fix: Allow multiple unmerged set-cookie headers.

restify · Nov 21, 2017 · ba7b78b · ba7b78b
1 parent c171968
commit ba7b78b
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 9 deletions.
diff --git a/lib/response.js b/lib/response.js
@@ -21,12 +21,10 @@ var InternalServerError = errors.InternalServerError;
 /**
  * @private
  * Headers that cannot be multi-values.
- * @see #779, don't use comma separated values for set-cookie
- * @see #986, don't use comma separated values for content-type
- * @see http://tools.ietf.org/html/rfc6265#section-3
+ * @see #779, multiple set-cookie values are allowed only as multiple headers.
+ * @see #986, multiple content-type values / headers disallowed.
  */
 var HEADER_ARRAY_BLACKLIST = {
-    'set-cookie': true,
     'content-type': true
 };
 
@@ -189,7 +187,7 @@ function patch(Response) {
      * // => { 'x-foo': ['a', 'b'] }
      * @example
      * <caption>
-     * Note that certain headers like `set-cookie` and `content-type`
+     * Note that certain headers like `content-type`
      * do not support multiple values, so calling `header()`
      * twice for those headers will
      * overwrite the existing value.

diff --git a/test/response.test.js b/test/response.test.js
@@ -620,3 +620,16 @@ test('GH-1429: setting code with res.status not respected', function(t) {
         t.end();
     });
 });
+
+test('should support multiple set-cookie headers', function(t) {
+    SERVER.get('/set-cookie', function(req, res, next) {
+        res.header('Set-Cookie', 'a=1');
+        res.header('Set-Cookie', 'b=2');
+        res.send(null);
+    });
+
+    CLIENT.get(join(LOCALHOST, '/set-cookie'), function(err, _, res) {
+        t.equal(res.headers['set-cookie'].length, 2);
+        t.end();
+    });
+});
diff --git a/test/server.test.js b/test/server.test.js
@@ -2030,11 +2030,14 @@ test('gh-779 set-cookie fields should never have commas', function(t) {
     CLIENT.get('/set-cookie', function(err, _, res) {
         t.ifError(err);
         t.equal(
-            res.headers['set-cookie'].length,
-            1,
-            'set-cookie header should only have 1 element'
+            res.rawHeaders.filter(function(keyOrValue) {
+                return keyOrValue === 'set-cookie';
+            }).length,
+            2,
+            'multiple set-cookie headers should not be merged'
         );
-        t.equal(res.headers['set-cookie'], 'bar');
+        t.equal(res.headers['set-cookie'][0], 'foo');
+        t.equal(res.headers['set-cookie'][1], 'bar');
         t.end();
     });
 });