-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OutgoingMessage.setHeaders(Headers)
doesn't handle Set-Cookie
headers properly.
#51599
Comments
Make it possible to invoke response.setHeaders() on response object from `node:http2` Fixes: nodejs#51573
Part of the reason is that |
|
BTW you can find how I deal with the problem here: https://github.com/danfuzz/lactoserv/blob/main/src/net-util/export/HttpHeaders.js Specifically, I have a variant of const entries = headers.entriesForVersion(req.httpVersion);
for (const [name, value] of entries) {
res.setHeader(name, value);
} |
PR-URL: nodejs#51649 Fixes: nodejs#51599 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
PR-URL: nodejs#51649 Fixes: nodejs#51599 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Version
21.4.0
Platform
Darwin chug.lan 22.6.0 Darwin Kernel Version 22.6.0: Tue Nov 7 21:42:27 PST 2023; root:xnu-8796.141.3.702.9~2/RELEASE_ARM64_T8103 arm64
Subsystem
http
What steps will reproduce the bug?
Run the following code, and use the
curl
commands as seen in the transcript under "what do you see instead."How often does it reproduce? Is there a required condition?
Always reproducible.
What is the expected behavior? Why is that the expected behavior?
In all three
case
s, the reported headers should include both header pairs in a way that the client can interpret them. In thesetHeaders/Headers
case, I would expect the result to be:What do you see instead?
In the
/setHeaders/Headers
case (firstcurl
command), theSet-Cookie
header is sent asa=b, c=d
which is incorrect.Additional information
Set-Cookie
headers are typically sent as multiple separate header lines, and specifically they cannot safely be joined with,
due to a conflict with the spec for theExpires
attribute onSet-Cookie
headers (which the spec requires a comma in). Technically,Set-Cookie
headers are allowed to be joined with;
, though in practice (AIUI) this would be an unusual implementation choice.See https://datatracker.ietf.org/doc/html/rfc6265 for the gruesome details.
The text was updated successfully, but these errors were encountered: