Hi there, earlier today I ran into an issue automatically passing cookies into fetch requests, despite having credentials: 'include' set (which worked with browser fetch). Once I saw the JSDoc hint that I needed a sub-subdomain, I changed the endpoint and created this PR: #10421
However, I have a feeling this isn't actually expected behaviour. The source code in fetch.js has the following logic for including cookies:
```js
// Cookie-forwarding logic in fetch.js as quoted in the issue (the behaviour under discussion):
// the hostname test passes for the event host and its subdomains, and the only
// credentials mode that is special-cased is 'omit'.
if (`.${url.hostname}`.endsWith(`.${event.url.hostname}`) && credentials !== 'omit') {
	const cookie = get_cookie_header(url, request.headers.get('cookie'));
	if (cookie) request.headers.set('cookie', cookie);
}
```
This only checks if credentials !== 'omit', but does not differentiate 'include' from 'same-origin'. According to MDN, the cookies should be sent regardless of origin for 'include'.
I think the correct logic would look something like this:
lachlancollins changed the title from "Server-side fetch function treats credentials: 'include' as credentials: 'same-origin'" to "Server-side fetch function treats credentials: 'include' the same as credentials: 'same-origin'" on Jul 22, 2023
I think that is a bug, yes, and the proposed change makes sense. The only thing I'm wondering is whether or not we need to manually filter out cookies with SameSite: strict or if the server/browser will take care of this for us automatically. You can amend your existing PR about docs with the fix, and hopefully we can solve the SameSite question along the way.
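As an added, standalone model of the decision being discussed (this is example code, not SvelteKit's fetch.js and not the change in #10421): the corrected rule treats 'omit', 'same-origin' and 'include' separately, the quoted condition is kept beside it so the difference is visible, and the page's hostname test is exercised on a same-host, subdomain, parent-domain and look-alike target. It also bears on the SameSite question: the incoming Cookie request header carries only name=value pairs, with no SameSite, Domain or Path attributes, so a SameSite filter has to be driven by information the server holds elsewhere. The function names, the `allowCookie` callback and the sample hosts and cookies are assumptions constructed for this example.

```javascript
// Added example, not SvelteKit's code. It models the decision a server-side
// fetch wrapper makes before copying the incoming Cookie header onto an
// outgoing request, with the credentials modes handled as the issue describes.
// Function names and the allowCookie callback are assumptions for this example.

// The page's host test: `.${target}`.endsWith(`.${origin}`). The leading dot
// means it matches the event host itself and its subdomains only, so a
// look-alike such as "evilexample.com" does not match an event host "example.com".
function isSameSiteHost(targetHostname, eventHostname) {
  return `.${targetHostname}`.endsWith(`.${eventHostname}`);
}

// Corrected decision: 'omit' never forwards, 'include' always forwards, and
// 'same-origin' (the fetch default) forwards only to the event host or a subdomain.
function shouldForwardCookies(targetUrl, eventUrl, credentials = 'same-origin') {
  switch (credentials) {
    case 'omit':
      return false;
    case 'include':
      return true;
    case 'same-origin':
      return isSameSiteHost(targetUrl.hostname, eventUrl.hostname);
    default:
      throw new TypeError(`unknown credentials mode: ${credentials}`);
  }
}

// The condition quoted in the issue, kept for comparison: `credentials !== 'omit'`
// applies the same-origin host rule to 'include' as well.
function shouldForwardCookiesAsQuoted(targetUrl, eventUrl, credentials = 'same-origin') {
  return isSameSiteHost(targetUrl.hostname, eventUrl.hostname) && credentials !== 'omit';
}

// Split a Cookie request header into [name, value] pairs. Note what is NOT
// here: the Cookie header carries no SameSite, Domain or Path attributes, so a
// SameSite filter cannot be derived from the header alone.
function parseCookieHeader(header) {
  return header
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Build the outgoing Cookie header, or return null if nothing should be sent.
// allowCookie(name) stands in for whatever server-side metadata (for example a
// list of cookies known to be SameSite=Strict) the caller wants to filter on.
function forwardCookieHeader(targetUrl, eventUrl, credentials, incomingCookie, allowCookie = () => true) {
  if (!incomingCookie || !shouldForwardCookies(targetUrl, eventUrl, credentials)) return null;
  const kept = parseCookieHeader(incomingCookie).filter(([name]) => allowCookie(name));
  return kept.length ? kept.map(([n, v]) => `${n}=${v}`).join('; ') : null;
}

// Constructed scenario: an app on app.example.com talking to its own API host
// and to a third-party API, with a constructed Cookie header.
function demo() {
  const event = new URL('https://app.example.com/dashboard');
  const ownApi = new URL('https://api.app.example.com/v1/me');
  const thirdParty = new URL('https://api.partner.test/v1/me');
  const cookie = 'session=abc123; csrf=xyz; theme=dark';
  const strictCookies = new Set(['csrf']); // constructed: treated as SameSite=Strict
  return {
    includeCrossSite: shouldForwardCookies(thirdParty, event, 'include'),
    includeCrossSiteAsQuoted: shouldForwardCookiesAsQuoted(thirdParty, event, 'include'),
    sameOriginSubdomain: shouldForwardCookies(ownApi, event),
    sameOriginCrossSite: shouldForwardCookies(thirdParty, event),
    omitSubdomain: shouldForwardCookies(ownApi, event, 'omit'),
    parentDomain: isSameSiteHost('example.com', 'app.example.com'),
    lookalike: isSameSiteHost('evilexample.com', 'example.com'),
    forwarded: forwardCookieHeader(thirdParty, event, 'include', cookie, (name) => !strictCookies.has(name)),
    dropped: forwardCookieHeader(thirdParty, event, 'same-origin', cookie),
  };
}
```

Running `demo()` shows the bug in one line: `includeCrossSite` is true while `includeCrossSiteAsQuoted` is false for the same request, because the quoted condition never lets 'include' past the hostname test. The `allowCookie` callback is only a placeholder for the filtering the maintainer asks about; the example does not claim the server can recover SameSite from the request itself.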
Reproduction
Very hard to share a reproduction - it would need a separate server...
Logs
No response
System Info
Severity
serious, but I can work around it
Additional Information
Logic initially implemented in #1847