search

kwhitley / itty-router

A little router.
MIT License
1.69k stars 77 forks source link

createCors().corsify eats additional Set-Cookie headers #207

Closed etinquis closed 3 months ago

etinquis commented 6 months ago

Describe the Issue

When calling corsify on a response with multiple Set-Cookie headers, only one will be preserved.

Example Router Code

console.log('before', resp.headers.getSetCookie()); // has multiple cookies
const corsResp = cors.corsify(resp);
console.log('after', corsResp.headers.getSetCookie()); // has a single cookie

Expected Behavior

All Set-Cookie headers (and maybe any other duplicate headers?) should be preserved.

Actual Behavior

Only one Set-Cookie header is kept in the resulting response.

Environment (please complete the following information):

afonsocrg commented 4 months ago

I had the same issue. After checking the createCors implementation I found the lines that may be causing this issue:

// Return new response with CORS headers.
return new Response(body, {
  status,
  headers: {
    ...Object.fromEntries(headers),
    ...rHeaders,
    ...allowOrigin,
    'content-type': headers.get('content-type'),
  },
})

To add multiple headers with the same name I had to use the headers.append method, so I believe that those lines should use this function instead. Later today I might create a PR to fix this, but I cannot do that atm

kwhitley commented 3 months ago

This has been addressed in the upcoming cors rewrite #226. :)

Thanks for the investigation and discussion - it was hugely instrumental to make sure these edge cases were covered!

That said, it's a bit of a good-news/bad-news situation.

The Good

The Bad

Stay tuned!

kwhitley commented 3 months ago

This has been fully addressed in the v5 release! Thanks again all!