Address edge cookie review blockers

Author: ChristianPavilonis

.github/actions/setup-integration-test-env/action.yml

@@ -81,6 +81,8 @@ runs:
         TRUSTED_SERVER__PUBLISHER__ORIGIN_URL: http://127.0.0.1:${{ inputs.origin-port }}
         TRUSTED_SERVER__PUBLISHER__PROXY_SECRET: integration-test-proxy-secret
         TRUSTED_SERVER__EC__PASSPHRASE: integration-test-ec-secret-padded-32
+        TRUSTED_SERVER__EC__PARTNERS: >-
+          [{"name":"Integration Test Partner","source_domain":"inttest.example.com","bidstream_enabled":true,"api_token":"integration-test-token-alpha-32-bytes-ok"},{"name":"Integration Test Partner 2","source_domain":"inttest2.example.com","bidstream_enabled":true,"api_token":"integration-test-token-bravo-32-bytes-ok"}]
         TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK: "false"
       run: cargo build --package trusted-server-adapter-fastly --release --target wasm32-wasip1
 

crates/integration-tests/tests/frameworks/scenarios.rs

@@ -7,6 +7,9 @@ use crate::common::runtime::{origin_port, TestError, TestResult};
 use error_stack::Report;
 use error_stack::ResultExt as _;
 
+const INTTEST_API_TOKEN: &str = "integration-test-token-alpha-32-bytes-ok";
+const INTTEST2_API_TOKEN: &str = "integration-test-token-bravo-32-bytes-ok";
+
 /// Standard test scenarios applicable to all frontend frameworks.
 ///
 /// Each scenario tests a core trusted-server behavior that should work
@@ -514,21 +517,21 @@ fn use_seeded_ec(client: &EcTestClient, ec_id: &str) -> String {
 
 /// Full lifecycle: seeded EC → batch sync → identify (Bearer auth) with scoped UID.
 ///
-/// Uses the `inttest` partner pre-configured in `trusted-server.toml`.
+/// Uses the `inttest` partner injected by the integration-test build.
 fn ec_full_lifecycle(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
     let seeded_ec_id = seeded_ec_id('a', "test01");
     let ec_id = use_seeded_ec(&client, &seeded_ec_id);
     log::info!("EC full lifecycle: using seeded EC ID = {ec_id}");
 
-    // 2. Batch sync writes partner UID (partner "inttest" is in config)
+    // 2. Batch sync writes partner UID (partner "inttest" is injected)
     let mappings = vec![BatchMapping {
         ec_id: ec_id.clone(),
         partner_uid: "user-uid-42".to_owned(),
         timestamp: 1_700_000_000,
     }];
-    let resp = batch_sync(&client, "inttest-api-key-1-32-bytes-minimum", &mappings)?;
+    let resp = batch_sync(&client, INTTEST_API_TOKEN, &mappings)?;
     let json = assert_json_response(resp, 200)
         .attach("EC full lifecycle: batch sync should return 200")?;
 
@@ -544,7 +547,7 @@ fn ec_full_lifecycle(base_url: &str) -> TestResult<()> {
     }
 
     // 3. Identify with Bearer auth should return the synced UID
-    let json = assert_json_response(identify(&client, "inttest-api-key-1-32-bytes-minimum")?, 200)
+    let json = assert_json_response(identify(&client, INTTEST_API_TOKEN)?, 200)
         .attach("EC full lifecycle: identify after batch sync")?;
 
     let source_domain = json.get("source_domain").and_then(|v| v.as_str());
@@ -596,11 +599,11 @@ fn ec_consent_withdrawal(base_url: &str) -> TestResult<()> {
 
     // 3. With consent still granted and the EC cookie revoked, identify should
     // now report no EC present.
-    let resp = identify(&client, "inttest-api-key-1-32-bytes-minimum")?;
+    let resp = identify(&client, INTTEST_API_TOKEN)?;
     assert_status(&resp, 204).attach("identify should return 204 after cookie revocation")?;
 
