Reconsider `no-document-cookie` enabled by default
samualtnorman opened this issue · comments
no-document-cookie
is enabled by default.
The docs tell you to use the Cookie Store API, however this is a poor recommendation as it does not yet have wide browser support.
The docs' other suggestion is to use a cookie library which is a fine suggestion, however I am already using a cookie library. The rule seems to hard ban assigning to document.cookie
and the library I'm using is used in the form of:
document.cookie = setCookie(MyCookie, { foo: "baz" })
This is completely safe and is the intended usage but still trips the rule anyway.
If you would prefer to keep no-document-cookie
enabled by default, my other suggestion would be to instead make the rule smarter and allow assignments from a called imported function.
I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.
I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.
the library I'm using is used on both backend and frontend which is why it doesn't have a simple set(key, value)
api like the library you linked
I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.
the library I'm using is used on both backend and frontend which is why it doesn't have a simple
set(key, value)
api like the library you linked
Understandable, there is no document.cookie
in backend and likely there never will be because cookies need to be scoped per-origin and backend does not have a concept of an origin.
I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.
the library I'm using is used on both backend and frontend which is why it doesn't have a simple
set(key, value)
api like the library you linkedUnderstandable, there is no
document.cookie
in backend and likely there never will be because cookies need to be scoped per-origin and backend does not have a concept of an origin.
no but backends often have a concept of response.headers.set("set-cookie", string)
Yes, but as for the rule being the default, I'd still vote to keep it so users are aware of the problems of document.cookie
. In your case with the special isomorphic lib, I guess you should just disable the rule.
I wouldn't mind if this rule was a bit smarter and it could detect if document.cookie
was being assigned to from an imported function and didn't trigger in that case