SecureHeaders middleware erases all cookies in Rack 3 due to \n joining

[collinsauve]

Bugs

SecureHeaders is not compatible with this change from Rack 3 as SH uses \n encoded cookies in flag_cookies!:

Response header values can be an Array to handle multiple values (and no longer supports \n encoded headers).

Rack will no longer transform this back into an array for you, and that joined string with \n gets all the way to Puma::Request#str_headers at which point it ignores it due to it being an illegal value.

Expected outcome

Describe what you expected to happen

1. I set multiple cookies
2. Those cookies are included in the response

Actual outcome

1. The response written to the socket does not include any cookies set before SH middleware gets them.

[collinsauve]

I've put together a minimum-viable reproduction of the issue:
https://github.com/collinsauve/secure-headers-issue-514