SecureHeaders is not compatible with this change from Rack 3 as SH uses \n encoded cookies in flag_cookies!:
Response header values can be an Array to handle multiple values (and no longer supports \n encoded headers).
Rack will no longer transform this back into an array for you, and that joined string with \n gets all the way to Puma::Request#str_headers at which point it ignores it due to it being an illegal value.
Expected outcome
Describe what you expected to happen
I set multiple cookies
Those cookies are included in the response
Actual outcome
The response written to the socket does not include any cookies set before SH middleware gets them.
Bugs
SecureHeaders is not compatible with this change from Rack 3 as SH uses
\n
encoded cookies in flag_cookies!:Rack will no longer transform this back into an array for you, and that joined string with
\n
gets all the way to Puma::Request#str_headers at which point it ignores it due to it being an illegal value.Expected outcome
Describe what you expected to happen
Actual outcome