Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Fetch requests don't expose `Set-Cookie` response header

See original GitHub issue

The following code behaves differently on miniflare VS on a deployed worker:

addEventListener('fetch', event => {
 * Respond with hello worker text
 * @param {Request} request
async function handleRequest(request) {
  const url = new URL(request.url);

  if (url.pathname === '/cookies') {
    return new Response(null, {
      headers: {
        'Set-Cookie': 'foo=bar'
  } else {
    const res = await fetch(`${url.origin}/cookies`);
    return new Response(JSON.stringify(res.headers.get('set-cookie')))

  • Visiting the /cookies URL returns a set-cookie header with the value foo=bar. Visiting any other URL does a sub-fetch to the /cookies path and returns the value of the set-cookie header in the response body.

In miniflare, this returns null… In a worker, this behaves as expected - the set-cookie header is exposed to the user.

The source of this is that undici follows the fetch spec closer than workers. The conflict source is undici/lib/fetch/response.js:370, the filterResponse function, which removes forbidden headers from the response such as set-cookie.

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:9
  • Comments:7

github_iconTop GitHub Comments

hansedecommented, Mar 2, 2022

I also came to the same conclusion today. Unfortunately this is the last thing preventing me from deploying Miniflare as part of our development environment. When the set-cookie header fails to propagate, Django’s csrf_token can’t be set, so Django auth doesn’t work. This is notably different behavior from Cloudflare Workers.

joonacommented, Feb 22, 2022

I’m hitting the same problem while trying to integrate miniflare to our development process.

In our case, this happens when proxying API requests on path /api to our API Origin behind CF Access (Service Token authentication) without doing any modifications to the response. Request is cloned to be able to attach additional headers for service token authentication. However, the problem also happens when doing no header modifications at all and using IP whitelisting on CF Access side.

The same code works perfectly on Worker runtime.

Invocation on both environments is same-site with valid HTTPS and withCredentials on the client side, etc.

While doing my own digging, I also came to conclusion, that those headers are dropped due undici fetch implementation, but didn’t find any way to work around this.

Read more comments on GitHub >

github_iconTop Results From Across the Web

fetch() Not setting cookie despite `Set-Cookie` header
I can make a request to this route, and I do notice the Set-Cookie header is set on the response object within Chrome...
Read more >
Set-Cookie - HTTP - MDN Web Docs
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent...
Read more >
Cookie missing in HTTP request when using Fetch API
Server sends HTTP response with Set-Cookie: cookie=monster header, which sets the cookie in the browser. Every subsequent request the browser ...
Read more >
Fetch Standard
The Fetch standard defines requests, responses, and the process that ... A response will typically get its CORS-exposed header-name list set ...
Read more >
Set-Cookie - HTTP - UDN Web Docs: MDN Backup
Browsers block frontend JavaScript code from accessing the Set Cookie header, as required by the Fetch spec, which defines Set-Cookie as a forbidden...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found