This repository has been archived by the owner on Oct 1, 2024. It is now read-only.

[react-server] remove cookie pass through #1513

Closed

Conversation

@kvendrik (Member) commented Jun 16, 2020

Description

Passing through request cookies can crash the request in a case where they are very big. To see this in action run this command:

curl -XGET -L "https://shopify.com/tools/signage-maker" --cookie "master_device_id=e604f92a-432f-402a-b22f-4f24f5544bbc; _y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_fs=2019-10-04T13%3A52%3A50.351Z; _y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_fs=2019-10-04T13%3A52%3A50.351Z; _mkto_trk=id:932-KRM-548&token:_mch-shopify.com-1570475096620-29758; _gcl_au=1.1.2129217281.1570475097; _scid=24117474-842c-46cd-a1b7-199f8ef5d5ee; _fbp=fb.1.1570475096872.737558318; _biz_uid=153300fffe044608c61184d651041eda; __gads=ID=ce0e3f58911b98e2:T=1570642557:S=ALNI_Mbi0v0QtEgpfHCib4EvsXC3MBklYA; __utmc=262205262; optimizelyEndUserId=oeu1570650386070r0.8082889520333971; _biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%2C%22ViewThrough%22%3A%221%22%2C%22Mkto%22%3A%221%22%2C%22Frm%22%3A%221%22%7D; __distillery=dd0e75c_ddebc097-a466-4053-8981-21499e82492a-899f066ce-19b1a34d3f0a-e3d8; _ga=GA1.2.970b6a87-2C95-404F-0598-A763BB2EAC9F; secure_customer_sig=; _cb_ls=1; _cb=DfKB8mBIGRJuC3-sBs; __smToken=oQ8nKoixcGFPJwDHBnqO9t0X; ajs_group_id=null; ajs_anonymous_id=%2288ccfe43-bd6e-4b91-80f3-5dd4da427db5%22; __zlcmid=vNihlBP3nb7UbZ; __utmz=262205262.1575317754.4.2.utmcsr=data.shopify.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _parsely_visitor={%22id%22:%22pid=5e742a3e8f4641cbc12313a2cad917e2%22%2C%22session_count%22:1%2C%22last_session_ts%22:1580317069749}; _sctr=1|1581570000000; _shopify_country=Canada; driftt_aid=919f7d7a-b17c-4ff8-b1eb-42f3f206ea5a; ki_r=; __hstc=138892268.510ac9790a646c1417a0d61477e62d99.1582653738077.1582653738077.1582653738077.1; hubspotutk=510ac9790a646c1417a0d61477e62d99; __hssrc=1; _chartbeat2=.1572441392606.1582653738206.0000000000000001.DvlyreBTH1pvBnBcdHBUfPFhDqhpmV.1; DFTT_END_USER_PREV_BOOTSTRAPPED=true; rdt_uuid=dcd346aa-fba4-40ee-a2c5-27ca1fef307f; verdict_17739690375=%7B%22group%22%3A17743680267%2C%22created_at%22%3A%222020-04-13T17%3A41%3A49Z%22%7D; _plus_website_session=859XPhMMwIYl5oC0EHkJthfXyrBuXQBtS7lprBJa7S%2FxqJ92l%2FzkJiA4SvUo%2FCaNxAwgdGJRNl%2FPReNCmn1p88m3UDwoMsv76Jdf4cTX7nhViMeTDr6xEVFFwL0BtCMQTmkEZIg5z9956usmZXrsDI6epOsOasXIp2SfFRV%2BVe7NeMSBWa2rSMc9m%2FPxchPfAaMl15Wr%2FcClyQz1Wo9YLOsXORYVAx7E8RhSwg3ZyhULKoCSRR%2F6B4G2%2F74dQz4DfpSZCTlB9f32XgA%2F6uYiwlreV8DeSdUqAQGajompnsvD133nofl2kYlnTQnt9qL76FsyTicwqrgchCWaJg%2BFyJlq7pkA565zyN1XK8Ss9YFbztqJH7CLKBCwSujJ6zeHP%2BxbNjy5MwnDsOwj%2FoQfvWbVFX1jGaIwLLDA%2FHc2kT9ovjSuoLf9rUeEKanODGZKza0YKeNSDgxOopV8ZSUuU%2B6BZ35FE41j3pWqdfT1ukVO%2BeGNw%2FLry570y4HHZBpROF%2BlZgfXH0AsLLuKvvGmg8RObxp%2FnUh6TkCRUPoX1cdxjBocX9zszUjLJSFPZtnj3R2HtNQV1086sUqY1JtiX0rIXxqi%2FeHtvAc0Kz3XZMikRJlp1cYcWTjbHLoldsv4rLheib3viq8RFF4Oe9%2BDP28OXO%2BMoOjLxgiTy1lRlyNRmg6F0ytBEzQ4CVowzzJ5po7KUd8Prf%2FaXHOU%2BG8B7yfB6F2lzuPBRtpMCim64cmX%2FSgqQl%2FtaRPJm2tugDR2qbh54xRvcBAl4IpyViQgh6V7d4LoM2ppwvGSRSid%2F2HNi05fDGJGfs9Yj%2Bqb%2FgN%2F5DZZCNAFYt9JLN9gK0WVd%2BZFYxdlOpsI29j9X8v%2FZ88Rd9lL3blv4Ye2iSVvmITrcsgYWyXDd6rWPJt%2BhUnddlQl238mVIz%2BRWPzKTULWqQsDYbfI9YGMwzfmi8k6MQC7FmPjZpA0mckCEQ%2Fdmnl6%2BGZg92ytfUv6hqraPqDJmHwtJZ1urbR%2Bap0QhyBmPv8HhXu0zc11wNhcwhmk2Q2Ubs%2B3Ujuk0bgB2%2BaaAFAsrpCmEkKUIMVYi%2FLcSr01BQTj72HjXOL869flkEhorQxNqv%2BcB5hb86l%2F58nXV6Kgk57c6lCrODegwLjw3troyJe1bMeJxwtv2mnv8VMkHLwO7oKQq%2FD%2FnJsV2UtpkQyuJ6k83aeBc%2B8T0yS8qRpRt0Gg710tw6lxrwSUc%2FHL4JOogB9x0SokQ6RayiSmUb9CjvkrfHgcdi01LTvNEFHzeWjAjRdcGXQl5xOX16oSdZlNbIHiM1dCW3JLAMLzt4uGbfNR9JX113zyd7rSQlIC9w%2FF5UlcO4pgWkPohz2riElrm7Zr1yeNWSbatNYeuFr7Kp8FF2A6tfHrgOISZJp5GdCLmKaCfQEjIGmSmX%2BnjUgVW2AoXw%2FQVtc9Wlqph4syFyD%2Bn3VJOqdrwaZthqPuG%2FS8Fu4t81BanJzZXogXMBW98znM0zj1%2BU671EERVJVpUURA%2FQSPVfY3eyQjUsuPGGHS84sfghxtOlZ--JEn0Bj2QA4Aa9XFr--PYNy85LaEYhUXBzdeRgrOw%3D%3D; source=laura; source_url=https%3A%2F%2Fwww.shopify.com%2Fcourses%2Fdropshipping%2Foverview%3Fref%3Dlaura; source_url_referer=; __utma=262205262.534717462.1570475097.1590098797.1591108216.11; _rdt_uuid=1591132041872.dcd346aa-fba4-40ee-a2c5-27ca1fef307f; __cfduid=d77cdc393feb8160413ecd69ab85f03391591192439; _pin_unauth=dWlkPU1XWTFNelEzT0dFdE0yRTVNQzAwTUdSbUxUbG1NV1l0WlRFNE9UZGhNamhrTkRkbQ; _growth_tools_session=NUNKeHcrR24zMGxXRWxiWml0R3pFQTgvSzdqS2Y4eG9WajA4RWMxNlpsTmZEUXkwM3Qzc1pJWFZ4UHdoWGVUZ3BhRVpMNzhPRzZSYVZOeHBCUzNIdW9XZXdhcXFGa0JHYVZZU3NCUEZvZkU2OXVYK1ZaQTdFZmYrK0NLK1hPOEx2eVNSTDFWS3VqSU5QcFd6NUtsazVnPT0tLUpRSEExbzN3QjdXaWFLbjJZSC9GZWc9PQ%3D%3D--5fe5ef6168eb97b66ccebd2c7e8f0fed1ba0084f; shopifyInternal=; _careers_session=wjQzvjuLVIyafdDoKNt%2FdNpQqvkO5N%2BlDrx0eR%2BWBGWPHwpu%2BPr6W7WBSAZ1obwQs7G33DFHBWlicX%2FKymCb3iem5%2BrFyCnYud1YMyXf6n2SoycPczQ29NeiZRmLTDaUHYIux%2BcKXHsN6yKbBvx8d4BzxBBhdn1jWO8CStoGRkW%2Fj9crWVCl5vLhd06QZE5FrAkiVjJdmoJrueFDs5YKKU4W2P%2FSaXi%2BPwWL6mTM7w24O6qw1TSSlvarBddFkr9SwO3J8MVwqSzHBwLlQWxQK3LuaS4cvKmnlxby2%2Bub4ZG4jGUlldyFS1ghdpZCD%2F8wYPU1LvtKSp0IncY08Z17pW2MiQVNc7XPwACEWt1ZFUkby9HCcJsmpHRlhqKngOkh1bkqzCdQzkBpimn89wy1u0iJ1y8AHiSePFX%2Fuw%3D%3D--93nf27j050iUSemY--kh7R3gzCJa%2FsmDRNd8jCRA%3D%3D; _gid=GA1.2.1145718308.1591799996; ki_t=1582653738061%3B1591800007380%3B1591800007380%3B3%3B5; _sctr=1|1591848000000; utag_main=v_id:016da79c397b00025d296243cc8a03078001c07000c48$_sn:268$_se:1$_ss:1$_st:1591892495836$dc_group:68$ses_id:1591890695836%3Bexp-session$_pn:1%3Bexp-session; _uetsid=9d122cfd-ec5b-930e-bca8-688d34ab47a2; _uetvid=4a3d0802-65e6-9982-0469-58b25c150d09; _biz_nA=810; _biz_pendingA=%5B%5D; _derived_epik=dj0yJnU9WVNxUXR5d2VaUlBrOC1LSE5vWV9CbnZLcVZfS29wRG8mbj1odHotSmVVTm9Ebk43b0pwaURrbjJnJm09NyZ0PUFBQUFBRjdpVXd"

Now try pinging /tools, which runs on Rails:

curl -XGET -L "https://shopify.com/tools" --cookie "master_device_id=e604f92a-432f-402a-b22f-4f24f5544bbc; _y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_fs=2019-10-04T13%3A52%3A50.351Z; _y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_y=970b6a87-2C95-404F-0598-A763BB2EAC9F; _shopify_fs=2019-10-04T13%3A52%3A50.351Z; _mkto_trk=id:932-KRM-548&token:_mch-shopify.com-1570475096620-29758; _gcl_au=1.1.2129217281.1570475097; _scid=24117474-842c-46cd-a1b7-199f8ef5d5ee; _fbp=fb.1.1570475096872.737558318; _biz_uid=153300fffe044608c61184d651041eda; __gads=ID=ce0e3f58911b98e2:T=1570642557:S=ALNI_Mbi0v0QtEgpfHCib4EvsXC3MBklYA; __utmc=262205262; optimizelyEndUserId=oeu1570650386070r0.8082889520333971; _biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%2C%22ViewThrough%22%3A%221%22%2C%22Mkto%22%3A%221%22%2C%22Frm%22%3A%221%22%7D; __distillery=dd0e75c_ddebc097-a466-4053-8981-21499e82492a-899f066ce-19b1a34d3f0a-e3d8; _ga=GA1.2.970b6a87-2C95-404F-0598-A763BB2EAC9F; secure_customer_sig=; _cb_ls=1; _cb=DfKB8mBIGRJuC3-sBs; __smToken=oQ8nKoixcGFPJwDHBnqO9t0X; ajs_group_id=null; ajs_anonymous_id=%2288ccfe43-bd6e-4b91-80f3-5dd4da427db5%22; __zlcmid=vNihlBP3nb7UbZ; __utmz=262205262.1575317754.4.2.utmcsr=data.shopify.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _parsely_visitor={%22id%22:%22pid=5e742a3e8f4641cbc12313a2cad917e2%22%2C%22session_count%22:1%2C%22last_session_ts%22:1580317069749}; _sctr=1|1581570000000; _shopify_country=Canada; driftt_aid=919f7d7a-b17c-4ff8-b1eb-42f3f206ea5a; ki_r=; __hstc=138892268.510ac9790a646c1417a0d61477e62d99.1582653738077.1582653738077.1582653738077.1; hubspotutk=510ac9790a646c1417a0d61477e62d99; __hssrc=1; _chartbeat2=.1572441392606.1582653738206.0000000000000001.DvlyreBTH1pvBnBcdHBUfPFhDqhpmV.1; DFTT_END_USER_PREV_BOOTSTRAPPED=true; rdt_uuid=dcd346aa-fba4-40ee-a2c5-27ca1fef307f; verdict_17739690375=%7B%22group%22%3A17743680267%2C%22created_at%22%3A%222020-04-13T17%3A41%3A49Z%22%7D; _plus_website_session=859XPhMMwIYl5oC0EHkJthfXyrBuXQBtS7lprBJa7S%2FxqJ92l%2FzkJiA4SvUo%2FCaNxAwgdGJRNl%2FPReNCmn1p88m3UDwoMsv76Jdf4cTX7nhViMeTDr6xEVFFwL0BtCMQTmkEZIg5z9956usmZXrsDI6epOsOasXIp2SfFRV%2BVe7NeMSBWa2rSMc9m%2FPxchPfAaMl15Wr%2FcClyQz1Wo9YLOsXORYVAx7E8RhSwg3ZyhULKoCSRR%2F6B4G2%2F74dQz4DfpSZCTlB9f32XgA%2F6uYiwlreV8DeSdUqAQGajompnsvD133nofl2kYlnTQnt9qL76FsyTicwqrgchCWaJg%2BFyJlq7pkA565zyN1XK8Ss9YFbztqJH7CLKBCwSujJ6zeHP%2BxbNjy5MwnDsOwj%2FoQfvWbVFX1jGaIwLLDA%2FHc2kT9ovjSuoLf9rUeEKanODGZKza0YKeNSDgxOopV8ZSUuU%2B6BZ35FE41j3pWqdfT1ukVO%2BeGNw%2FLry570y4HHZBpROF%2BlZgfXH0AsLLuKvvGmg8RObxp%2FnUh6TkCRUPoX1cdxjBocX9zszUjLJSFPZtnj3R2HtNQV1086sUqY1JtiX0rIXxqi%2FeHtvAc0Kz3XZMikRJlp1cYcWTjbHLoldsv4rLheib3viq8RFF4Oe9%2BDP28OXO%2BMoOjLxgiTy1lRlyNRmg6F0ytBEzQ4CVowzzJ5po7KUd8Prf%2FaXHOU%2BG8B7yfB6F2lzuPBRtpMCim64cmX%2FSgqQl%2FtaRPJm2tugDR2qbh54xRvcBAl4IpyViQgh6V7d4LoM2ppwvGSRSid%2F2HNi05fDGJGfs9Yj%2Bqb%2FgN%2F5DZZCNAFYt9JLN9gK0WVd%2BZFYxdlOpsI29j9X8v%2FZ88Rd9lL3blv4Ye2iSVvmITrcsgYWyXDd6rWPJt%2BhUnddlQl238mVIz%2BRWPzKTULWqQsDYbfI9YGMwzfmi8k6MQC7FmPjZpA0mckCEQ%2Fdmnl6%2BGZg92ytfUv6hqraPqDJmHwtJZ1urbR%2Bap0QhyBmPv8HhXu0zc11wNhcwhmk2Q2Ubs%2B3Ujuk0bgB2%2BaaAFAsrpCmEkKUIMVYi%2FLcSr01BQTj72HjXOL869flkEhorQxNqv%2BcB5hb86l%2F58nXV6Kgk57c6lCrODegwLjw3troyJe1bMeJxwtv2mnv8VMkHLwO7oKQq%2FD%2FnJsV2UtpkQyuJ6k83aeBc%2B8T0yS8qRpRt0Gg710tw6lxrwSUc%2FHL4JOogB9x0SokQ6RayiSmUb9CjvkrfHgcdi01LTvNEFHzeWjAjRdcGXQl5xOX16oSdZlNbIHiM1dCW3JLAMLzt4uGbfNR9JX113zyd7rSQlIC9w%2FF5UlcO4pgWkPohz2riElrm7Zr1yeNWSbatNYeuFr7Kp8FF2A6tfHrgOISZJp5GdCLmKaCfQEjIGmSmX%2BnjUgVW2AoXw%2FQVtc9Wlqph4syFyD%2Bn3VJOqdrwaZthqPuG%2FS8Fu4t81BanJzZXogXMBW98znM0zj1%2BU671EERVJVpUURA%2FQSPVfY3eyQjUsuPGGHS84sfghxtOlZ--JEn0Bj2QA4Aa9XFr--PYNy85LaEYhUXBzdeRgrOw%3D%3D; source=laura; source_url=https%3A%2F%2Fwww.shopify.com%2Fcourses%2Fdropshipping%2Foverview%3Fref%3Dlaura; source_url_referer=; __utma=262205262.534717462.1570475097.1590098797.1591108216.11; _rdt_uuid=1591132041872.dcd346aa-fba4-40ee-a2c5-27ca1fef307f; __cfduid=d77cdc393feb8160413ecd69ab85f03391591192439; _pin_unauth=dWlkPU1XWTFNelEzT0dFdE0yRTVNQzAwTUdSbUxUbG1NV1l0WlRFNE9UZGhNamhrTkRkbQ; _growth_tools_session=NUNKeHcrR24zMGxXRWxiWml0R3pFQTgvSzdqS2Y4eG9WajA4RWMxNlpsTmZEUXkwM3Qzc1pJWFZ4UHdoWGVUZ3BhRVpMNzhPRzZSYVZOeHBCUzNIdW9XZXdhcXFGa0JHYVZZU3NCUEZvZkU2OXVYK1ZaQTdFZmYrK0NLK1hPOEx2eVNSTDFWS3VqSU5QcFd6NUtsazVnPT0tLUpRSEExbzN3QjdXaWFLbjJZSC9GZWc9PQ%3D%3D--5fe5ef6168eb97b66ccebd2c7e8f0fed1ba0084f; shopifyInternal=; _careers_session=wjQzvjuLVIyafdDoKNt%2FdNpQqvkO5N%2BlDrx0eR%2BWBGWPHwpu%2BPr6W7WBSAZ1obwQs7G33DFHBWlicX%2FKymCb3iem5%2BrFyCnYud1YMyXf6n2SoycPczQ29NeiZRmLTDaUHYIux%2BcKXHsN6yKbBvx8d4BzxBBhdn1jWO8CStoGRkW%2Fj9crWVCl5vLhd06QZE5FrAkiVjJdmoJrueFDs5YKKU4W2P%2FSaXi%2BPwWL6mTM7w24O6qw1TSSlvarBddFkr9SwO3J8MVwqSzHBwLlQWxQK3LuaS4cvKmnlxby2%2Bub4ZG4jGUlldyFS1ghdpZCD%2F8wYPU1LvtKSp0IncY08Z17pW2MiQVNc7XPwACEWt1ZFUkby9HCcJsmpHRlhqKngOkh1bkqzCdQzkBpimn89wy1u0iJ1y8AHiSePFX%2Fuw%3D%3D--93nf27j050iUSemY--kh7R3gzCJa%2FsmDRNd8jCRA%3D%3D; _gid=GA1.2.1145718308.1591799996; ki_t=1582653738061%3B1591800007380%3B1591800007380%3B3%3B5; _sctr=1|1591848000000; utag_main=v_id:016da79c397b00025d296243cc8a03078001c07000c48$_sn:268$_se:1$_ss:1$_st:1591892495836$dc_group:68$ses_id:1591890695836%3Bexp-session$_pn:1%3Bexp-session; _uetsid=9d122cfd-ec5b-930e-bca8-688d34ab47a2; _uetvid=4a3d0802-65e6-9982-0469-58b25c150d09; _biz_nA=810; _biz_pendingA=%5B%5D; _derived_epik=dj0yJnU9WVNxUXR5d2VaUlBrOC1LSE5vWV9CbnZLcVZfS29wRG8mbj1odHotSmVVTm9Ebk43b0pwaURrbjJnJm09NyZ0PUFBQUFBRjdpVXd"

What is happening here is that request cookies get passed from Node to the client, which is something Rails doesn't do. Example:

react-server endpoint on Signage
[screenshot: screen_shot_2020-06-16_at_11 06 58_am]

Rails endpoint on Signage
[screenshot: screen_shot_2020-06-16_at_11 08 30_am]

This fix removes that logic, which makes the behaviour match Rails:
[screenshot: screen_shot_2020-06-16_at_11 08 48_am]

CURL used in screenshots
curl -IXGET "https://www.shopify.com/tools/signage-maker" --cookie "_cookieA=this%2Bhas%2Ba%2Bplus; _cookieB=" --silent | grep "_cookieA\|_cookieB"

An additional argument for this fix is that Web doesn't pass through the cookies either.

It does, however, seem to have been added for a reason, so it might need a tiny bit more investigation to see if this is a safe change. #1002

Type of change

@shopify/react-server bug fix

Checklist

  • I have added a changelog entry, prefixed by the type of change noted above (Documentation fix and Test update do not need a changelog as we do not publish a new version)
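The two behaviours the PR contrasts (echoing every request cookie back as a Set-Cookie response header versus emitting only the cookies the app itself sets) and the `curl -I ... | grep` check from the screenshots, modelled as an added example. This is not code from this PR or from @shopify/react-server; the handler shape, the 8 KiB response-header budget and the cookie jar it builds are assumptions for illustration.

```javascript
// Added example (not code from this PR or from @shopify/react-server).
// Models the pre-fix behaviour (every request cookie is echoed back as a
// Set-Cookie header) against the fix (only cookies the app sets go out), and
// the curl | grep reflection check from the PR. The handler shape, the 8 KiB
// header budget and the cookie jar below are assumptions for illustration.

// Parse a Cookie request header into [name, value] pairs. Values are kept
// verbatim (no percent-decoding), so "%2B" stays "%2B" as curl sent it.
function parseCookieHeader(header) {
  if (!header) return [];
  return header
    .split(';')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((pair) => {
      const eq = pair.indexOf('=');
      return eq === -1 ? [pair, ''] : [pair.slice(0, eq), pair.slice(eq + 1)];
    });
}

// Build a response's Set-Cookie list. appCookies are cookies the app itself
// sets; passThroughCookies toggles the pre-fix echo of request cookies.
function buildSetCookie(requestHeaders, appCookies, { passThroughCookies }) {
  const out = appCookies.map(([name, value]) => `${name}=${value}`);
  if (passThroughCookies) {
    for (const [name, value] of parseCookieHeader(requestHeaders.cookie)) {
      out.push(`${name}=${value}`);
    }
  }
  return out;
}

// Bytes the Set-Cookie lines occupy on the wire ("Set-Cookie: <v>\r\n" each).
function setCookieBytes(setCookie) {
  return setCookie.reduce(
    (total, value) => total + Buffer.byteLength(`Set-Cookie: ${value}\r\n`),
    0,
  );
}

// The check behind `curl -I ... --cookie ... | grep` in the PR: which request
// cookie names come back in the response's Set-Cookie headers?
function reflectedCookieNames(requestCookieHeader, setCookie) {
  const requested = parseCookieHeader(requestCookieHeader).map(([name]) => name);
  const echoed = new Set(
    setCookie.map((line) => line.split(';')[0].split('=')[0].trim()),
  );
  return requested.filter((name) => echoed.has(name));
}

// Constructed cookie jar (not captured traffic): many tracking cookies with
// long values, plus the two probe cookies from the PR's screenshot command.
function buildLargeCookieHeader(count = 40, valueLength = 256) {
  const parts = [];
  for (let i = 0; i < count; i++) {
    parts.push(`tracker_${i}=${'x'.repeat(valueLength)}`);
  }
  parts.push('_cookieA=this%2Bhas%2Ba%2Bplus', '_cookieB=');
  return parts.join('; ');
}

// Assumed response-header budget (a proxy or server limit) for illustration.
const HEADER_BUDGET = 8 * 1024;

// Run the same request through both behaviours; report size and reflection.
function compare(requestCookieHeader) {
  const requestHeaders = { cookie: requestCookieHeader };
  const appCookies = [['_session', 'abc123; Path=/; HttpOnly; Secure']];
  const summarise = (setCookie) => {
    const bytes = setCookieBytes(setCookie);
    return {
      bytes,
      overBudget: bytes > HEADER_BUDGET,
      reflected: reflectedCookieNames(requestCookieHeader, setCookie),
    };
  };
  return {
    before: summarise(buildSetCookie(requestHeaders, appCookies, { passThroughCookies: true })),
    after: summarise(buildSetCookie(requestHeaders, appCookies, { passThroughCookies: false })),
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  const result = compare(buildLargeCookieHeader());
  for (const [label, r] of [['pass-through', result.before], ['fixed', result.after]]) {
    console.log(`${label}: ${r.bytes} bytes, over budget: ${r.overBudget}, reflected: ${r.reflected.length}`);
  }
}
```

With the pass-through enabled the response carries all 42 request cookies back as Set-Cookie lines and blows through the assumed budget; with it removed only the app's own session cookie goes out and the reflection list is empty, which is what the `grep` in the PR is looking for. The reflection check is the one worth keeping in a response-header test: a Set-Cookie the app never issued re-writes the browser's stored copy of that cookie with whatever attributes the echoing layer attached, or omitted.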
