@formo/analytics 1.28.2 → 1.28.3

package/dist/cjs/src/storage/built-in/cookie.js

@@ -19,6 +19,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 var blueprint_1 = __importDefault(require("./blueprint"));
+var domain_1 = require("../../utils/domain");
 var CookieStorage = /** @class */ (function (_super) {
     __extends(CookieStorage, _super);
     function CookieStorage() {
@@ -31,10 +32,27 @@ var CookieStorage = /** @class */ (function (_super) {
         var expires = options === null || options === void 0 ? void 0 : options.expires;
         var maxAge = options === null || options === void 0 ? void 0 : options.maxAge;
         var path = (options === null || options === void 0 ? void 0 : options.path) || "/";
-        var domain = options === null || options === void 0 ? void 0 : options.domain;
+        var domain = (options === null || options === void 0 ? void 0 : options.domain) || "";
         var sameSite = options === null || options === void 0 ? void 0 : options.sameSite;
         var secure = (options === null || options === void 0 ? void 0 : options.secure) || false;
-        var cookie = "".concat(encodeURIComponent(this.getKey(key)), "=").concat(encodeURIComponent(value));
+        var encodedKey = encodeURIComponent(this.getKey(key));
+        // When writing a domain-wide cookie, expire any legacy host-only cookie
+        // on the current host so it doesn't shadow the domain-wide cookie in
+        // document.cookie reads. This only clears the cookie on the current host;
+        // host-only cookies on sibling hosts are not visible and cannot be cleared.
+        if (domain) {
+            document.cookie = "".concat(encodedKey, "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=").concat(path, ";");
+        }
+        else {
+            // When writing a host-only cookie (no domain), expire any previously
+            // written apex-domain cookie so it doesn't shadow the new host cookie.
+            // This handles the transition from crossSubdomainCookies: true to false.
+            var apexDomain = (0, domain_1.getApexDomain)();
+            if (apexDomain) {
+                document.cookie = "".concat(encodedKey, "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=").concat(path, "; domain=.").concat(apexDomain);
+            }
+        }
+        var cookie = "".concat(encodedKey, "=").concat(encodeURIComponent(value));
         if (maxAge) {
             cookie += "; max-age=" + maxAge;
         }
@@ -60,7 +78,15 @@ var CookieStorage = /** @class */ (function (_super) {
         return match ? decodeURIComponent(match[1]) : null;
     };
     CookieStorage.prototype.remove = function (key) {
-        document.cookie = "".concat(encodeURIComponent(this.getKey(key)), "=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT");
+        var encodedKey = encodeURIComponent(this.getKey(key));
+        // Always expire host-only cookie
+        document.cookie = "".concat(encodedKey, "=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT");
+        // Also expire apex-domain cookie if a valid apex domain exists,
+        // so that remove() works regardless of crossSubdomainCookies.
+        var domain = (0, domain_1.getApexDomain)();
+        if (domain) {
+            document.cookie = "".concat(encodedKey, "=; path=/; domain=.").concat(domain, "; expires=Thu, 01 Jan 1970 00:00:00 GMT");
+        }
     };
     return CookieStorage;
 }(blueprint_1.default));

package/dist/cjs/src/storage/cookiePolicy.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Returns the domain attribute string for identity cookies.
+ * - false → "" (no domain attribute, host-only)
+ * - true  → ".example.com" when a valid apex domain is detected,
+ *            or "" on localhost / IP / single-label hosts
+ *
+ * @param crossSubdomain Whether cookies should be shared across subdomains.
+ */
+export declare function getIdentityCookieDomain(crossSubdomain?: boolean): string;
+//# sourceMappingURL=cookiePolicy.d.ts.map

package/dist/cjs/src/storage/cookiePolicy.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getIdentityCookieDomain = getIdentityCookieDomain;
+/**
+ * Cookie domain policy — centralizes the decision of whether identity
+ * cookies should be host-scoped or apex-scoped.
+ *
+ * - true (default): domain set to .apexDomain → shared across subdomains
+ * - false: no domain attribute → cookie scoped to current host
+ */
+var domain_1 = require("../utils/domain");
+/**
+ * Returns the domain attribute string for identity cookies.
+ * - false → "" (no domain attribute, host-only)
+ * - true  → ".example.com" when a valid apex domain is detected,
+ *            or "" on localhost / IP / single-label hosts
+ *
+ * @param crossSubdomain Whether cookies should be shared across subdomains.
+ */
+function getIdentityCookieDomain(crossSubdomain) {
+    if (crossSubdomain === void 0) { crossSubdomain = true; }
+    if (!crossSubdomain)
+        return "";
+    var domain = (0, domain_1.getApexDomain)();
+    return domain ? ".".concat(domain) : "";
+}
+//# sourceMappingURL=cookiePolicy.js.map

