• Fix cookie persistence for cross-origin requests involving private domains with large number of labels

• Ensure datadome cookies are saved with attributes when a native context syncs with a webview to avoid duplicates
• Add support for challenge responses with any HTTP status code

• Allow challenges to load from a first-party domain
• Maintain cookie persistence for cross-origin requests involving private domains (e.g. amazonaws.com)

• Remove dd_referrer query parameter from URL in Referer header to avoid passing it upstream to origin server when var.datadome_restore_referrer is enabled

• Add support for Next.js 16

In order to improve detection capabilities on Bot Protect, we will roll out a new serving endpoint for response pages (Device Check, CAPTCHA, Block).

Target date

Monday, January 26, 2026

Required change

If you are using the frame-src directive in your Content-Security-Policy headers with a direct reference to geo.captcha-delivery.com, you will need to proceed with the change below:

• ❎ Before: frame-src geo.captcha-delivery.com
• ✅ After: frame-src *.captcha-delivery.com

Without this change, some of your end users might experience issues with displaying response pages in case of false positives.

Reference documentation: JavaScript Tag

• Add support for array headers on fetch requests

• Fix URL evaluation to only include host and pathname

• Add all payload-related methods to the TurboModule interface

• Remove go-querystring dependency and reimplement URL encoding for payloads