Re: [whatwg/fetch] Add special handling of `set-cookie` to Headers (PR #1346) from Luca Casonato on 2021-11-01 (public-webapps-github@w3.org from November 2021)

From: Luca Casonato <notifications@github.com>
Date: Mon, 01 Nov 2021 03:50:14 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1346/review/794082425@github.com>

@lucacasonato commented on this pull request.



> -`<code>Set-Cookie</code>` <a for=/>header</a>. In a way this is problematic as unlike all other
-headers `<code>Set-Cookie</code>` headers cannot be combined, but since `<code>Set-Cookie</code>`
-headers are not exposed to client-side JavaScript this is deemed an acceptable compromise.
-Implementations could choose the more efficient {{Headers}} object representation even for a
-<a for=/>header list</a>, as long as they also support an associated data structure for
+<p class=note>Unlike a <a for=/>header list</a>, a {{Headers}} object combines the values of
+multiple headers of the same name into a single header value. This is problematic for the
+`<code>Set-Cookie</code>` header, as unlike all other headers it can not be safely combined. For
+client-side JavaScript this is not very problematic, as the platform never exposes
+`<code>Set-Cookie</code>`. This can be problematic for server-side runtimes that do expose this
+header. Because of this there is some special handling for the `<code>Set-Cookie</code>` header in
+the implementation of the {{Headers}} interface: `<code>Set-Cookie</code>` headers are not
+concatenated when they are returned from the {{Headers}} iterator. This means that specifically for
+this header, multiple tuples of the same name can be returned. Implementations could choose the more
+efficient {{Headers}} object representation even for a <a for=/>header list</a>, as long as they
+also support an associated data structure for
 `<code>Set-Cookie</code>` headers.

> It's not true that client-side JavaScript never exposes Set-Cookie

Well the _platform_ never exposes a set-cookie header (because it is a forbidden header) if I understand correctly. Only ever user code.

I've updated the prose and removed the client-side & server-side comparison, and mentioned the HTTP spec does the same.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1346#discussion_r740121352

Received on Monday, 1 November 2021 10:50:27 UTC