sveltejs · eltigerchino · Apr 12, 2024 · Feb 27, 2024 · Apr 12, 2024 · Apr 12, 2024
diff --git a/.changeset/fair-suns-report.md b/.changeset/fair-suns-report.md
@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+fix: avoid incorrectly un- and re-escaping cookies collected during a server-side `fetch`
diff --git a/packages/kit/src/runtime/server/fetch.js b/packages/kit/src/runtime/server/fetch.js
@@ -132,13 +132,16 @@ export function create_fetch({ event, options, manifest, state, get_cookie_heade
 				const set_cookie = response.headers.get('set-cookie');
 				if (set_cookie) {
 					for (const str of set_cookie_parser.splitCookiesString(set_cookie)) {
-						const { name, value, ...options } = set_cookie_parser.parseString(str);
+						const { name, value, ...options } = set_cookie_parser.parseString(str, {
+							decodeValues: false
+						});
 
 						const path = options.path ?? (url.pathname.split('/').slice(0, -1).join('/') || '/');
 
 						// options.sameSite is string, something more specific is required - type cast is safe
 						set_internal(name, value, {
 							path,
+							encode: (value) => value,
 							.../** @type {import('cookie').CookieSerializeOptions} */ (options)
 						});
 					}

diff --git a/packages/kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/+page.js b/packages/kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/+page.js
@@ -0,0 +1,10 @@
+import { browser } from '$app/environment';
+
+/** @type {import('@sveltejs/kit').Load}*/
+export async function load({ fetch }) {
+	if (!browser) {
+		// We don't want the client-side collected cookie to clobber the
+		// server-side collected cookie that we're actually testing.
+		await fetch('/cookies/collect-without-re-escaping/set-cookie');
+	}
+}
diff --git a/packages/kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/+page.svelte b/packages/kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/+page.svelte
@@ -0,0 +1,5 @@
+<script>
+	import { browser } from '$app/environment';
+</script>
+
+<p>{browser && document.cookie}</p>
diff --git a/...kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/set-cookie/+server.js b/...kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/set-cookie/+server.js
@@ -0,0 +1,4 @@
+/** @type {import('@sveltejs/kit').RequestHandler} */
+export async function GET() {
+	return new Response(null, { headers: { 'set-cookie': 'cookie-special-characters="foo"' } });
+}
diff --git a/packages/kit/test/apps/basics/test/cross-platform/client.test.js b/packages/kit/test/apps/basics/test/cross-platform/client.test.js
@@ -417,7 +417,7 @@
 		await expect(page.locator('input')).toBeFocused();
 	});

 	test('scroll positions are recovered on reloading the page', async ({
 		page,
 		app,
 		browserName
@@ -827,6 +827,11 @@
 		await page.locator('button').click();
 		await expect(page.locator('p')).toHaveText('foo=bar');
 	});
+
+	test("fetch during SSR doesn't un- and re-escape cookies", async ({ page }) => {
+		await page.goto('/cookies/collect-without-re-escaping');
+		await expect(page.locator('p')).toHaveText('cookie-special-characters="foo"');
+	});
 });
 
 test.describe('Interactivity', () => {