     // 4. With GPC still asserted, identify should reflect consent denial.
-    let resp = identify_with_headers(&client, "inttest-api-key-1-32-bytes-minimum", &[("sec-gpc", "1")])?;
+    let resp = identify_with_headers(&client, INTTEST_API_TOKEN, &[("sec-gpc", "1")])?;
     assert_status(&resp, 403)
         .attach("identify with GPC should return 403 after consent withdrawal")?;
 
@@ -613,7 +616,7 @@ fn ec_identify_without_ec(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
 
-    let resp = identify(&client, "inttest-api-key-1-32-bytes-minimum")?;
+    let resp = identify(&client, INTTEST_API_TOKEN)?;
     assert_status(&resp, 204)
         .attach("identify without EC cookie should return 204 when consent is granted")?;
 
@@ -631,7 +634,7 @@ fn ec_identify_consent_denied(base_url: &str) -> TestResult<()> {
     // Identify with GPC=1 — in the default US-CA test geo, GPC is an explicit
     // denial that must override the allow cookie. Per spec §11.4, consent is
     // evaluated after Bearer auth, so this must be 403 Forbidden.
-    let resp = identify_with_headers(&client, "inttest-api-key-1-32-bytes-minimum", &[("sec-gpc", "1")])?;
+    let resp = identify_with_headers(&client, INTTEST_API_TOKEN, &[("sec-gpc", "1")])?;
 
     let status = resp.status().as_u16();
     if status != 403 {
@@ -654,25 +657,25 @@ fn ec_concurrent_partner_syncs(base_url: &str) -> TestResult<()> {
     let ec_id = use_seeded_ec(&client, &seeded_ec_id);
     log::info!("EC concurrent syncs: using seeded EC = {ec_id}");
 
-    // Batch sync both partners (both are pre-configured in trusted-server.toml)
+    // Batch sync both partners injected by the integration-test build.
     let mappings_a = vec![BatchMapping {
         ec_id: ec_id.clone(),
         partner_uid: "uid-a".to_owned(),
         timestamp: 1_700_000_000,
     }];
-    let resp = batch_sync(&client, "inttest-api-key-1-32-bytes-minimum", &mappings_a)?;
+    let resp = batch_sync(&client, INTTEST_API_TOKEN, &mappings_a)?;
     assert_json_response(resp, 200).attach("batch sync inttest should succeed")?;
 
     let mappings_b = vec![BatchMapping {
         ec_id: ec_id.clone(),
         partner_uid: "uid-b".to_owned(),
         timestamp: 1_700_000_000,
     }];
-    let resp = batch_sync(&client, "inttest2-api-key-2-32-bytes-minimum", &mappings_b)?;
+    let resp = batch_sync(&client, INTTEST2_API_TOKEN, &mappings_b)?;
     assert_json_response(resp, 200).attach("batch sync inttest2 should succeed")?;
 
     // Identify as inttest → should see only inttest's UID
-    let json = assert_json_response(identify(&client, "inttest-api-key-1-32-bytes-minimum")?, 200)
+    let json = assert_json_response(identify(&client, INTTEST_API_TOKEN)?, 200)
         .attach("identify as inttest after dual sync")?;
     let uid = json.get("uid").and_then(|v| v.as_str());
     if uid != Some("uid-a") {
@@ -686,7 +689,7 @@ fn ec_concurrent_partner_syncs(base_url: &str) -> TestResult<()> {
     }
 
     // Identify as inttest2 → should see only inttest2's UID
-    let json = assert_json_response(identify(&client, "inttest2-api-key-2-32-bytes-minimum")?, 200)
+    let json = assert_json_response(identify(&client, INTTEST2_API_TOKEN)?, 200)
         .attach("identify as inttest2 after dual sync")?;
     let uid = json.get("uid").and_then(|v| v.as_str());
     if uid != Some("uid-b") {
@@ -705,21 +708,21 @@ fn ec_concurrent_partner_syncs(base_url: &str) -> TestResult<()> {
 
