Problem: I noticed the following error when sending a malformed cookie
TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["set-cookie"]
at storeHeader (_http_outgoing.js:411:5)
at processHeader (_http_outgoing.js:401:9)
at ServerResponse._storeHeader (_http_outgoing.js:312:9)
at ServerResponse.writeHead (_http_server.js:271:8)
at ClientRequest. (/Users/nyeung/Projects/corvette-frontend/node_modules/proxy-middleware/index.js:61:12)
at Object.onceWrapper (events.js:273:13)
at ClientRequest.emit (events.js:182:13)
at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:556:21)
at HTTPParser.parserOnHeadersComplete (_http_common.js:109:17)
at TLSSocket.socketOnData (_http_client.js:442:20).
Proposed Solution: We can either fix by discarding the malformed cookie within `myRes.headers`. The browsers handle malformed cookies as follows:
- Chrome:
  - drops cookies containing \u0001 through \u0019
  - except \u0000 which is stripped
- Firefox:
  - drops cookies containing \u0000 through \u0019
  - except \u0000 which terminates the header
  - except \u0009 (tab) which is retained
- Safari:
  - truncates cookie at character containing \u0000 through \u0019
  - truncates cookie at character containing \u007f through \u00ff
  - except \u0009 (tab) which is retained
In `index.js` I propose we follow Chrome's implementation and add a call to a method `cleanHeaderOfMalformedCookies` on line 66 to drop cookies containing those characters. The method would do the following:
- drop cookies in [\u0000..\u0019]
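
A sketch of the filter proposed above, as an added example that is not proxy-middleware's code. The function name comes from the issue; its signature, the `bad` parameter, the return shape and the sample headers are assumptions. The second pattern mirrors the characters Node accepts in a header value (tab, 0x20-0x7e, 0x80-0xff), which shows that a cookie containing \u001a through \u001f or \u007f passes the proposed range yet would still raise `ERR_INVALID_CHAR`.

```javascript
// Range proposed in the issue: drop cookies containing \u0000..\u0019.
const PROPOSED_RANGE = /[\u0000-\u0019]/;
// Everything Node refuses in a header value: anything other than
// tab, 0x20-0x7e and 0x80-0xff.
const NODE_INVALID = /[^\t\u0020-\u007e\u0080-\u00ff]/;

// Hypothetical helper (name taken from the issue, signature assumed).
// Returns a copy of `headers` without the set-cookie entries that match
// `bad`, plus the number of cookies dropped so the caller can log it.
function cleanHeaderOfMalformedCookies(headers, bad = PROPOSED_RANGE) {
  const out = Object.assign({}, headers);
  const raw = headers['set-cookie'];
  if (raw === undefined) return { headers: out, dropped: 0 };

  // Node exposes incoming set-cookie as an array; tolerate a bare string.
  const cookies = Array.isArray(raw) ? raw : [raw];
  const kept = cookies.filter((cookie) => !bad.test(String(cookie)));

  if (kept.length > 0) out['set-cookie'] = kept;
  else delete out['set-cookie']; // nothing valid left: send no header at all
  return { headers: out, dropped: cookies.length - kept.length };
}

// Constructed upstream response headers (not from the issue).
const upstream = {
  'content-type': 'text/html',
  'set-cookie': [
    'sid=abc123; Path=/; HttpOnly', // well-formed
    'theme=da\u0001rk; Path=/',     // inside the proposed range
    'lang=en\u001b; Path=/',        // outside it, still invalid for Node
  ],
};

const proposed = cleanHeaderOfMalformedCookies(upstream);
const strict = cleanHeaderOfMalformedCookies(upstream, NODE_INVALID);
console.log('proposed range dropped', proposed.dropped); // 1
console.log('Node-equivalent rule dropped', strict.dropped); // 2
```

Filtering with the stricter pattern before the headers reach `writeHead` keeps one bad upstream cookie from failing the whole proxied response.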