Refused to set unsafe header "cookie"

[scottquested]

We are getting this error Refused to set unsafe header "cookie" only in chrome

Thought I would ask here first before opening an issue

[kettanaito]

Hey, @scottquested.

As the error suggests, it looks like you're setting the "cookie" header on your mocked response somewhere:

return res(ctx.set('cookie', 'value'))

If that's the case, please use ctx.cookie() to set a cookie on a mocked response. That utility is designed to emulate response cookie functionality without compromising the security behind the cookie header.

If that's not the case, could you please share your request handlers setup and describe in more detail when exactly this error happens (what kind of request are you making, what handlers do you have, do you expect this response to be mocked). Ideally, to resolve this issue quicker, I'd ask you for a minimal reproduction repository.

[scottquested]

Thanks for your prompt reply @kettanaito it's not actually happening on a mocked response. This happens even when we have no mocked responses.

// Browser file
import { setupWorker } from 'msw';
import { devHandlers } from './handlers';
// This configures a Service Worker with the given request handlers.
export const worker = setupWorker(...devHandlers);

// devHandlers file
import { rest } from 'msw';
export const devHandlers = [];

// App index file
if (
      process.env.NODE_ENV === 'development' &&
      process.env.REACT_APP_MOCK_API === 'true'
    ) {
      // eslint-disable-next-line global-require
      const { worker } = require('./mocks/browser');
      worker.start({
        warnOnUncaptured: false,
        waitUntilReady: true,
        onUnhandledRequest: () => {
          return false;
        },
      });
    }

[scottquested]

If we comment out the options it seems to run this error on each API that isn't mocked...

if (
      process.env.NODE_ENV === 'development' &&
      process.env.REACT_APP_MOCK_API === 'true'
    ) {
      // eslint-disable-next-line global-require
      const { worker } = require('./mocks/browser');
      worker.start({
        // warnOnUncaptured: false,
        // waitUntilReady: true,
        // onUnhandledRequest: () => {
        //   return false;
        // },
      });
    }

[scottquested]

Chrome Version 91.0.4472.114 (Official Build) (x86_64)

[scottquested]

Ok, we have found the issue. Because we are running locally non-https (in fallback mode) this was causing it. Perhaps cookies should not be set in fallback mode in Chrome. We added our url to the flag chrome://flags/#unsafely-treat-insecure-origin-as-secure which by passes this.

[kettanaito]

I think it's a valid point that bypassed XHR requests must not set the forbidden cookies. What's complicated is that it's the case only for the browser. As far as I know there's no such issue in Node.js. Definitely calls for a test in the "interceptors" library.

[kettanaito]

Opened an issue in the interceptors repo: mswjs/interceptors#141