package/dist/cjs/src/types/base.d.ts

@@ -144,6 +144,18 @@ export interface WagmiOptions {
 export interface Options {
     provider?: EIP1193Provider;
     tracking?: boolean | TrackingOptions;
+    /**
+     * When `true`, identity cookies (anonymous ID, user ID) are set on the
+     * apex/root domain (e.g. `.example.com`), enabling cross-subdomain identity
+     * sharing between app.example.com and www.example.com.
+     *
+     * When `false`, cookies are scoped to the current host only.
+     *
+     * Session cookies (wallet detection, current URL) always remain host-scoped.
+     * Consent cookies are always apex-scoped independently for compliance.
+     * @default true
+     */
+    crossSubdomainCookies?: boolean;
     /**
      * Control wallet event autocapture
      * - `false`: Disable all wallet autocapture

package/dist/cjs/src/utils/address.js

@@ -51,15 +51,13 @@ exports.getValidAddress = getValidAddress;
  * @returns true if the address is blocked, false otherwise
  */
 var isBlockedAddress = function (address) {
-    if (!address)
+    if (!address || typeof address !== 'string')
         return false;
-    var validAddress = (0, exports.getValidAddress)(address);
-    if (!validAddress)
+    var normalized = address.trim().toLowerCase();
+    if (!normalized || !normalized.startsWith('0x') || normalized.length !== 42)
         return false;
-    // Normalize to checksum format for comparison
-    var checksumAddress = (0, exports.toChecksumAddress)(validAddress);
     return constants_1.BLOCKED_ADDRESSES.some(function (blockedAddr) {
-        return (0, exports.toChecksumAddress)(blockedAddr) === checksumAddress;
+        return blockedAddr.toLowerCase() === normalized;
     });
 };
 exports.isBlockedAddress = isBlockedAddress;

package/dist/cjs/src/utils/domain.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Domain utilities for cross-subdomain cookie sharing.
+ *
+ * Uses a cookie-probe approach: tries setting a test cookie on progressively
+ * shorter domain candidates until the browser accepts one. This is
+ * self-maintaining — no hardcoded public suffix lists to keep up to date.
+ * The browser itself is the authority on which domains accept cookies.
+ */
+/**
+ * Extract the apex (registrable) domain for cookie sharing across subdomains.
+ *
+ * Walks up the hostname labels from shortest candidate to longest, probing
+ * with a test cookie. The shortest domain the browser accepts is the apex.
+ *
+ * Returns null for localhost, IP addresses, single-label hosts, SSR, or
+ * when no candidate domain accepts cookies (e.g. public suffix hosts like
+ * vercel.app or github.io).
+ *
+ * Results are cached for the lifetime of the page.
+ */
+export declare function getApexDomain(): string | null;
+/**
+ * Reset the cached apex domain. Exposed for testing only.
+ * @internal
+ */
+export declare function _resetApexDomainCache(): void;
+//# sourceMappingURL=domain.d.ts.map

