diff --git a/lib/utils/call-server-endpoint.js b/lib/utils/call-server-endpoint.js
--- a/lib/utils/call-server-endpoint.js
+++ b/lib/utils/call-server-endpoint.js
@@ -75,13 +75,6 @@
 platformDetails?: PlatformDetails,
 };
-// If cookie is undefined, then we will defer to the underlying environment to
-// handle cookies, and we won't worry about them. We do this on the web since
-// our cookies are httponly to protect against XSS attacks. On the other hand,
-// on native we want to keep track of the cookies since we don't trust the
-// underlying implementations and prefer for things to be explicit, and XSS
-// isn't a thing on native. Note that for native, cookie might be null
-// (indicating we don't have one), and we will then set an empty Cookie header.
 async function callServerEndpoint(
 cookie: ?string,
 setNewSession: (sessionChange: ClientSessionChange, error: ?string) => void,
@@ -146,14 +139,8 @@
 json = await uploadBlobCallback(url, cookie, sessionID, input, options);
 } else {
 const mergedData: RequestData = { input };
- if (getConfig().setCookieOnRequest) {
- // We make sure that if setCookieOnRequest is true, we never set cookie to
- // undefined. null has a special meaning here: we don't currently have a
- // cookie, and we want the server to specify the new cookie it will
- // generate in the response body rather than the response header. See
- // session-types.js for more details on why we specify cookies in the body
- mergedData.cookie = cookie ? cookie : null;
- }
+ mergedData.cookie = cookie ? cookie : null;
+
 if (getConfig().setSessionIDOnRequest) {
 // We make sure that if setSessionIDOnRequest is true, we never set
 // sessionID to undefined. null has a special meaning here: we cannot
diff --git a/lib/utils/config.js b/lib/utils/config.js
--- a/lib/utils/config.js
+++ b/lib/utils/config.js
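Review bot: The new line `mergedData.cookie = cookie ? cookie : null;` in the second hunk now stands without any comment saying what the value means on the wire, and the first hunk also deletes the header comment that defined the null/undefined semantics of the `cookie` parameter, so the protocol signal is no longer documented anywhere in this file. The removed text stated that null tells the server the client holds no cookie and that the new one should be returned in the response body rather than in a Set-Cookie header; that contract still applies to the unconditional assignment and belongs next to it, e.g. `// null is a protocol signal: we have no cookie, so the server returns the new one in the response body (see session-types.js).` The same comment loss occurs in the lib/utils/upload-blob.js hunk. callServerEndpoint's body continues outside both hunks.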
@@ -14,7 +14,6 @@
 logInActionSource: LogInActionSource,
 getInitialNotificationsEncryptedMessage?: () => Promise,
 ) => Promise,
- +setCookieOnRequest: boolean,
 +setSessionIDOnRequest: boolean,
 +calendarRangeInactivityLimit: ?number,
 +platformDetails: PlatformDetails,
diff --git a/lib/utils/upload-blob.js b/lib/utils/upload-blob.js
--- a/lib/utils/upload-blob.js
+++ b/lib/utils/upload-blob.js
@@ -17,14 +17,8 @@
 options?: ?CallServerEndpointOptions,
 ): Promise {
 const formData = new FormData();
- if (getConfig().setCookieOnRequest) {
- // We make sure that if setCookieOnRequest is true, we never set cookie to
- // undefined. null has a special meaning here: we don't currently have a
- // cookie, and we want the server to specify the new cookie it will generate
- // in the response body rather than the response header. See
- // session-types.js for more details on why we specify cookies in the body.
- formData.append('cookie', cookie ? cookie : '');
- }
+ formData.append('cookie', cookie ? cookie : '');
+
 if (getConfig().setSessionIDOnRequest) {
 // We make sure that if setSessionIDOnRequest is true, we never set
 // sessionID to undefined. null has a special meaning here: we cannot
diff --git a/native/config.js b/native/config.js
--- a/native/config.js
+++ b/native/config.js
@@ -9,7 +9,6 @@ registerConfig({
 resolveInvalidatedCookie,
- setCookieOnRequest: true,
 setSessionIDOnRequest: false,
 calendarRangeInactivityLimit: 15 * 60 * 1000,
 platformDetails: {
diff --git a/web/app.react.js b/web/app.react.js
--- a/web/app.react.js
+++ b/web/app.react.js
@@ -84,7 +84,6 @@
 // We can't securely cache credentials on web, so we have no way to recover
 // from a cookie invalidation
 resolveInvalidatedCookie: null,
- setCookieOnRequest: true,
 setSessionIDOnRequest: true,
 // Never reset the calendar range
 calendarRangeInactivityLimit: null,
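Review bot: In the lib/utils/upload-blob.js hunk, `formData.append('cookie', cookie ? cookie : '');` uses `''` as the "no cookie" sentinel where the JSON path in call-server-endpoint.js uses `null`, and with the surrounding guard and its comment gone nothing tells a reader that the two values carry the same meaning to the server. The divergence is presumably because FormData fields are strings, so null cannot be sent as-is; that reasoning should be stated on the line, e.g. `// '' stands in for the null used in call-server-endpoint.js: no cookie yet, server returns the new one in the response body.` Note that a genuinely empty cookie string is indistinguishable from "no cookie" here, which is pre-existing but worth mentioning in the same comment. The enclosing function begins and ends outside the hunk.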