net/http: support Cookie "SameSite" attribute

[ghost]

https://tools.ietf.org/html/draft-west-first-party-cookies-07
https://www.chromestatus.com/feature/4672634709082112

[hkeide]

Since this is already supported in Chrome 51, and it won't be in Go for a while yet, here is a simple workaround (tested to work in Chrome 51):

cs := w.Header().Get("Set-Cookie")
cs += "; SameSite=lax"
w.Header().Set("Set-Cookie", cs)

[quentinmit]

/cc @bradfitz @adg

[bradfitz]

This seems trivial, but it also seems like we should wait until there's more web consensus. Chrome can pull or modify support, but our Go 1 compatibility promise is stronger. It would be unfortunate if we added a SameSite bool field to net/http.Cookie and then they renamed it yet again before it became fully standardized.

[kardianos]

SameSite would probably need to be an const (Strict, Lax).

Would it make sense to serialize Cookie.Unparsed into the cookie string? Then I can just set Unparsed: []string {"SameSite=Strict"},.

[JaredWilliams]

Alternative hack allowing for multiple cookies.

type SameSite string

const (
    SameSiteLax    SameSite = "lax"
    SameSiteStrict          = "strict"
)

func SetCookie(w http.ResponseWriter, cookie *http.Cookie, sameSite SameSite) {
    if v := cookie.String(); v != "" {
        switch sameSite {
        case SameSiteLax:
            v = v + "; SameSite=lax"
        case SameSiteStrict:
            v = v + "; SameSite=strict"
        }
        w.Header().Add("Set-Cookie", v)
    }
}

[reedloden]

Keep in mind there are actually three different possible values here. SameSite, SameSite=Lax, and SameSite=Strict. SameSite without a value means the same as SameSite=Strict.

Updated spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

[akyoto]

It's been a year now and the name hasn't changed.
I believe it should be added to the standard lib.

[mbyczkowski]

It's still only supported by Chrome and Opera and the IETF draft (both, orignal and the updated spec) has expired last year. ¯\_(ツ)_/¯

[gopherbot]

Change https://golang.org/cl/79919 mentions this issue: net/http: Add support for SameSite cookie option

[kardianos]

I had to remove the samesite cookie attribute even for chrome due to https://bugs.chromium.org/p/chromium/issues/detail?id=626245 .

Until bugs like this are resolved in chrome, I don't see any viable implementation. Not one, zero.

[srenatus]

@kardianos oh that's a bummer. Maybe we should close the change then.

[kardianos]

@srenatus You can leave it open and put R=go1.11 in a comment line so it won't show up on a dashboard until then. If it does become a standard, the bug will eventually get fixed. It just might not be ready now. Go can't accept the change for now anyway as it is in a freeze.

[srenatus]

@kardianos done -- thanks 😃

[agnivade]

ping on this.

OAWSP site says

As of November 2017 the SameSite attribute is implemented in Chrome, Firefox, and Opera.

caniuse.com is still pretty red but FF and Chrome support is there.

[andybons]

60% usage globally is still pretty low given that Chrome is much more cavalier about removing features.

[bradfitz]

Still not in Edge or Safari, and still only a draft standard. I still think we should wait. There's no rush and people can't use string concatenation in the meantime.

[reedloden]

Firefox just announced support for this

https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

[bradrydzewski]

FYI this shipped in Edge 18 and in the Edge 17 June security patch
https://developer.microsoft.com/en-us/microsoft-edge/platform/status/samesitecookies/

[bradfitz]

If somebody wants to send a change for this for Go 1.12, that's fine.

[agnivade]

I believe CL 79919 is already there. Probably needs to be bumped to 1.12.

[ptman]

unless I'm interpreting something wrong the samesite code seems to be in 1.11, no need to wait for 1.12