package/dist/cjs/src/utils/domain.js

@@ -0,0 +1,74 @@
+"use strict";
+/**
+ * Domain utilities for cross-subdomain cookie sharing.
+ *
+ * Uses a cookie-probe approach: tries setting a test cookie on progressively
+ * shorter domain candidates until the browser accepts one. This is
+ * self-maintaining — no hardcoded public suffix lists to keep up to date.
+ * The browser itself is the authority on which domains accept cookies.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getApexDomain = getApexDomain;
+exports._resetApexDomainCache = _resetApexDomainCache;
+var TEST_COOKIE_NAME = '__formo_domain_probe';
+/** Cached result so we only probe once per page load. */
+var cachedApexDomain;
+/**
+ * Try to set a test cookie on the given domain. Returns true if the browser
+ * accepted it (i.e. the cookie is readable back).
+ */
+function canSetCookieOnDomain(domain) {
+    var cookieVal = 'probe';
+    document.cookie = "".concat(TEST_COOKIE_NAME, "=").concat(cookieVal, "; domain=.").concat(domain, "; path=/; max-age=10");
+    var accepted = document.cookie.indexOf("".concat(TEST_COOKIE_NAME, "=").concat(cookieVal)) !== -1;
+    // Clean up regardless of result
+    document.cookie = "".concat(TEST_COOKIE_NAME, "=; domain=.").concat(domain, "; path=/; max-age=0");
+    return accepted;
+}
+/**
+ * Extract the apex (registrable) domain for cookie sharing across subdomains.
+ *
+ * Walks up the hostname labels from shortest candidate to longest, probing
+ * with a test cookie. The shortest domain the browser accepts is the apex.
+ *
+ * Returns null for localhost, IP addresses, single-label hosts, SSR, or
+ * when no candidate domain accepts cookies (e.g. public suffix hosts like
+ * vercel.app or github.io).
+ *
+ * Results are cached for the lifetime of the page.
+ */
+function getApexDomain() {
+    if (typeof window === 'undefined')
+        return null;
+    if (cachedApexDomain !== undefined)
+        return cachedApexDomain;
+    var hostname = window.location.hostname;
+    if (hostname === 'localhost' || /^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
+        cachedApexDomain = null;
+        return null;
+    }
+    var parts = hostname.split('.');
+    if (parts.length < 2) {
+        cachedApexDomain = null;
+        return null;
+    }
+    // Walk from the shortest candidate (last 2 labels) to the full hostname.
+    // The shortest domain the browser accepts is the apex domain.
+    for (var i = 2; i <= parts.length; i++) {
+        var candidate = parts.slice(-i).join('.');
+        if (canSetCookieOnDomain(candidate)) {
+            cachedApexDomain = candidate;
+            return candidate;
+        }
+    }
+    cachedApexDomain = null;
+    return null;
+}
+/**
+ * Reset the cached apex domain. Exposed for testing only.
+ * @internal
+ */
+function _resetApexDomainCache() {
+    cachedApexDomain = undefined;
+}
+//# sourceMappingURL=domain.js.map

package/dist/cjs/src/utils/generate.js

@@ -38,23 +38,35 @@ var __generator = (this && this.__generator) || function (thisArg, body) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.hash = hash;
 exports.generateNativeUUID = generateNativeUUID;
+var sha256_1 = require("ethereum-cryptography/sha256");
+var utils_1 = require("ethereum-cryptography/utils");
 function hash(input) {
     return __awaiter(this, void 0, void 0, function () {
-        var hashBuffer, byteArray;
+        var bytes, hashBytes;
         return __generator(this, function (_a) {
-            switch (_a.label) {
-                case 0: return [4 /*yield*/, crypto.subtle.digest("SHA-256", new TextEncoder().encode(input))];
-                case 1:
-                    hashBuffer = _a.sent();
-                    byteArray = new Uint8Array(hashBuffer);
-                    return [2 /*return*/, Array.from(byteArray)
-                            .map(function (byte) { return byte.toString(16).padStart(2, "0"); })
-                            .join("")];
-            }
+            bytes = (0, utils_1.utf8ToBytes)(input);
+            hashBytes = (0, sha256_1.sha256)(bytes);
+            return [2 /*return*/, (0, utils_1.bytesToHex)(hashBytes)];
         });
     });
 }
 function generateNativeUUID() {
-    return crypto.randomUUID();
+    if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+        return crypto.randomUUID();
+    }
+    // Fallback using crypto.getRandomValues (available in insecure contexts)
+    if (typeof crypto !== 'undefined' && typeof crypto.getRandomValues === 'function') {
+        var bytes = new Uint8Array(16);
+        crypto.getRandomValues(bytes);
+        bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
+        bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant 1
+        var hex = Array.from(bytes).map(function (b) { return b.toString(16).padStart(2, '0'); }).join('');
+        return "".concat(hex.slice(0, 8), "-").concat(hex.slice(8, 12), "-").concat(hex.slice(12, 16), "-").concat(hex.slice(16, 20), "-").concat(hex.slice(20));
+    }
+    // Last resort: Math.random (not cryptographically secure, but functional)
+    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
+        var r = (Math.random() * 16) | 0;
+        return (c === 'x' ? r : (r & 0x3) | 0x8).toString(16);
+    });
 }
 //# sourceMappingURL=generate.js.map

package/dist/cjs/src/validators/network.js

@@ -2,7 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.isNetworkError = isNetworkError;
 var objectToString = Object.prototype.toString;
-var isError = function (value) { return objectToString.call(value) === "[object Error]"; };
+var isError = function (value) {
+    var tag = objectToString.call(value);
+    return tag === "[object Error]" || tag === "[object DOMException]";
+};
+var errorNames = new Set(["TypeError", "TimeoutError", "NetworkError"]);
 var errorMessages = new Set([
     "network error", // Chrome
     "Failed to fetch", // Chrome
@@ -12,11 +16,12 @@ var errorMessages = new Set([
     "Network request failed", // `cross-fetch`
     "fetch failed", // Undici (Node.js)
     "terminated", // Undici (Node.js)
+    "The operation was aborted due to timeout", // AbortSignal.timeout()
 ]);
 function isNetworkError(error) {
     var isValid = error &&
         isError(error) &&
-        error.name === "TypeError" &&
+        errorNames.has(error.name) &&
         typeof error.message === "string";
     if (!isValid) {
         return false;

package/dist/cjs/src/version.d.ts

@@ -1,2 +1,2 @@
-export declare const version = "1.28.2";
+export declare const version = "1.28.3";
 //# sourceMappingURL=version.d.ts.map

package/dist/cjs/src/version.js

@@ -3,5 +3,5 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.version = void 0;
 // This file is auto-generated by scripts/update-version.js during npm version
 // Do not edit manually - it will be overwritten
-exports.version = '1.28.2';
+exports.version = '1.28.3';
 //# sourceMappingURL=version.js.map

package/dist/esm/src/FormoAnalytics.d.ts

@@ -45,6 +45,8 @@ export declare class FormoAnalytics implements IFormoAnalytics {
      * When true, EIP-1193 provider wrapping is skipped
      */
     private isWagmiMode;
+    /** Instance-level flag so multiple SDK instances don't interfere. */
+    private crossSubdomainCookies;
     config: Config;
     currentChainId?: ChainID;
     currentAddress?: Address;

package/dist/esm/src/FormoAnalytics.js

@@ -57,6 +57,7 @@ var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
 import { createStore } from "mipd";
 import { EVENTS_API_HOST, EventType, LOCAL_ANONYMOUS_ID_KEY, SESSION_CURRENT_URL_KEY, SESSION_USER_ID_KEY, CONSENT_OPT_OUT_KEY, } from "./constants";
 import { cookie, initStorageManager } from "./storage";
+import { getIdentityCookieDomain } from "./storage/cookiePolicy";
 import { EventManager } from "./event";
 import { EventQueue } from "./queue";
 import { logger, Logger } from "./logger";
@@ -81,7 +82,7 @@ var PROVIDER_SWITCH_REASONS = {
 var FormoAnalytics = /** @class */ (function () {
     function FormoAnalytics(writeKey, options) {
         if (options === void 0) { options = {}; }
-        var _a, _b;
+        var _a, _b, _c;
         this.writeKey = writeKey;
         this.options = options;
         // Per-chain namespace state — isolates EVM and Solana connection state
@@ -120,6 +121,9 @@ var FormoAnalytics = /** @class */ (function () {
         this.options = options;
         // Check if Wagmi mode is enabled
         this.isWagmiMode = !!options.wagmi;
+        this.crossSubdomainCookies = (_a = options.crossSubdomainCookies) !== null && _a !== void 0 ? _a : true;
+        // Normalize so downstream consumers (EventFactory) read the resolved value.
+        options.crossSubdomainCookies = this.crossSubdomainCookies;
         this.session = new FormoAnalyticsSession();
         this.currentUserId =
             cookie().get(SESSION_USER_ID_KEY) || undefined;
@@ -134,8 +138,8 @@ var FormoAnalytics = /** @class */ (function () {
         this.isAutocaptureEnabled = this.isAutocaptureEnabled.bind(this);
         // Initialize logger with configuration from options
         Logger.init({
-            enabled: ((_a = options.logger) === null || _a === void 0 ? void 0 : _a.enabled) || false,
-            enabledLevels: ((_b = options.logger) === null || _b === void 0 ? void 0 : _b.levels) || [],
+            enabled: ((_b = options.logger) === null || _b === void 0 ? void 0 : _b.enabled) || false,
+            enabledLevels: ((_c = options.logger) === null || _c === void 0 ? void 0 : _c.levels) || [],
         });
         this.eventManager = new EventManager(new EventQueue(this.config.writeKey, {
             apiHost: options.apiHost || EVENTS_API_HOST,
@@ -505,7 +509,7 @@ var FormoAnalytics = /** @class */ (function () {
      */
     FormoAnalytics.prototype.identify = function (params, properties, context, callback) {
         return __awaiter(this, void 0, void 0, function () {
-            var _i, _a, providerDetail, provider, address_1, validAddress_1, err_1, address, providerName, userId, rdns, validAddress, isAlreadyIdentified, e_1;
+            var _i, _a, providerDetail, provider, address_1, validAddress_1, err_1, address, providerName, userId, rdns, validAddress, domain, isAlreadyIdentified, e_1;
             var _b, _c;
             return __generator(this, function (_d) {
                 switch (_d.label) {
@@ -584,7 +588,8 @@ var FormoAnalytics = /** @class */ (function () {
                         }
                         if (userId) {
                             this.currentUserId = userId;
-                            cookie().set(SESSION_USER_ID_KEY, userId);
+                            domain = getIdentityCookieDomain(this.crossSubdomainCookies);
+                            cookie().set(SESSION_USER_ID_KEY, userId, __assign({ path: "/" }, (domain ? { domain: domain } : {})));
                         }
                         isAlreadyIdentified = this.session.isWalletIdentified(validAddress, rdns || "");
                         logger.debug("Identify: Checking deduplication", {

