Skip to content
This repository has been archived by the owner on Nov 30, 2024. It is now read-only.

Cookies and fetch() on servers #7

Open
mcollina opened this issue May 27, 2022 · 8 comments
Open

Cookies and fetch() on servers #7

mcollina opened this issue May 27, 2022 · 8 comments

Comments

@mcollina
Copy link

The fetch() spec forbids to read and store cookies because of https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name.
How should handle cookies in server environments?

Most implementations have allow them in some way, however this changed between all the implementations:

I think it would be a good way to create a shared standard for this behavior.

@mcollina
Copy link
Author

mcollina commented May 27, 2022

In Node.js we need to handle this case yet. I would prefer we did not add yet another API for doing this but converge to what will be the standard.

@lucacasonato
Copy link
Member

@mcollina Please see https://deno.land/manual/runtime/web_platform_apis#fetch-api for what Deno does:

The request and response header guards are implemented, but unlike browsers do not have any constraints on which header names are allowed.

@lucacasonato
Copy link
Member

I think there are two distinct questions here:

What to do about forbidden request headers? (e.g cookie)

The request header guard should have no constraints on which names are allowed.

What to do about getting set-cookie headers from responses?

For this, see whatwg#1346.

@mcollina
Copy link
Author

For this, see whatwg#1346.

Is this what Deno does? That's not what Cloudflare is doing.

@devsnek
Copy link

devsnek commented May 27, 2022

Just popping by to say I'm strongly in favor of the deno behavior for both cases.

@lucacasonato
Copy link
Member

Is this what Deno does? That's not what Cloudflare is doing.

With the exception of the getSetCookie method (which is user polyfillable), yes. The addition of that method is just waiting on final upstream spec review.

@KhafraDev
Copy link

KhafraDev commented May 30, 2022

Undici now follows deno on the handling of forbidden/safe-listed headers. I'll also implement getSetCookie once it lands 😃

@KhafraDev
Copy link

Is it possible for wintercg to bypass the fetch spec and decide to implement getSetCookie? Since it's being held up by browser implementation interest it could be (even more) years until it lands.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants