Cookies and fetch() on servers

[mcollina]

The fetch() spec forbids to read and store cookies because of https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name.
How should handle cookies in server environments?

Most implementations have allow them in some way, however this changed between all the implementations:

• Cloudflare ahttps://developers.cloudflare.com/workers/runtime-apis/headers/ Use case for Headers getAll whatwg/fetch#973
• Deno (It seems it allows all the Forbidden Header names - @lucacasonato please edit this issue to confirm, possibly add a reference).
• node-fetch (https://www.npmjs.com/package/node-fetch#extract-set-cookie-header)

I think it would be a good way to create a shared standard for this behavior.

[mcollina]

In Node.js we need to handle this case yet. I would prefer we did not add yet another API for doing this but converge to what will be the standard.

[lucacasonato]

@mcollina Please see https://deno.land/manual/runtime/web_platform_apis#fetch-api for what Deno does:

The request and response header guards are implemented, but unlike browsers do not have any constraints on which header names are allowed.

[lucacasonato]

I think there are two distinct questions here:

What to do about forbidden request headers? (e.g cookie)

The request header guard should have no constraints on which names are allowed.

What to do about getting set-cookie headers from responses?

For this, see whatwg#1346.

[mcollina]

For this, see whatwg#1346.

Is this what Deno does? That's not what Cloudflare is doing.

[devsnek]

Just popping by to say I'm strongly in favor of the deno behavior for both cases.

[lucacasonato]

Is this what Deno does? That's not what Cloudflare is doing.

With the exception of the getSetCookie method (which is user polyfillable), yes. The addition of that method is just waiting on final upstream spec review.

[KhafraDev]

Undici now follows deno on the handling of forbidden/safe-listed headers. I'll also implement getSetCookie once it lands 😃

[KhafraDev]

Is it possible for wintercg to bypass the fetch spec and decide to implement getSetCookie? Since it's being held up by browser implementation interest it could be (even more) years until it lands.