fix: do not re-escape cookies collected from fetch calls during SSR (#11904)

* fix: do not re-escape cookies collected from fetch calls during SSR

* add test

* add changeset

Author: Conduitry

.changeset/fair-suns-report.md

@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+fix: avoid incorrectly un- and re-escaping cookies collected during a server-side `fetch`

packages/kit/src/runtime/server/fetch.js

@@ -132,13 +132,16 @@ export function create_fetch({ event, options, manifest, state, get_cookie_heade
 				const set_cookie = response.headers.get('set-cookie');
 				if (set_cookie) {
 					for (const str of set_cookie_parser.splitCookiesString(set_cookie)) {
-						const { name, value, ...options } = set_cookie_parser.parseString(str);
+						const { name, value, ...options } = set_cookie_parser.parseString(str, {
+							decodeValues: false
+						});
 
 						const path = options.path ?? (url.pathname.split('/').slice(0, -1).join('/') || '/');
 
 						// options.sameSite is string, something more specific is required - type cast is safe
 						set_internal(name, value, {
 							path,
+							encode: (value) => value,
 							.../** @type {import('cookie').CookieSerializeOptions} */ (options)
 						});
 					}

packages/kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/+page.js

@@ -0,0 +1,10 @@
+import { browser } from '$app/environment';
+
+/** @type {import('@sveltejs/kit').Load}*/
+export async function load({ fetch }) {
+	if (!browser) {
+		// We don't want the client-side collected cookie to clobber the
+		// server-side collected cookie that we're actually testing.
+		await fetch('/cookies/collect-without-re-escaping/set-cookie');
+	}
+}

packages/kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/+page.svelte

@@ -0,0 +1,5 @@
+<script>
+	import { browser } from '$app/environment';
+</script>
+
+<p>{browser && document.cookie}</p>

packages/kit/test/apps/basics/src/routes/cookies/collect-without-re-escaping/set-cookie/+server.js

@@ -0,0 +1,4 @@
+/** @type {import('@sveltejs/kit').RequestHandler} */
+export async function GET() {
+	return new Response(null, { headers: { 'set-cookie': 'cookie-special-characters="foo"' } });
+}

packages/kit/test/apps/basics/test/cross-platform/client.test.js

@@ -827,6 +827,11 @@ test.describe('cookies', () => {
 		await page.locator('button').click();
 		await expect(page.locator('p')).toHaveText('foo=bar');
 	});
+
+	test("fetch during SSR doesn't un- and re-escape cookies", async ({ page }) => {
+		await page.goto('/cookies/collect-without-re-escaping');
+		await expect(page.locator('p')).toHaveText('cookie-special-characters="foo"');
+	});
 });
 
 test.describe('Interactivity', () => {