Proposal: Safe SameSite=None JWT bridge for cross-domain WooCommerce login & checkout

[Maysker]

Hi Woo team

While integrating an external Angular frontend with a WooCommerce webshop, we encountered a recurring issue:
SameSite=None + CORS restrictions break JWT-based authentication and prevent WordPress cookies from being set when using cross-domain checkout or embedded iframes.

To address this, I built a small open-source plugin — JWT Login Cookie Bridge — a lightweight PHP bridge (~200 lines) that safely exchanges a verified JWT for native WordPress cookies (SameSite=None; Secure; HttpOnly) under a strict CORS whitelist, with optional iframe support.

It enables:

• secure cross-domain login between SPA apps and WooCommerce,
• seamless order-pay / checkout flows inside embedded web apps,
• real cookies & sessions without OAuth or admin-level access.

I’m sharing it here as a proof-of-concept and wondering:

• whether this pattern (JWT → WP cookies with SameSite=None) could be standardized within Woo’s Store API,
• or if similar approaches are already being discussed in the Woo core.

Repo: https://github.com/Maysker/jwt-login-cookie-bridge
License: GPLv3

Would love your thoughts and feedback 🙏