JakeChampion / fetch

A window.fetch JavaScript polyfill.
MIT License

parseHeaders fails with multiple set-cookie headers in Firefox #928

Closed diegodlh closed 1 year ago

diegodlh commented 3 years ago

I'm using @maxlath's wikibase-edit module which depends on cross-fetch, which in turn depends on github/fetch.

I'm developing a plugin for Zotero, which runs on Firefox's runtime environment.

At some point, an XMLHttpRequest is sent, which returns a response with multiple "set-cookie" headers. For some reason, these headers are concatenated (by getAllResponseHeaders() and getResponseHeader()) with \n instead of with \n\t or ,. As a result, parseHeaders fails with Invalid character in header field name.

I tried running some test requests on a recent Firefox browser (v85.0). I used Firefox's Browser Toolbox to debug the browser's main process, because otherwise getAllResponseHeaders and getResponseHeader would ignore set-cookie headers. I set up an Apache web server to send duplicate set-cookie and MyHeader headers. In Apache config file:

  ...
  Header add set-cookie "value1"
  Header add set-cookie "value2"
  Header add MyHeader "value1"
  Header add MyHeader "value2"
  ...

Interestingly, whereas getResponseHeader('set-cookie') returns:

value1
value2

getResponseHeader('MyHeader') successfully returns value1, value2.

I don't know enough about the HTTP protocol to understand if this is a bug in Firefox, or if it is an accepted behavior and should be handled by github/fetch.

I understand this may be related to #489.

BoussonKarel commented 1 year ago

This suddenly introduces a new issue in our code:

Set-Cookie is a forbidden response-header name: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie https://fetch.spec.whatwg.org/#forbidden-response-header-name
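
The failure reported in this thread and one defensive way to parse such a header block, as an added example that is not part of the issue or of the polyfill's code. The function names, the `dropForbidden` parameter and the sample header block are assumptions made for illustration; the sample mimics the newline-joined set-cookie values described in the first comment.

```javascript
// Added example; parseStrict, parseTolerant and SAMPLE are hypothetical names, not the polyfill's.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;            // RFC 7230 field-name characters
const FORBIDDEN = new Set(['set-cookie', 'set-cookie2']);  // Fetch spec forbidden response-header names

// Constructed input: the second cookie sits on its own line with no "set-cookie:" prefix.
const SAMPLE = [
  'content-type: text/html',
  'set-cookie: sid=abc; Path=/',
  'lang=en; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
  'myheader: value1, value2',
].join('\r\n');

// Strict parse: everything before the first ":" must be a valid field name.
// The bare cookie line fails that check, which is the error reported above.
function parseStrict(raw) {
  const out = [];
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim()) continue;
    const i = line.indexOf(':');
    const name = (i === -1 ? line : line.slice(0, i)).trim();
    if (!TOKEN.test(name)) throw new TypeError('Invalid character in header field name: "' + name + '"');
    out.push([name.toLowerCase(), i === -1 ? '' : line.slice(i + 1).trim()]);
  }
  return out;
}

// Tolerant parse: a line without a valid "name:" prefix is taken as a further
// value of the previous header. Forbidden response headers are dropped by default
// so cookie values are not handed on to calling code.
function parseTolerant(raw, dropForbidden = true) {
  const out = [];
  let last = null;
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim()) continue;
    const i = line.indexOf(':');
    const name = i > 0 ? line.slice(0, i).trim() : '';
    if (TOKEN.test(name)) last = [name.toLowerCase(), line.slice(i + 1).trim()];
    else if (last) last = [last[0], line.trim()];
    else continue;
    out.push(last);
  }
  return dropForbidden ? out.filter(([n]) => !FORBIDDEN.has(n)) : out;
}
```

Note that the colon inside the Expires timestamp is what makes a naive split pick a cookie fragment as the header name, so validating the name before accepting the split matters.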