Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookies and fetch() on servers #7

Open
mcollina opened this issue May 27, 2022 · 8 comments
Open

Cookies and fetch() on servers #7

mcollina opened this issue May 27, 2022 · 8 comments

Comments

@mcollina
Copy link

The fetch() spec forbids to read and store cookies because of https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name.
How should handle cookies in server environments?

Most implementations have allow them in some way, however this changed between all the implementations:

I think it would be a good way to create a shared standard for this behavior.
@mcollina
Copy link
Author

mcollina commented May 27, 2022
edited
Loading

In Node.js we need to handle this case yet. I would prefer we did not add yet another API for doing this but converge to what will be the standard.

@mcollina mcollina mentioned this issue May 27, 2022
Closed
@lucacasonato
Copy link
Member

@mcollina Please see https://deno.land/manual/runtime/web_platform_apis#fetch-api for what Deno does:

The request and response header guards are implemented, but unlike browsers do not have any constraints on which header names are allowed.

@lucacasonato
Copy link
Member

I think there are two distinct questions here:

What to do about forbidden request headers? (e.g cookie)

The request header guard should have no constraints on which names are allowed.

What to do about getting set-cookie headers from responses?

For this, see whatwg#1346.

@mcollina
Copy link
Author

For this, see whatwg#1346.

Is this what Deno does? That's not what Cloudflare is doing.

@devsnek
Copy link

devsnek commented May 27, 2022
edited
Loading

Just popping by to say I'm strongly in favor of the deno behavior for both cases.

@lucacasonato
Copy link
Member

Is this what Deno does? That's not what Cloudflare is doing.

With the exception of the getSetCookie method (which is user polyfillable), yes. The addition of that method is just waiting on final upstream spec review.

@KhafraDev KhafraDev mentioned this issue May 28, 2022
Merged
@KhafraDev
Copy link

KhafraDev commented May 30, 2022
edited
Loading

Undici now follows deno on the handling of forbidden/safe-listed headers. I'll also implement getSetCookie once it lands 😃

@mcollina mcollina mentioned this issue Aug 24, 2022
Closed
@KhafraDev
Copy link

Is it possible for wintercg to bypass the fetch spec and decide to implement getSetCookie? Since it's being held up by browser implementation interest it could be (even more) years until it lands.

@Ethan-Arrowood Ethan-Arrowood transferred this issue from another repository Jan 19, 2023
@chicoxyzzy chicoxyzzy mentioned this issue Aug 30, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mcollina @devsnek @lucacasonato @KhafraDev