Re: [whatwg/fetch] [Feature request] Add a `CookieStore` option to `Request` & `Response` (Issue #1384) from Val on 2022-02-17 (public-webapps-github@w3.org from February 2022)

From: Val <notifications@github.com>
Date: Thu, 17 Feb 2022 08:27:35 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1384/1043152555@github.com>

Hey there! :wave: [fetch-cookie](https://github.com/valeriangalliat/fetch-cookie) maintainer here :)

We do support redirects (although I'm currently working on improving that part as it's not perfectly compliant), but only for the node-fetch specific wrapper `require('fetch-cookie/node-fetch')`. As far as I can remember, when the redirect logic was contributed years ago, node-fetch allowed `redirect: 'manual'` but I don't think such a mechanism was part of the official spec yet, and I didn't want to tie the library specifically to node-fetch.

I realized recently that `redirect: 'manual'` is now officially supported so I'm gonna make handling cookies in redirects the default in the next major version.

That being said, fetch-cookie cannot currently work with undici because the `set-cookie` header is not exposed by the `fetch` API (as per [spec](https://fetch.spec.whatwg.org/#forbidden-response-header-name)) so in reality fetch-cookie can only be used alongside node-fetch for now.

If the Node.js implementation ever allows userland code to read the `set-cookie` header then it should work seamlessly with future fetch-cookie versions including redirects.

**That being said I do support the feature request in the original message.** I wrote fetch-cookie 7 years ago as what I thought would be a "temporary workaround" and now hundreds of people depend on it. Anything that makes it obsolete would make me more than happy, and that `CookieStore` proposition would definitely help.

> So, realistically, I'd expect that most cookie-needing Node apps will rely on an (as yet unwritten?) library that wraps `fetch` and handles cookies and redirects. Hopefully this library will not have security or perf problems!

The main issue I have with a `fetch` wrapper is that the redirect logic must be re-implemented. [node-fetch does a fantastic job at handling redirects](https://github.com/node-fetch/node-fetch/blob/5e78af3ba7555fa1e466e804b2e51c5b687ac1a2/src/index.js#L169) and I'm pretty sure undici does too, so it makes me sad to have to bypass that upstream redirect implementation in order to re-implement it in the wrapper. This is error prone and requires duplicated efforts in maintenance.

One thing that I've been dreaming about recently that would help with that is a way to properly wrap `fetch`. Typically `fetch` implementations are recursive when following redirects (e.g. [in node-fetch](https://github.com/node-fetch/node-fetch/blob/5e78af3ba7555fa1e466e804b2e51c5b687ac1a2/src/index.js#L231)) and if we had a way to recurse through the wrapper, we would be able to have cookies in redirects without requiring the wrapper to set `redirect: 'manual'` and re-implementing the whole redirect logic. I'm not sure if that's something desirable for the `fetch` spec itself but that would certainly help making a reliable wrapper where the redirect logic would be guaranteed to be consistent with the upstream implementation.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1384#issuecomment-1043152555
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1384/1043152555@github.com>

Received on Thursday, 17 February 2022 16:27:48 UTC