package/dist/esm/src/FormoAnalyticsProvider.js

@@ -95,6 +95,7 @@ var InitializedAnalytics = function (_a) {
         var serializableOptions = {
             tracking: options.tracking,
             autocapture: options.autocapture,
+            crossSubdomainCookies: options.crossSubdomainCookies,
             apiHost: options.apiHost,
             flushAt: options.flushAt,
             flushInterval: options.flushInterval,

package/dist/esm/src/consent/index.js

@@ -7,6 +7,7 @@
  * Formo projects on the same domain.
  */
 import { secureHash } from '../utils/hash';
+import { getApexDomain } from '../utils/domain';
 /**
  * Generate a project-specific cookie key to avoid conflicts between different Formo projects
  * Uses hashed writeKey for privacy and security
@@ -36,7 +37,14 @@ export function setConsentFlag(projectId, key, value) {
         var expires = new Date(Date.now() + 365 * 24 * 60 * 60 * 1000).toUTCString(); // 1 year (GDPR compliant)
         var isSecure = ((_a = window === null || window === void 0 ? void 0 : window.location) === null || _a === void 0 ? void 0 : _a.protocol) === 'https:';
         // Enhanced privacy settings: Secure (HTTPS), SameSite=Strict for consent cookies
-        document.cookie = "".concat(projectSpecificKey, "=").concat(encodeURIComponent(value), "; expires=").concat(expires, "; path=/; SameSite=Strict").concat(isSecure ? '; Secure' : '');
+        var domain = getApexDomain();
+        var domainAttr = domain ? "; domain=.".concat(domain) : '';
+        // Expire any legacy host-only cookie (pre-domain-attribute versions) so it
+        // doesn't shadow the new domain-wide cookie in document.cookie reads.
+        if (domain) {
+            document.cookie = "".concat(projectSpecificKey, "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;");
+        }
+        document.cookie = "".concat(projectSpecificKey, "=").concat(encodeURIComponent(value), "; expires=").concat(expires, "; path=/").concat(domainAttr, "; SameSite=Strict").concat(isSecure ? '; Secure' : '');
     }
 }
 /**
@@ -83,15 +91,9 @@ function deleteCookieDirectly(cookieName) {
     // Clear from current domain/path
     document.cookie = "".concat(cookieName, "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;");
     // Try to clear from parent domain if it's a proper multi-level domain
-    if (typeof window !== 'undefined') {
-        var hostname = window.location.hostname;
-        var parts = hostname.split('.');
-        // Only try parent domain deletion for proper domains with multiple parts
-        // Skip localhost and single-level domains
-        if (parts.length >= 2 && hostname !== 'localhost') {
-            var domain = parts.slice(-2).join('.');
-            document.cookie = "".concat(cookieName, "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; domain=.").concat(domain, ";");
-        }
+    var domain = getApexDomain();
+    if (domain) {
+        document.cookie = "".concat(cookieName, "=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; domain=.").concat(domain, ";");
     }
 }
 //# sourceMappingURL=index.js.map

