Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: do not re-escape cookies collected from fetch calls during SSR #11904

Merged
merged 4 commits into from
Apr 12, 2024
Merged

fix: do not re-escape cookies collected from fetch calls during SSR #11904

merged 4 commits into from
Apr 12, 2024

Conversation

Conduitry
Copy link
Member

@Conduitry Conduitry commented Feb 27, 2024
edited
Loading

Fixes #11687. We want cookies set by APIs called by fetch during SSR loads to be carried over as-is into the browser. We do this by telling set-cookie-parser to not attempt to URL decode the cookies set in the external API, and then telling cookie to not URL encode the cookie as it's constructing the outgoing header.

This appeared to work in my manual tests, but I was struggling with Playwright and haven't written formal tests yet. I'll try to do so in the morning.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Feb 27, 2024
edited
Loading

🦋 Changeset detected

Latest commit: e6e53e5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@Conduitry
Copy link
Member Author

Finally got around to pushing a test. This test fails on main as the cookie value ends up being %22foo%22 instead of "foo". Note that the test also skips the fetch during the client-side load, as this would overwrite the (previously incorrect) value from SSR with a correct value from the browser's fetch.

eltigerchino
eltigerchino approved these changes Apr 12, 2024
View reviewed changes
Copy link
Member

@eltigerchino eltigerchino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@eltigerchino eltigerchino merged commit bbab296 into sveltejs:main Apr 12, 2024
12 checks passed
@github-actions github-actions bot mentioned this pull request Apr 12, 2024
Merged
@Conduitry Conduitry deleted the gh-11687 branch April 12, 2024 17:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eltigerchino eltigerchino eltigerchino approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cookies set on server are improperly escaped
2 participants
@Conduitry @eltigerchino