Description
I'm using React Router as a... framework
Reproduction
https://github.com/rossipedia/rr-bad-cookie-signature
Reproduction steps are in the repo's README
System Info
System:
OS: macOS 15.5
CPU: (16) arm64 Apple M4 Max
Memory: 16.66 GB / 64.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.16.0 - ~/.local/state/fnm_multishells/43183_1750521524408/bin/node
Yarn: 1.22.22 - ~/.local/state/fnm_multishells/43183_1750521524408/bin/yarn
npm: 10.9.2 - ~/.local/state/fnm_multishells/43183_1750521524408/bin/npm
pnpm: 10.12.1 - ~/.local/state/fnm_multishells/43183_1750521524408/bin/pnpm
Browsers:
Chrome: 137.0.7151.105
Safari: 18.5
Used Package Manager
pnpm
Expected Behavior
The cookie should be treated as unset, the same as if an invalid signature is encountered that is valid base64.
I would expect that, in all cases, if the cookie signature cannot be validated, regardless of reason, the cookie.parse() call would return null.
Actual Behavior
An InvalidCharacterError DOMException is thrown, as outlined by MDN here. How this actually manifests is dependent on how the app handles thrown errors in loaders, but in the repo I linked above it looks like this in a resource route:
HTTP/1.1 500 Internal Server Error
Vary: Origin
content-type: text/plain
Date: Sat, 21 Jun 2025 15:59:50 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked
Unexpected Server Error
InvalidCharacterError: Invalid character
The inconsistent behavior is what I'm considering a bug:
- missing signature, or valid base64 string that decodes to an invalid signature results in cookie.parse() returning null
- an invalid base64 string used for the cookie signature: DOMException thrown