 /// Batch sync happy path: authenticated request writes UID, verify via identify.
 ///
-/// Uses the `inttest` partner pre-configured in `trusted-server.toml`.
+/// Uses the `inttest` partner injected by the integration-test build.
 fn ec_batch_sync_happy_path(base_url: &str) -> TestResult<()> {
     let client = EcTestClient::new(base_url);
     allow_ec_generation(&client);
     let seeded_ec_id = seeded_ec_id('e', "test05");
     let ec_id = use_seeded_ec(&client, &seeded_ec_id);
     log::info!("EC batch sync happy path: using seeded ec_id = {ec_id}");
 
-    // Batch sync writes a UID for this EC ID (partner "inttest" is in config)
+    // Batch sync writes a UID for this EC ID (partner "inttest" is injected)
     let mappings = vec![BatchMapping {
         ec_id: ec_id.clone(),
         partner_uid: "batch-uid-99".to_owned(),
         timestamp: 1_700_000_000,
     }];
-    let resp = batch_sync(&client, "inttest-api-key-1-32-bytes-minimum", &mappings)?;
+    let resp = batch_sync(&client, INTTEST_API_TOKEN, &mappings)?;
     let json = assert_json_response(resp, 200).attach("batch sync should return 200")?;
 
     let accepted = json.get("accepted").and_then(|v| v.as_u64());
@@ -734,7 +737,7 @@ fn ec_batch_sync_happy_path(base_url: &str) -> TestResult<()> {
     }
 
     // Verify via identify (Bearer auth, scoped response)
-    let json = assert_json_response(identify(&client, "inttest-api-key-1-32-bytes-minimum")?, 200)
+    let json = assert_json_response(identify(&client, INTTEST_API_TOKEN)?, 200)
         .attach("identify after batch sync")?;
 
     let uid = json.get("uid").and_then(|v| v.as_str());

