Allow setting cookies with special characters #978
@abhi12299 is attempting to deploy a commit to the Vercel Team on Vercel. A member of the Team first needs to authorize it.
It's important for this particular framework that it adheres to the published RFC 6265 which requires that cookie values are URL encoded. We'd prefer in these cases to have the application throw an error during parsing if the cookie values can't be parsed rather than allowing un-encoded values from the cookie parser itself. If the issue is stemming from double-decoding I'd rather solve that specifically rather than have it silently fail decoding.
As per my limited understanding of this codebase, I would assume that the headers being set for
I may be wrong, but the outbound headers still encode the cookie value - this issue stems from double decoding. Am I missing something obvious here?
What is the purpose of calling `decodeURIComponent` when defining the new cookie object? The function `parseCookie` is already returning a new map with all values decoded. It seems redundant to me, or I'm missing something?
This is a fix for vercel/next.js#70523
What?
Access the `ResponseCookie` object using the `NextResponse` class in a Next.js middleware like so:

You'll notice that the cookie being set crashes the application. The reason for this is explained below:

`ResponseCookie`'s constructor calls the `parseSetCookie` method:
edge-runtime/packages/cookies/src/response-cookies.ts
Lines 31 to 33 in 8312ccd

`parseSetCookie` function calls the `parseCookie` function:
edge-runtime/packages/cookies/src/serialize.ts
Lines 54 to 59 in 8312ccd

`parseCookie` calls the `decodeURIComponent` function on the cookie value:
edge-runtime/packages/cookies/src/serialize.ts
Lines 42 to 44 in 8312ccd

`parseSetCookie` function again calls the `decodeURIComponent` function on line 75:
edge-runtime/packages/cookies/src/serialize.ts
Lines 73 to 76 in 8312ccd

This double invocation of `decodeURIComponent` throws an error and crashes the application if the cookie contains special characters.
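
The double-decoding failure described in this thread, as an added example that is not code from this pull request or from edge-runtime: the helper names below are hypothetical stand-ins for the parse path, and the cookie values are constructed. It shows that decoding twice either throws a `URIError` or silently changes the value, depending on what follows the `%`.

```javascript
// Added illustration; simplified stand-ins, not the edge-runtime source.

// Outbound side: the value is percent-encoded exactly once.
function serializePair(name, value) {
  return `${name}=${encodeURIComponent(value)}`
}

// Stand-in for a parser that already returns a decoded value.
function parsePairDecoded(header) {
  const idx = header.indexOf('=')
  return {
    name: header.slice(0, idx),
    value: decodeURIComponent(header.slice(idx + 1)),
  }
}

// Flawed reader: decodes a value the parser has already decoded.
function readDoubleDecoded(header) {
  const { name, value } = parsePairDecoded(header)
  return { name, value: decodeURIComponent(value) }
}

// Round-trips a value and reports what the second decode does to it.
function classify(original) {
  const header = serializePair('session', original)
  const once = parsePairDecoded(header).value
  try {
    const twice = readDoubleDecoded(header).value
    const outcome = twice === original ? 'intact' : 'corrupted'
    return { header, once, twice, outcome }
  } catch (err) {
    if (!(err instanceof URIError)) throw err
    return { header, once, twice: null, outcome: 'throws' }
  }
}

// Constructed sample values: plain, bare '%', and a literal "%41".
for (const value of ['abc', '100%', 'a%41b']) {
  console.log(JSON.stringify(value), classify(value))
}
```

The `corrupted` case is the one a crash report will not surface: a literal `%41` in the original value comes back as `A` with no error raised.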