Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Don't set defaults when parsing cookies from headers #9908

Merged
merged 4 commits into from
May 12, 2023
Merged

fix: Don't set defaults when parsing cookies from headers #9908

merged 4 commits into from
May 12, 2023

Conversation

elliott-with-the-longest-name-on-github
Copy link
Contributor

Closes #9901

Bypasses setting Kit defaults on cookies parsed from fetch response headers. To illustrate what the problem was:

  • Set a cookie in +server.ts: cookies.set('foo', 'bar', { httpOnly: false })
  • fetch this endpoint from +page.server.ts
  • As part of fetch, parse the cookies from the headers
  • httpOnly isn't set (because false === unset)
  • Adding this cookie to the cookies causes the default httpOnly: true to be added

The better solution here is not to apply defaults to cookies we parse from fetch response headers. If these cookies were set through cookies.set in a +server.ts endpoint, we've already set the defaults, and if they're not, we shouldn't touch them anyway.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

@changeset-bot
Copy link

changeset-bot bot commented May 11, 2023
edited
Loading

🦋 Changeset detected

Latest commit: b362baa

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@sveltejs/kit Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@Conduitry Conduitry mentioned this pull request May 11, 2023
Closed
Rich-Harris
Rich-Harris reviewed May 12, 2023
View reviewed changes
Copy link
Member

@Rich-Harris Rich-Harris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is the right general approach, yeah (though I don't think we need with_defaults).

It does pain me somewhat to have an unexpected property on the cookies object. It may not be in the type definition but it's still visible to users, and people will abuse implementation details if we expose them. Can we instead return set_internal as a standalone function that is passed to create_fetch (like get_cookie_header)?

packages/kit/src/runtime/server/cookie.js Outdated Show resolved Hide resolved
@elliott-with-the-longest-name-on-github elliott-with-the-longest-name-on-github marked this pull request as ready for review May 12, 2023 04:19
@dummdidumm dummdidumm merged commit 26d2b7f into master May 12, 2023
@dummdidumm dummdidumm deleted the elliott/9901-fix-cookie-overrides branch May 12, 2023 08:17
@github-actions github-actions bot mentioned this pull request May 12, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Rich-Harris Rich-Harris Rich-Harris left review comments

@dummdidumm dummdidumm dummdidumm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cookies inside endpoints called from event.fetch are not correctly set
3 participants
@elliott-with-the-longest-name-on-github @Rich-Harris @dummdidumm