set for each domain as it goes up the subdomain tree for the site's domain and the Prismic repo's domain.

A request to .prismic.io/prismic-toolbar/4.0.9/iframe.html also appears to be being triggered despite not being in preview mode.

Is there any way to turn this off as it also bypasses cookie consent plugins?

1 Like

Hello @tim5,

After testing, I couldn't reproduce this issue with any of the browsers. Can you share more details like your browser settings, steps to reproduce the issue, and codebase as a zip file or a git repository so I can debug and provide assistance?

Thanks,
Racheal.

I've created an example following the setup instructions for NextJs. This is just a NextJs site configured with Prismic as per Set up Prismic with Next.js - Documentation - Prismic and then deployed to Netlify.

In Edge (regular and in private window) I can see 25 cookies being set all of which are for io.prismic.preview.

Example code base: GitHub - LabDigital/PrismicPreviewCookie
Example site: https://merry-belekoy-94d4f7.netlify.app/

1 Like

Any update on this, @racheal.orukele?

Hello @tim5,

My apologies for my late response.

Preview data only appears for logged-in users on the browser; the preview script checks if users are logged in; if not, nothing is done, and nothing is stored in the user's browser.

This is what I experienced testing out the preview feature:

  • When in preview mode, there are multiple requests sent, the cookie is set once, and when I exit preview mode, a request is still sent for the preview iframe
  • When I tested in a browser where I wasn't logged in, there were no preview requests sent, and as I stated, the cookie wasn't set because I wasn't logged in
  • When I commented out the preview component, the requests were not sent, and the cookie was not set

I contacted our team to share my experience, and they stated that this was the correct behavior.

So this means only users logged in to Prismic can see the cookie, but no worries, your regular website users won't see this.

Thanks,
Racheal.

Hi @racheal.orukele

Please see video https://drive.google.com/file/d/11_GI0baLStLLdqyD9IMr6snfk8P39VmY/view

This is the same site and repo as pasted above, which does not have any logic configured to enter preview mode. But the cookies are being set in both a new instance of Chrome running and a new incognito window.

The video also shows that deleting the cookies and refreshing the page results in them being set again.

The actual cookies have no value but are being set.

Hello @tim5,

I don't have viewing access to the video link you shared above.

Hi @racheal.orukele, I have shared the video with you

@tim5 seen. I'll take a look and get back to you

@tim5 I checked your video. The preview cookies you are seeing are only generated in your browser as a logged-in Prismic user. You can look at our client's site, and you will notice that you will not see any 'preview' cookies there, and your client wouldn't see any preview cookies either.

You can also check our general cookies policy here:

@tim5 / @racheal.orukele did you guys get to any solution/conclusion?

We have the exact same issue as @tim5 mentioned on different applications that we run with NextJS. One of many examples of ours can be found here: Geberit Actuator Plate Showroom

After a lot of investigating on our end we found the following:

  • The cookie "reponame.prismic.io" always gets loaded, also if you've never visited any prismic related page in your life.
  • We are not able to get rid of this cookie and are therefore also looking for a solution to this
  • To make matters worse: once a user decides to visit prismic.io (for whatever reason and gives consent to Analytics cookies) and later on visits our page, all cookies from prismic.io are automatically loaded. Because loading/displaying these cookies cannot be prevented on our side and/or through our Cookie Consent Solution, this is a big issue for our legal department due to GDPR as it may cause an issue for us at one point.

While @racheal.orukele's link to their client actually looks like it does not show this *.prismic.io cookie, you can still see that all Prismic cookies are fully loaded through their own URL cookie that is visible in the browser. So it seems that they were just able to mask this prismic.io cookie somehow, but the issue we have is still there.

2 Likes

Hi Matt,

I didn't find a solution to this. When I look at the site @racheal.orukele referenced in a new private browsing session, I see cookies for Prismic's site there too.

Tim

Yes, you're right. I've tried it again on that link of hers and had the issue as well.

Hello @tim5 & @matthias.ackeret,

My apologies for just responding to this.

I reached out to our team to get more insight on this.

Prismic sets cookies on the .prismic.io domain, which also enables them for any Prismic subdomain. That includes: repository subdomains, the Prismic toolbar source URL, and images.prismic.io. For example, displaying an image using the Prismic image CDN will load .prismic.io cookies. However, only cookies set to the loading website’s domain will be accessible.

You can test this by logging document.cookie in the browser. If it was set, you might see a cookie for io.prismic.preview, but you shouldn’t see any other Prismic cookies. You will likely see other Prismic cookies in Chrome’s Application tab, which the website cannot access. To eliminate the io.prismic.preview cookie from being set or loaded, you can disable the Prismic toolbar on your production website.

Doing so will disable preview support, so should you disable the toolbar in production, we recommend deploying a separate preview-specific website that includes the Prismic toolbar.
If you are using Next.js, you can control whether or not the Prismic toolbar script is added using an environment variable and a ternary:

{process.env.PRISMIC_ENV === "production" ? null : (<PrismicPreview repositoryName="example-prismic-repo" />)}

Let me know if you have further questions.

Thanks,
Racheal.
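
The domain-scoping rule and the document.cookie check described in the reply above, as an added example that is not part of the original thread and is not Prismic's code. The function names, the host shop.example.com and the constructed_analytics cookie are assumptions made for illustration, and cookie paths are ignored.

```javascript
// Added example with constructed data; not Prismic's code.
// RFC 6265 domain-match: a host matches a cookie domain when it equals
// the domain or is a subdomain of it (a leading dot is ignored).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Parse a document.cookie string ("a=1; b=") into [name, value] pairs.
function parseCookieString(str) {
  return str.split(";").map((p) => p.trim()).filter(Boolean).map((p) => {
    const eq = p.indexOf("=");
    // A pair without "=" is a nameless cookie whose value is the whole token.
    return eq === -1 ? ["", p] : [p.slice(0, eq), p.slice(eq + 1)];
  });
}

// True when the (possibly empty) preview cookie is visible to page script.
function hasPreviewCookie(cookieString) {
  return parseCookieString(cookieString).some(([name]) => name === "io.prismic.preview");
}

// Split a cookie jar, as listed in the browser's Application tab, into cookies
// that script on pageHost can read and cookies that belong to other hosts.
function auditCookies(pageHost, jar) {
  const readable = [];
  const otherHosts = [];
  for (const c of jar) {
    const label = `${c.name}@${c.domain}`;
    // HttpOnly cookies never appear in document.cookie.
    if (domainMatches(pageHost, c.domain) && !c.httpOnly) readable.push(label);
    else otherHosts.push(label);
  }
  return { readable, otherHosts };
}

// Constructed jar: hostnames and the analytics cookie name are placeholders.
const SAMPLE_JAR = [
  { name: "io.prismic.preview", domain: "shop.example.com", httpOnly: false },
  { name: "io.prismic.preview", domain: ".example.com", httpOnly: false },
  { name: "io.prismic.preview", domain: ".prismic.io", httpOnly: false },
  { name: "io.prismic.preview", domain: "example-prismic-repo.prismic.io", httpOnly: false },
  { name: "constructed_analytics", domain: ".prismic.io", httpOnly: false },
];

console.log(auditCookies("shop.example.com", SAMPLE_JAR));
```

On a deployed page, passing the live document.cookie string to hasPreviewCookie shows whether the toolbar has written the cookie for the site's own domain.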