- From: Luca Casonato <notifications@github.com>
- Date: Tue, 14 Jun 2022 02:43:09 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/973/1154958094@github.com>
Use counter results from Chromium are in: https://chromestatus.com/metrics/feature/timeline/popularity/4152

The % of pages that set a "set-cookie" header on an outbound `fetch` request hovers around 0.0003%.

The data indicates two popularish sites that set a "set-cookie" header on request headers. These domains are:

- https://www.osgohome.com/
- https://mybees.ca/ and 14 localised domains from the same company

For both of these sites the `"set-cookie"` header is set on an outbound API request that uses `fetch`. On the osgohome.com site, it is a syntactically invalid `set-cookie` header.

The proposed changes in #1346 would make `"set-cookie"` a forbidden header name, thus causing the cookie to be silently ignored (no explicit error is raised).

I have tested both sites using [a puppeteer script using request interception](https://gist.github.com/lucacasonato/a79497bc1b73dcaccd31a2d6f8980ea4) that removes all outbound "set-cookie" headers (essentially what #1346 would do). Both sites continue to work just fine, and the API endpoints continue to return 200 status codes, identical data, and identical response headers.

As such I think we can safely make this change.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/973#issuecomment-1154958094
Received on Tuesday, 14 June 2022 09:43:21 UTC
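
For site owners who want to check whether their own code would be affected, the following added example (not part of the original message and not the linked gist) wraps a fetch-like function, drops any "set-cookie" request header without raising an error, and records which requests carried one. The names `auditFetch` and `splitHeaders`, the stub fetch, and the `api.example.test` URL are assumptions made for illustration; only headers passed through the `init` argument are inspected, not headers on a `Request` object.

```javascript
// Added example: names and sample data below are constructed for illustration.
const FORBIDDEN = new Set(["set-cookie"]); // the request header name #1346 would forbid

// Normalise the shapes fetch() accepts for `headers` (record, array of pairs,
// or any iterable of pairs such as a Headers object) into [name, value] pairs.
function toPairs(headers) {
  if (headers == null) return [];
  const pairs = typeof headers[Symbol.iterator] === "function"
    ? [...headers]
    : Object.entries(headers);
  return pairs.map(([name, value]) => [String(name), String(value)]);
}

// Split headers into those still sent and those that would be silently ignored.
// Header names are case-insensitive, so the comparison is done in lowercase.
function splitHeaders(headers) {
  const sent = [];
  const ignored = [];
  for (const [name, value] of toPairs(headers)) {
    (FORBIDDEN.has(name.toLowerCase()) ? ignored : sent).push([name, value]);
  }
  return { sent, ignored };
}

// Wrap a fetch-like function: strip the header, as the interception test did,
// and record each affected request so the calling code can be found and fixed.
function auditFetch(fetchImpl, log = []) {
  const wrapped = (input, init = {}) => {
    const { sent, ignored } = splitHeaders(init.headers);
    if (ignored.length > 0) {
      log.push({ url: String(input), ignored: ignored.map(([name]) => name) });
    }
    return fetchImpl(input, { ...init, headers: sent });
  };
  wrapped.log = log;
  return wrapped;
}

// Constructed demo with a stub in place of the real fetch, so it runs offline.
const seen = [];
const stubFetch = (url, init) => { seen.push({ url, headers: init.headers }); return { status: 200 }; };
const auditedFetch = auditFetch(stubFetch);
auditedFetch("https://api.example.test/cart", {
  method: "POST",
  headers: { "Content-Type": "application/json", "Set-Cookie": "session=abc; Path=/" },
});
console.log(auditedFetch.log);
```

In a page under test, passing the real `fetch` as `fetchImpl` and reading `auditedFetch.log` afterwards lists the call sites that still set the header on requests.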