package/dist/esm/src/event/EventFactory.js

@@ -289,22 +289,22 @@ var EventFactory = /** @class */ (function () {
         return __awaiter(this, void 0, void 0, function () {
             var commonEventData, eventChainId, validAddress, processedEvent;
             var _a;
-            var _b;
-            return __generator(this, function (_c) {
-                switch (_c.label) {
+            var _b, _c;
+            return __generator(this, function (_d) {
+                switch (_d.label) {
                     case 0:
                         _a = {};
                         return [4 /*yield*/, this.generateContext(context)];
                     case 1:
-                        commonEventData = (_a.context = _c.sent(),
+                        commonEventData = (_a.context = _d.sent(),
                             _a.original_timestamp = getCurrentTimeFormatted(),
                             _a.user_id = formoEvent.user_id,
                             _a.type = formoEvent.type,
                             _a.channel = CHANNEL,
                             _a.version = VERSION,
                             _a);
-                        commonEventData.anonymous_id = generateAnonymousId(LOCAL_ANONYMOUS_ID_KEY);
-                        eventChainId = (_b = formoEvent.properties) === null || _b === void 0 ? void 0 : _b.chainId;
+                        commonEventData.anonymous_id = generateAnonymousId(LOCAL_ANONYMOUS_ID_KEY, (_b = this.options) === null || _b === void 0 ? void 0 : _b.crossSubdomainCookies);
+                        eventChainId = (_c = formoEvent.properties) === null || _c === void 0 ? void 0 : _c.chainId;
                         validAddress = this.validateEventAddress(formoEvent.address, eventChainId);
                         commonEventData.address = validAddress;
                         processedEvent = mergeDeepRight(formoEvent, commonEventData);

package/dist/esm/src/event/utils.d.ts

@@ -1,5 +1,4 @@
 import { AnonymousID } from "../types";
-declare const generateAnonymousId: (key: string) => AnonymousID;
-declare function getCookieDomain(hostname?: string): string;
-export { generateAnonymousId, getCookieDomain };
+declare const generateAnonymousId: (key: string, crossSubdomainCookies?: boolean) => AnonymousID;
+export { generateAnonymousId };
 //# sourceMappingURL=utils.d.ts.map

package/dist/esm/src/event/utils.js

@@ -1,29 +1,30 @@
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
 import { generateNativeUUID } from "../utils";
 import { cookie } from "../storage";
-var generateAnonymousId = function (key) {
+import { getIdentityCookieDomain } from "../storage/cookiePolicy";
+var generateAnonymousId = function (key, crossSubdomainCookies) {
     var storedAnonymousId = cookie().get(key);
-    if (storedAnonymousId && typeof storedAnonymousId === "string")
-        return storedAnonymousId;
-    var newAnonymousId = generateNativeUUID();
-    cookie().set(key, newAnonymousId, {
-        maxAge: Date.now() + 1000 * 60 * 60 * 24 * 365, // 1 year
-        domain: getCookieDomain(),
-        path: "/",
-    });
-    return newAnonymousId;
+    var anonymousId = (storedAnonymousId && typeof storedAnonymousId === "string"
+        ? storedAnonymousId
+        : generateNativeUUID());
+    var domain = getIdentityCookieDomain(crossSubdomainCookies);
+    // Re-set the cookie with the configured scope. When crossSubdomainCookies
+    // is true, this migrates legacy host-only cookies on the current host to the apex
+    // domain. Note: host-only cookies on other hosts (e.g. a cookie set on
+    // example.com is not visible from app.example.com) cannot be migrated
+    // until the user revisits that host.
+    cookie().set(key, anonymousId, __assign({ expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365).toUTCString(), path: "/" }, (domain ? { domain: domain } : {})));
+    return anonymousId;
 };
-function getCookieDomain(hostname) {
-    if (hostname === void 0) { hostname = window.location.hostname; }
-    // Special cases
-    if (hostname.includes("localhost") ||
-        /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) {
-        // Localhost or IP address
-        return "";
-    }
-    var parts = hostname.split(".");
-    if (parts.includes("www"))
-        parts.splice(parts.indexOf("www"), 1);
-    return ".".concat(parts.join("."));
-}
-export { generateAnonymousId, getCookieDomain };
+export { generateAnonymousId };
 //# sourceMappingURL=utils.js.map

package/dist/esm/src/queue/EventQueue.d.ts

@@ -28,7 +28,7 @@ export declare class EventQueue implements IEventQueue {
     constructor(writeKey: string, options: Options);
     private generateMessageId;
     enqueue(event: IFormoEvent, callback?: (...args: any) => void): Promise<void>;
-    flush(callback?: (...args: any) => void): Promise<void | IFormoEventFlushPayload[]>;
+    flush(callback?: (...args: any) => void, drainAll?: boolean): Promise<void | IFormoEventFlushPayload[]>;
     /**
      * Returns the UTF-8 byte length of a string. The browser's keepalive limit
      * is enforced on the wire (UTF-8 bytes), not on JS string length (UTF-16