net/http: support Cookie "SameSite" attribute #15867
Comments
Since this is already supported in Chrome 51, and it won't be in Go for a while yet, here is a simple workaround (tested to work in Chrome 51):
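The string-concatenation workaround the comment above describes, placed beside the `SameSite` field that `http.Cookie` gained in Go 1.11, as an added example that is not code from this thread or from the Go project; the cookie name and value are constructed placeholders, and only the two draft values `Strict` and `Lax` are accepted by the workaround.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// setCookieWorkaround is the pre-Go-1.11 approach: http.Cookie has no SameSite field,
// so the attribute is appended to cookie.String() by hand and the header written directly.
func setCookieWorkaround(w http.ResponseWriter, c *http.Cookie, sameSite string) error {
	if sameSite != "Strict" && sameSite != "Lax" {
		return errors.New("unsupported SameSite value: " + sameSite)
	}
	v := c.String() // empty when the cookie name is invalid
	if v == "" {
		return errors.New("invalid cookie")
	}
	w.Header().Add("Set-Cookie", v+"; SameSite="+sameSite)
	return nil
}

// setCookieNative uses the SameSite field that http.Cookie gained in Go 1.11.
func setCookieNative(w http.ResponseWriter, c *http.Cookie, mode http.SameSite) {
	c.SameSite = mode
	http.SetCookie(w, c)
}

// hasSameSite reports whether one Set-Cookie header value carries SameSite=<mode>,
// the check a test or a response-header audit would make.
func hasSameSite(setCookie, mode string) bool {
	for _, part := range strings.Split(setCookie, ";") {
		if strings.EqualFold(strings.TrimSpace(part), "SameSite="+mode) {
			return true
		}
	}
	return false
}

func main() {
	rec := httptest.NewRecorder() // constructed sample; name and value are placeholders
	c := &http.Cookie{Name: "session", Value: "abc123", Path: "/", Secure: true, HttpOnly: true}
	_ = setCookieWorkaround(rec, c, "Strict")
	setCookieNative(rec, c, http.SameSiteStrictMode)
	for _, h := range rec.Header()["Set-Cookie"] {
		fmt.Println(h, "->", hasSameSite(h, "Strict"))
	}
}
```

Both paths produce the same header value for this cookie, so the workaround can be dropped without changing what the browser receives once the project builds on Go 1.11 or later.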
This seems trivial, but it also seems like we should wait until there's more web consensus. Chrome can pull or modify support, but our Go 1 compatibility promise is stronger. It would be unfortunate if we added a
SameSite would probably need to be a const (Strict, Lax). Would it make sense to serialize Cookie.Unparsed into the cookie string? Then I can just set
Alternative hack allowing for multiple cookies.
Keep in mind there are actually three different possible values here. Updated spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
The same-site cookie attribute prevents a cookie from being sent along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage and to provide some protection against cross-site request forgery attacks. Spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 Fixes golang#15867 XXX: Write tests.
It's been a year now and the name hasn't changed.
It's still only supported by Chrome and Opera, and the IETF draft (both the original and the updated spec) expired last year. ¯\_(ツ)_/¯
Note that upstream support is still pending [0] (and even when merged, this will require the latest Go version). So this adds a workaround to allow for setting SameSite on the cookies used, as per the draft [1]. Also changes the options_test TestCookieOptions calls to `t.Errorf`, since this will run all checks even if one fails. (`t.Fatal[f]` would stop test execution.) [0]: golang/go#15867 [1]: https://tools.ietf.org/html/draft-west-first-party-cookies-07 Signed-off-by: Stephan Renatus <srenatus@chef.io>
Change https://golang.org/cl/79919 mentions this issue:
I had to remove the samesite cookie attribute even for chrome due to https://bugs.chromium.org/p/chromium/issues/detail?id=626245 . Until bugs like this are resolved in chrome, I don't see any viable implementation. Not one, zero.
@kardianos oh that's a bummer. Maybe we should close the change then.
@srenatus You can leave it open and put R=go1.11 in a comment line so it won't show up on a dashboard until then. If it does become a standard, the bug will eventually get fixed. It just might not be ready now. Go can't accept the change for now anyway as it is in a freeze.
@kardianos done -- thanks 😃
ping on this. OWASP site says
caniuse.com is still pretty red but FF and Chrome support is there.
60% usage globally is still pretty low given that Chrome is much more cavalier about removing features. |
Still not in Edge or Safari, and still only a draft standard. I still think we should wait. There's no rush and people can't use string concatenation in the meantime. |
Firefox just announced support for this https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ |
FYI this shipped in Edge 18 and in the Edge 17 June security patch |
If somebody wants to send a change for this for Go 1.12, that's fine. |
I believe CL 79919 is already there. Probably needs to be bumped to 1.12. |
unless I'm interpreting something wrong the samesite code seems to be in 1.11, no need to wait for 1.12 |
https://tools.ietf.org/html/draft-west-first-party-cookies-07
https://www.chromestatus.com/feature/4672634709082112