Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reconsider no-document-cookie enabled by default #2301

Open
samualtnorman opened this issue Mar 26, 2024 · 7 comments
Open

Reconsider no-document-cookie enabled by default #2301

samualtnorman opened this issue Mar 26, 2024 · 7 comments

Comments

@samualtnorman
Copy link

no-document-cookie is enabled by default.
The docs tell you to use the Cookie Store API, however this is a poor recommendation as it does not yet have wide browser support.
The docs' other suggestion is to use a cookie library which is a fine suggestion, however I am already using a cookie library. The rule seems to hard ban assigning to document.cookie and the library I'm using is used in the form of:

document.cookie = setCookie(MyCookie, { foo: "baz" })

This is completely safe and is the intended usage but still trips the rule anyway.

If you would prefer to keep no-document-cookie enabled by default, my other suggestion would be to instead make the rule smarter and allow assignments from a called imported function.
@samualtnorman samualtnorman changed the title Reconisider no-document-cookie enabled by default Reconsisider no-document-cookie enabled by default Mar 26, 2024
@samualtnorman samualtnorman changed the title Reconsisider no-document-cookie enabled by default Reconsider no-document-cookie enabled by default Mar 26, 2024
@fisker
Copy link
Collaborator

fisker commented Mar 26, 2024

#695 (comment)

@silverwind
Copy link
Contributor

silverwind commented Mar 29, 2024
edited

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

@samualtnorman
Copy link
Author

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

the library I'm using is used on both backend and frontend which is why it doesn't have a simple set(key, value) api like the library you linked

@silverwind
Copy link
Contributor

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

the library I'm using is used on both backend and frontend which is why it doesn't have a simple set(key, value) api like the library you linked

Understandable, there is no document.cookie in backend and likely there never will be because cookies need to be scoped per-origin and backend does not have a concept of an origin.

@samualtnorman
Copy link
Author

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

the library I'm using is used on both backend and frontend which is why it doesn't have a simple set(key, value) api like the library you linked

Understandable, there is no document.cookie in backend and likely there never will be because cookies need to be scoped per-origin and backend does not have a concept of an origin.

no but backends often have a concept of response.headers.set("set-cookie", string)

@silverwind
Copy link
Contributor

Yes, but as for the rule being the default, I'd still vote to keep it so users are aware of the problems of document.cookie. In your case with the special isomorphic lib, I guess you should just disable the rule.

@samualtnorman
Copy link
Author

I wouldn't mind if this rule was a bit smarter and it could detect if document.cookie was being assigned to from an imported function and didn't trigger in that case

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@silverwind @fisker @samualtnorman