feat: remove headers filtering

[KhafraDev]

Fixes #1463
Fixes #1262

@ronag's checklist here should be completed:

1. "A WinterCG issue" - Cookies and fetch() on servers wintercg/fetch#7
2. "It's clear in the code that all related logic is outside of spec and a reference motivating it." - Areas of the code where the spec mentioned "filtered" or "safelisted" headers has been commented.
3. "Clearly added to the README."
4. "Investigate what exactly deno, node-fetch and cloudflare does so that we don't introduce another variant with slight differences." -

• Cloudflare has a Headers.prototype.getAll method (deprecated & removed from the spec) that only works with set-cookie headers.
• Deno doesn't do this filtering at all (confirmed on my end, a Deno maintainer also mentions this in the wintercg issue).
• node-fetch has a Headers.prototype.raw method that returns the raw headers.

Clearly, following Deno is the best idea and closest to the spec itself. We aren't adding anything in, but simply removing constraints that don't apply to a server environment.

[codecov-commenter]

Codecov Report

Merging #1469 (f460eae) into main (a7669df) will increase coverage by 0.14%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #1469      +/-   ##
==========================================
+ Coverage   94.55%   94.70%   +0.14%     
==========================================
  Files          49       49              
  Lines        4276     4246      -30     
==========================================
- Hits         4043     4021      -22     
+ Misses        233      225       -8     

Impacted Files	Coverage Δ
lib/fetch/constants.js	100.00% <ø> (ø)
lib/fetch/response.js	93.33% <ø> (+4.37%)	⬆️
lib/fetch/headers.js	94.69% <100.00%> (-0.48%)	⬇️
lib/fetch/request.js	85.89% <100.00%> (-0.07%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a7669df...f460eae. Read the comment docs.

[mcollina]

lgtm

[ronag]

I'm still concerned about the 2 places where this PR diverges from the spec. However, I'm going on vacation tomorrow and won't have time to dig into it myself. Merge it if you wish but I'd be happy if you could resolve this before merging.

[KhafraDev]

@ronag Enjoy your vacation 😄, you were completely right - something was wrong with how the guard checks were being done now that the forbidden headers were no longer being checked as well (append and set were returning early so the headers weren't getting set). Only reason my changes worked was because new Headers(...) sets the guard to none by default, which doesn't have special behavior attached to it.

Everything follows the spec entirely now, and issues in the future should be easier now that I understand entirely what's happening!

---

Going to assume there was a pretty big performance improvement as well from removing the Proxy along with the forbidden header checks!

[dsine-de]

Should this be available already in a current Node.js version? I don't see a cookie header being set on a Node.js fetch request when following a redirect with a set-cookie response header in Node.js v.18.8.0, like in the browser or e.g. in the Postman client.

[KhafraDev]

Yes, this is bundled in the current node version. If you make an issue or have a minimal reproduction I'd be glad to look into it.

[dsine-de]

Ok thank you, I don't know what's the decision if this should work with Node.js native fetch, but it seems Postman and the browser fetch have something like a cookie jar and if they get a set-cookie header in a request which redirects, they save that cookie and add it as a cookie header when following the redirect.

If this should work the same with Node.js fetch, I'll make a minimal repro example & issue.