crates/trusted-server-core/src/consent/mod.rs

@@ -473,9 +473,9 @@ pub fn gate_eids_by_consent<T>(
 ///   information on a device) must be explicitly consented. If no TCF data is
 ///   available under GDPR, consent is assumed absent and EC is blocked.
 /// - **US state privacy**: opt-out model — EC is allowed unless the user has
-///   explicitly opted out via the US Privacy string **or** Global Privacy
-///   Control. GPC is checked independently — it always blocks EC creation
-///   regardless of what the US Privacy string says.
+///   explicitly opted out via Global Privacy Control, GPP US sale opt-out, or
+///   the US Privacy string. Explicit US opt-out signals take precedence over
+///   TCF storage consent.
 /// - **Non-regulated**: EC is allowed (no consent requirement).
 /// - **Unknown**: fail-closed — jurisdiction cannot be determined so EC is
 ///   blocked as a precaution.
@@ -491,23 +491,34 @@ pub fn allows_ec_creation(ctx: &ConsentContext) -> bool {
         }
         jurisdiction::Jurisdiction::UsState(_) => {
             // GPC is an independent opt-out signal — it always blocks EC
-            // creation regardless of what the US Privacy string says.
+            // creation regardless of other consent signals.
             if ctx.gpc {
                 return false;
             }
-            // When a CMP uses TCF in the US (e.g. Didomi), respect the
-            // TCF Purpose 1 decision — this is an explicit opt-in signal.
-            // The Sourcepoint GPP design documents this precedence decision.
+            // Explicit US opt-out signals take precedence over TCF storage
+            // consent in US-state jurisdictions.
+            if ctx.gpp.as_ref().and_then(|gpp| gpp.us_sale_opt_out) == Some(true) {
+                return false;
+            }
+            if ctx
+                .us_privacy
+                .as_ref()
+                .is_some_and(|usp| usp.opt_out_sale == PrivacyFlag::Yes)
+            {
+                return false;
+            }
+            // When a CMP uses TCF in the US (e.g. Didomi), respect the TCF
+            // Purpose 1 decision if no explicit US opt-out signal is present.
             if let Some(tcf) = effective_tcf(ctx) {
                 return tcf.has_storage_consent();
             }
-            // Check GPP US section for sale opt-out.
+            // GPP US sale_opt_out=false is an explicit non-opt-out signal.
             if let Some(gpp) = &ctx.gpp {
                 if let Some(opted_out) = gpp.us_sale_opt_out {
                     return !opted_out;
                 }
             }
-            // Check US Privacy string for explicit opt-out.
+            // Check US Privacy string when no TCF decision is present.
             if let Some(usp) = &ctx.us_privacy {
                 return usp.opt_out_sale != PrivacyFlag::Yes;
             }
@@ -540,12 +551,20 @@ pub fn has_explicit_ec_withdrawal(ctx: &ConsentContext) -> bool {
             if ctx.gpc {
                 return true;
             }
-            if let Some(tcf) = effective_tcf(ctx) {
-                return !tcf.has_storage_consent();
+            if ctx.gpp.as_ref().and_then(|gpp| gpp.us_sale_opt_out) == Some(true) {
+                return true;
             }
-            ctx.us_privacy
+            if ctx
+                .us_privacy
                 .as_ref()
                 .is_some_and(|usp| usp.opt_out_sale == PrivacyFlag::Yes)
+            {
+                return true;
+            }
+            if let Some(tcf) = effective_tcf(ctx) {
+                return !tcf.has_storage_consent();
+            }
+            false
         }
         jurisdiction::Jurisdiction::NonRegulated | jurisdiction::Jurisdiction::Unknown => false,
     }
@@ -1145,7 +1164,7 @@ mod tests {
     }
 
     #[test]
-    fn ec_allowed_us_state_tcf_takes_priority_over_us_privacy() {
+    fn ec_blocked_us_state_us_privacy_opt_out_overrides_tcf() {
         let ctx = ConsentContext {
             jurisdiction: Jurisdiction::UsState("CA".to_owned()),
             tcf: Some(make_tcf_with_storage(true)),
@@ -1158,8 +1177,12 @@ mod tests {
             ..ConsentContext::default()
         };
         assert!(
-            allows_ec_creation(&ctx),
-            "TCF consent should take priority over US Privacy opt-out when both present"
+            !allows_ec_creation(&ctx),
+            "US Privacy opt-out should take priority over TCF consent"
+        );
+        assert!(
+            has_explicit_ec_withdrawal(&ctx),
+            "US Privacy opt-out should be treated as an explicit withdrawal"
         );
     }
 
@@ -1197,6 +1220,10 @@ mod tests {
             !allows_ec_creation(&ctx),
             "US state + GPP US sale_opt_out=true should block EC"
         );
+        assert!(
+            has_explicit_ec_withdrawal(&ctx),
+            "GPP US sale opt-out should be treated as an explicit withdrawal"
+        );
     }
 
     #[test]
@@ -1219,7 +1246,7 @@ mod tests {
     }
 
     #[test]
-    fn ec_us_state_tcf_takes_priority_over_gpp_us() {
+    fn ec_us_state_gpp_us_opt_out_overrides_tcf() {
         let ctx = ConsentContext {
             jurisdiction: Jurisdiction::UsState("TN".to_owned()),
             tcf: Some(make_tcf_with_storage(true)),
@@ -1232,13 +1259,17 @@ mod tests {
             ..ConsentContext::default()
         };
         assert!(
-            allows_ec_creation(&ctx),
-            "TCF consent should take priority over GPP US opt-out"
+            !allows_ec_creation(&ctx),
+            "GPP US opt-out should take priority over TCF consent"
+        );
+        assert!(
+            has_explicit_ec_withdrawal(&ctx),
+            "GPP US opt-out should be treated as an explicit withdrawal"
         );
     }
 
