apply set-cookie headers from page dependencies

[Rich-Harris]

fixes #1198. set-cookie headers from endpoints were being handled in a fairly naive way — if the response was read inside load, the set-cookie headers were merged with existing ones, but otherwise they were ignored.

With this PR, set-cookie headers are automatically parsed (not just if the response is read) using set-cookie-parser (which doesn't mind if multiple headers have been concatenated), and kept track of as load runs. This means that if two endpoints are fetched in load, cookies from the first response will be applied to the second request, and cookies from both responses are added to the page response.

Very possible that I've overlooked some nuance around domains or somesuch, so would be grateful for a sanity check.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpx changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: c8f71e3

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR