Closed
Labels
area: common/http (Issues related to HTTP and HTTP Client)
Description
Which @angular/* package(s) are the source of the bug?
core
Is this a regression?
No
Description
When a valid HTTP response with multiple "Set-Cookie" headers is resolved by HttpClient, only one of the headers will be defined in response.headers.
Here's a simple reproduction:
```ts
import { HttpHeaders } from '@angular/common/http';

const init: HeadersInit = [
  ['Set-Cookie', 'cookie1=foo'],
  ['Set-Cookie', 'cookie2=bar'],
];
const headers = new Headers(init);
const httpHeaders = new HttpHeaders(headers);
httpHeaders.getAll('set-cookie'); // returns [ 'cookie2=bar' ]
```
The problem occurs on line 257 of packages/common/http/src/headers.ts. There is no check for an existing header with the same key before the line
```ts
this.headers.set(key, headerValues);
```
My interpretation is that this is a valid way to use the Set-Cookie header, due to the method getSetCookie() existing on the Headers API (https://developer.mozilla.org/en-US/docs/Web/API/Headers/getSetCookie).
The use case for this is an interceptor on the server side that acts as a proxy for cookies between the user and an API:
```ts
import {
  HttpEvent,
  HttpEventType,
  HttpHandlerFn,
  HttpInterceptorFn,
  HttpRequest,
} from '@angular/common/http';
import { inject } from '@angular/core';
import { Observable } from 'rxjs';
import { tap } from 'rxjs/operators';
// REQUEST, RESPONSE and ENVIRONMENT are the application's own injection tokens;
// their definitions are not shown in this issue.

export const headersInterceptor: HttpInterceptorFn = (
  req: HttpRequest<unknown>,
  next: HttpHandlerFn
): Observable<HttpEvent<unknown>> => {
  const request = inject(REQUEST, { optional: true });
  const response = inject(RESPONSE, { optional: true });
  const environment = inject(ENVIRONMENT);
  //? SSR Should forward cookies from the original request.
  if (request?.headers.cookie && req.url.startsWith(environment.apiUrl)) {
    req = req.clone({
      setHeaders: {
        cookie: request.headers.cookie,
      },
    });
  }
  return next(req).pipe(
    tap((res) => {
      //? SSR Should forward Set-Cookie headers to the client
      if (
        response &&
        res.type === HttpEventType.Response &&
        res.headers.get("set-cookie") &&
        req.url.startsWith(environment.apiUrl)
      ) {
        response.setHeader(
          "set-cookie",
          res.headers.getAll("set-cookie") || []
        );
      }
    })
  );
};
```
Please provide a link to a minimal reproduction of the bug
No response
Please provide the exception or error you saw
No response
Please provide the environment you discovered this bug in (run ng version)
Angular CLI: 18.1.3
Node: 20.9.0
Package Manager: npm 10.1.0
OS: darwin arm64
Angular: 18.1.3
... animations, cdk, cli, common, compiler, compiler-cli, core
... forms, platform-browser, platform-browser-dynamic
... platform-server, router, ssr
Package Version
---------------------------------------------------------
@angular-devkit/architect 0.1801.3
@angular-devkit/build-angular 18.1.3
@angular-devkit/core 18.1.3
@angular-devkit/schematics 18.1.3
@schematics/angular 18.1.3
rxjs 6.6.7
typescript 5.4.5
zone.js 0.14.10
Anything else?
No response
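The loss described in this issue can be reproduced without Angular. The following is an added example, not part of the original issue and not Angular's code: `copyWithSet` and `copyWithAppend` are hypothetical helpers that model copying a Fetch `Headers` object into a name-to-values map, and the header values are constructed samples. It assumes a runtime whose `Headers` implements `getSetCookie()`.

```javascript
// Lossy copy: each iterated entry overwrites the previous entry for that name.
// Fetch `Headers` iteration yields every Set-Cookie value as its own entry,
// so only the last cookie survives.
function copyWithSet(headers) {
  const map = new Map();
  headers.forEach((value, name) => {
    map.set(name, [value]);
  });
  return map;
}

// Preserving copy: append to the existing list when the name was already seen.
function copyWithAppend(headers) {
  const map = new Map();
  headers.forEach((value, name) => {
    const existing = map.get(name);
    if (existing) {
      existing.push(value);
    } else {
      map.set(name, [value]);
    }
  });
  return map;
}

// Constructed sample response headers (not taken from a real server).
function sampleHeaders() {
  return new Headers([
    ['Set-Cookie', 'cookie1=foo; Path=/; HttpOnly'],
    ['Set-Cookie', 'cookie2=bar; Expires=Wed, 21 Oct 2026 07:28:00 GMT'],
    ['Cache-Control', 'no-store'],
    ['Cache-Control', 'private'],
  ]);
}

const h = sampleHeaders();
console.log('set():     ', copyWithSet(h).get('set-cookie'));
console.log('append():  ', copyWithAppend(h).get('set-cookie'));
console.log('platform:  ', h.getSetCookie());
// Other repeated headers arrive already comma-joined, so they are unaffected.
console.log('cache-ctl: ', copyWithSet(h).get('cache-control'));
// get() comma-joins Set-Cookie too, which is ambiguous because the Expires
// attribute itself contains a comma; the values have to stay separate.
console.log('get():     ', h.get('set-cookie'));
```

In a proxy like the interceptor above, the cookie dropped by the lossy copy can be the one carrying the session, so the forwarded list should be compared against what the API actually sent.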