Reconsider `no-document-cookie` enabled by default

Question

Reconsider `no-document-cookie` enabled by default

samualtnorman opened this issue 2 months ago · comments

no-document-cookie is enabled by default.
The docs tell you to use the Cookie Store API, however this is a poor recommendation as it does not yet have wide browser support.
The docs' other suggestion is to use a cookie library which is a fine suggestion, however I am already using a cookie library. The rule seems to hard ban assigning to document.cookie and the library I'm using is used in the form of:

document.cookie = setCookie(MyCookie, { foo: "baz" })

This is completely safe and is the intended usage but still trips the rule anyway.

If you would prefer to keep no-document-cookie enabled by default, my other suggestion would be to instead make the rule smarter and allow assignments from a called imported function.

fisker Cheung · Answer 1 · Wed Mar 27 2024 04:01:34 GMT+0800 (China Standard Time)

#695 (comment)

silverwind · Answer 2 · Fri Mar 29 2024 23:18:49 GMT+0800 (China Standard Time)

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

Samual Norman · Answer 3 · Fri Mar 29 2024 23:21:59 GMT+0800 (China Standard Time)

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

the library I'm using is used on both backend and frontend which is why it doesn't have a simple set(key, value) api like the library you linked

silverwind · Answer 4 · Fri Mar 29 2024 23:29:00 GMT+0800 (China Standard Time)

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

the library I'm using is used on both backend and frontend which is why it doesn't have a simple set(key, value) api like the library you linked

Understandable, there is no document.cookie in backend and likely there never will be because cookies need to be scoped per-origin and backend does not have a concept of an origin.

Samual Norman · Answer 5 · Fri Mar 29 2024 23:40:12 GMT+0800 (China Standard Time)

I'd just use https://github.com/js-cookie/js-cookie personally and it seems that rule agrees, so I'd say working as intended.

the library I'm using is used on both backend and frontend which is why it doesn't have a simple set(key, value) api like the library you linked

Understandable, there is no document.cookie in backend and likely there never will be because cookies need to be scoped per-origin and backend does not have a concept of an origin.

no but backends often have a concept of response.headers.set("set-cookie", string)

silverwind · Answer 6 · Fri Mar 29 2024 23:43:08 GMT+0800 (China Standard Time)

Yes, but as for the rule being the default, I'd still vote to keep it so users are aware of the problems of document.cookie. In your case with the special isomorphic lib, I guess you should just disable the rule.

Samual Norman · Answer 7 · Fri Mar 29 2024 23:46:40 GMT+0800 (China Standard Time)

I wouldn't mind if this rule was a bit smarter and it could detect if document.cookie was being assigned to from an imported function and didn't trigger in that case