     #[test]
-    fn ec_us_state_gpp_us_takes_priority_over_us_privacy() {
+    fn ec_us_state_us_privacy_opt_out_overrides_gpp_non_opt_out() {
         let ctx = ConsentContext {
             jurisdiction: Jurisdiction::UsState("TN".to_owned()),
             gpp: Some(GppConsent {
@@ -1256,8 +1287,12 @@ mod tests {
             ..ConsentContext::default()
         };
         assert!(
-            allows_ec_creation(&ctx),
-            "GPP US should take priority over us_privacy opt-out"
+            !allows_ec_creation(&ctx),
+            "US Privacy opt-out should block EC even when GPP US has no sale opt-out"
+        );
+        assert!(
+            has_explicit_ec_withdrawal(&ctx),
+            "US Privacy opt-out should be treated as an explicit withdrawal"
         );
     }
 

crates/trusted-server-core/src/proxy.rs

@@ -147,7 +147,7 @@ fn rebuild_response_with_body(
         if name == header::CONTENT_ENCODING && !preserve_encoding {
             continue;
         }
-        resp.set_header(name, value);
+        resp.append_header(name, value);
     }
     resp.set_header(header::CONTENT_TYPE, HeaderValue::from_static(content_type));
     resp.set_body(body);
@@ -1167,8 +1167,8 @@ mod tests {
     use super::{
         copy_proxy_forward_headers, handle_first_party_click, handle_first_party_proxy,
         handle_first_party_proxy_rebuild, handle_first_party_proxy_sign, is_host_allowed,
-        reconstruct_and_validate_signed_target, redirect_is_permitted, ProxyRequestConfig,
-        SUPPORTED_ENCODINGS,
+        rebuild_response_with_body, reconstruct_and_validate_signed_target, redirect_is_permitted,
+        ProxyRequestConfig, SUPPORTED_ENCODINGS,
     };
     use crate::error::{IntoHttpResponse, TrustedServerError};
     use crate::test_support::tests::create_test_settings;
@@ -1878,6 +1878,44 @@ mod tests {
         );
     }
 
+    #[test]
+    fn rebuild_response_with_body_preserves_multiple_set_cookie_headers() {
+        let mut beresp = Response::from_status(StatusCode::OK);
+        beresp.append_header(header::SET_COOKIE, "first=1; Path=/; HttpOnly");
+        beresp.append_header(header::SET_COOKIE, "second=2; Path=/; Secure");
+        beresp.set_header(header::CONTENT_TYPE, "text/plain");
+        beresp.set_header(header::CONTENT_LENGTH, "999");
+
+        let rebuilt = rebuild_response_with_body(
+            &beresp,
+            "text/html; charset=utf-8",
+            b"rewritten".to_vec(),
+            false,
+        );
+
+        let set_cookie_values: Vec<&str> = rebuilt
+            .get_headers()
+            .filter(|(name, _)| *name == header::SET_COOKIE)
+            .map(|(_, value)| value.to_str().expect("should be valid Set-Cookie"))
+            .collect();
+        assert_eq!(
+            set_cookie_values,
+            vec!["first=1; Path=/; HttpOnly", "second=2; Path=/; Secure"],
+            "should preserve multiple Set-Cookie headers"
+        );
+        assert_eq!(
+            rebuilt
+                .get_header(header::CONTENT_TYPE)
+                .and_then(|value| value.to_str().ok()),
+            Some("text/html; charset=utf-8"),
+            "should set rewritten Content-Type"
+        );
+        assert!(
+            rebuilt.get_header(header::CONTENT_LENGTH).is_none(),
+            "should not preserve stale Content-Length"
+        );
+    }
+
     #[test]
     fn html_uncompressed_response_is_processed_without_encoding() {
         let settings = create_test_settings();