HttpOnly cookies are exposed when cookies.getAll() is passed
colinclerk opened this issue
The technique used in the demo is dangerous, since HttpOnly cookies will be written to the document body:
https://github.com/moshest/next-client-cookies/blob/main/demo/app/layout.tsx#L17
Instead, an explicit allowlist can be used to specify which cookie names get passed to the provider.
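The allowlist suggested above, as an added example that is not code from the issue or from next-client-cookies. The cookie names, the allowlist contents and the helper names are assumptions; `serializeForClient` only stands in for the serialization that happens when a value is passed to a client-side provider.

```typescript
// Entries from Next.js `cookies().getAll()` carry only name and value: the request's
// Cookie header has no HttpOnly attribute, so the server cannot filter on that flag.
interface RequestCookie {
  name: string;
  value: string;
}

// Assumed allowlist: only the cookies client-side code is meant to read.
const CLIENT_COOKIE_ALLOWLIST: ReadonlySet<string> = new Set(["theme", "locale"]);

// Return copies of the allowlisted cookies only; everything else stays on the server.
function pickClientCookies(
  all: readonly RequestCookie[],
  allow: ReadonlySet<string> = CLIENT_COOKIE_ALLOWLIST,
): RequestCookie[] {
  return all
    .filter((c) => allow.has(c.name))
    .map((c) => ({ name: c.name, value: c.value }));
}

// Names that were held back, for a server-side log (values are never included).
function withheldNames(
  all: readonly RequestCookie[],
  allow: ReadonlySet<string> = CLIENT_COOKIE_ALLOWLIST,
): string[] {
  return all.filter((c) => !allow.has(c.name)).map((c) => c.name);
}

// Stand-in for what ends up in the document when the value is handed to the client.
function serializeForClient(cookies: readonly RequestCookie[]): string {
  return JSON.stringify(cookies);
}

// Constructed sample of request cookies; "session" represents an HttpOnly cookie.
const sampleRequestCookies: RequestCookie[] = [
  { name: "session", value: "constructed-session-value" },
  { name: "theme", value: "dark" },
  { name: "__Host-csrf", value: "constructed-csrf-value" },
  { name: "locale", value: "en-GB" },
];

const unsafePayload: string = serializeForClient(sampleRequestCookies);
const safePayload: string = serializeForClient(pickClientCookies(sampleRequestCookies));
console.log("passing getAll() directly:", unsafePayload);
console.log("passing allowlisted set:  ", safePayload);
console.log("withheld:", withheldNames(sampleRequestCookies).join(", "));
```

Matching is by exact, case-sensitive name, so a cookie added later stays server-side until someone deliberately adds it to the allowlist.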
I guess we don't need to pass the cookies to the client. We just need a place to store them while rendering on the server-side.
Fixed at v1.1.0-alpha.0