net/http: support Cookie "SameSite" attribute #15867

Open
haoxins opened this Issue May 28, 2016 · 4 comments

@hkeide
hkeide commented Jun 4, 2016

Since this is already supported in Chrome 51, and it won't be in Go for a while yet, here is a simple workaround (tested to work in Chrome 51):

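```go
// Read the Set-Cookie header already written to the response
// (Get returns the first value only), append the attribute, write it back.
cs := w.Header().Get("Set-Cookie")
cs += "; SameSite=lax"
w.Header().Set("Set-Cookie", cs)
```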
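
A variant of the workaround above for responses that set more than one cookie, since `Header.Get` returns only the first `Set-Cookie` value and `Header.Set` replaces them all. This is an added example, not code from the thread or from the Go project; `AppendSameSite` and `hasSameSite` are hypothetical helpers and the sample cookies are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// hasSameSite reports whether a Set-Cookie value already carries a
// SameSite attribute (attribute names are matched case-insensitively).
func hasSameSite(setCookie string) bool {
	for _, attr := range strings.Split(setCookie, ";")[1:] {
		name := strings.TrimSpace(strings.SplitN(attr, "=", 2)[0])
		if strings.EqualFold(name, "SameSite") {
			return true
		}
	}
	return false
}

// AppendSameSite (hypothetical helper) rewrites every Set-Cookie value in h,
// appending "; SameSite=<mode>" unless the cookie already has one.
// mode must be "Strict" or "Lax", the two values named in this thread.
func AppendSameSite(h http.Header, mode string) error {
	if mode != "Strict" && mode != "Lax" {
		return fmt.Errorf("unsupported SameSite mode %q", mode)
	}
	cookies := h["Set-Cookie"] // direct map access returns all values
	for i, c := range cookies {
		if !hasSameSite(c) {
			cookies[i] = c + "; SameSite=" + mode
		}
	}
	return nil
}

func main() {
	h := http.Header{}
	// Constructed sample cookies.
	h.Add("Set-Cookie", (&http.Cookie{Name: "session", Value: "abc", HttpOnly: true, Secure: true}).String())
	h.Add("Set-Cookie", (&http.Cookie{Name: "theme", Value: "dark"}).String())
	if err := AppendSameSite(h, "Lax"); err != nil {
		panic(err)
	}
	for _, c := range h["Set-Cookie"] {
		fmt.Println(c)
	}
}
```

Call it on `w.Header()` after the last `http.SetCookie` call and before the handler writes the response body.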
@quentinmit
Contributor
@quentinmit quentinmit added this to the Unplanned milestone Jun 17, 2016
@bradfitz bradfitz changed the title from http/cookie: support same-site attribute to net/http: support Cookie "SameSite" attribute Jun 25, 2016
@bradfitz
Member

This seems trivial, but it also seems like we should wait until there's more web consensus. Chrome can pull or modify support, but our Go 1 compatibility promise is stronger. It would be unfortunate if we added a SameSite bool field to net/http.Cookie and then they renamed it yet again before it became fully standardized.

@kardianos
Contributor

SameSite would probably need to be a const (Strict, Lax).

Would it make sense to serialize `Cookie.Unparsed` into the cookie string? Then I can just set `Unparsed: []string{"SameSite=Strict"},`.

@Unknwon Unknwon referenced this issue in gogits/gogs Feb 14, 2017
Open

Cookie security #3525

2 of 6 tasks complete