fetch icon indicating copy to clipboard operation
fetch copied to clipboard

Published 20 hours ago verified publisher icon whatwg

Add special handling of `set-cookie` to Headers

Open lucacasonato opened this issue 4 years ago • 6 comments
trafficstars

Towards #973

  • [ ] At least two implementers are interested (and none opposed):
    • Firefox (https://github.com/whatwg/fetch/issues/973#issuecomment-954815921)
    • Deno (https://github.com/whatwg/fetch/issues/973#issuecomment-902578584)
    • Cloudflare Workers
    • Node.js
  • [x] Tests are written and can be reviewed and commented upon at:
    • https://github.com/web-platform-tests/wpt/pull/31442
  • [ ] Implementation bugs are filed:
    • Chrome: …
    • Firefox: …
    • Safari: …
    • Deno: …

Preview | Diff

Preview | Diff

lucacasonato avatar Oct 29 '21 15:10 lucacasonato

Thanks for working on this, this looks quite promising to me. @yutakahirano @ricea @youennf thoughts?

annevk avatar Nov 01 '21 09:11 annevk

@jasnell @kentonv thoughts?

lucacasonato avatar Nov 04 '21 10:11 lucacasonato

I'm fine with this.

I have a weak opinion that, for server-side vendors, getAll() is slightly more flexible: If we have some big customer come along and say "We really need to access this legacy API, but it has a header that misuses commas, which we can't change," we can easily say "No problem, we'll just add your special weird header to the getAll() allow list." On the server side, implementing special requests for high-paying customers are not uncommon. Obviously, on the browser side, such special requests would be complete nonsense, since web sites don't get to choose which browser is used to open them.

But I have seen no evidence that any such headers exist in the wild, so it seems unlikely we'll ever get this exact sort of special request. So, whatever. :)

kentonv avatar Nov 04 '21 17:11 kentonv

It's more flexible, but it would also violate HTTP, as would any header that needs it (with the exception of Set-Cookie).

annevk avatar Nov 05 '21 07:11 annevk

I'm not opposed to adding this into node-fetch either. I will only be glad that we can unite on one unified api that works the same across all platform

jimmywarting avatar Nov 21 '21 16:11 jimmywarting

Node.js is ok in implementing this too.

mcollina avatar Jun 30 '22 17:06 mcollina

bump - I upgraded node and realized I can't because .raw() was removed and I need to query multiple set cookie headers and that was the only way I was able to.

shadiramadan avatar Dec 27 '22 18:12 shadiramadan

Hi. We're trying to bring this PR back to life and get it landed as part of the WinterCG effort. It seems like the semantics are clear and agreed upon, and that no more work is needed on that area. So it comes down to implementer interest.

@yutakahirano, @youennf. Is Firefox still interested, @smaug----?

andreubotella avatar Jan 18 '23 19:01 andreubotella

cc: @ricea for Chrome

yutakahirano avatar Jan 24 '23 08:01 yutakahirano

Chrome supports if there is consensus. I don't want to be the only browser implementing this.

ricea avatar Jan 26 '23 05:01 ricea

I've filed implementation bugs for all browsers:

  • Chromium: https://crbug.com/1409512
  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1812511
  • WebKit: https://bugs.webkit.org/show_bug.cgi?id=251194

I've also submitted implementations for Chromium and Firefox, and I'm currently working on one for WebKit.

andreubotella avatar Jan 26 '23 06:01 andreubotella

I won't object to this addition but I do not see a lot of value for web browsers to support this. Are there shims around Headers that have been deployed already?

youennf avatar Jan 26 '23 08:01 youennf

With the case of the keys() iterator here, would the intention of this PR be to make it so that set-cookie could appear multiple times? Or should the keys() iterator always only produce a unique set? The way this is currently defined, it would appear that the keys iterator could have set-cookie multiple times.

jasnell avatar Jan 31 '23 17:01 jasnell

With the case of the keys() iterator here, would the intention of this PR be to make it so that set-cookie could appear multiple times? Or should the keys() iterator always only produce a unique set? The way this is currently defined, it would appear that the keys iterator could have set-cookie multiple times.

That seems intentional in the way pair iteration works in WebIDL. That way, [...headers.keys()].length === [...headers.values()].length and the indices match.

Do you think this would break some existing code, though?

andreubotella avatar Feb 01 '23 09:02 andreubotella

I do think there's a risk of breaking existing code that may be relying on the iterator producing a unique set of keys.

jasnell avatar Feb 01 '23 16:02 jasnell

I do think there's a risk of breaking existing code that may be relying on the iterator producing a unique set of keys.

Deno's current implementation of headers.keys() will yield "set-cookie" repeatedly in such cases. @lucacasonato can probably speak more on it, but this doesn't seem to have caused any breakage.

andreubotella avatar Feb 01 '23 23:02 andreubotella

I have fixed this PR's merge conflicts, and rewritten and moved the Headers implementation note to be about header lists. PTAL.

andreubotella avatar Feb 06 '23 13:02 andreubotella