net/http: support Cookie "SameSite" attribute

https://tools.ietf.org/html/draft-west-first-party-cookies-07
https://www.chromestatus.com/feature/4672634709082112

[hkeide]

Since this is already supported in Chrome 51, and it won't be in Go for a while yet, here is a simple workaround (tested to work in Chrome 51):

cs := w.Header().Get("Set-Cookie")
cs += "; SameSite=lax"
w.Header().Set("Set-Cookie", cs)

[quentinmit]

/cc @bradfitz @adg

[bradfitz]

This seems trivial, but it also seems like we should wait until there's more web consensus. Chrome can pull or modify support, but our Go 1 compatibility promise is stronger. It would be unfortunate if we added a SameSite bool field to net/http.Cookie and then they renamed it yet again before it became fully standardized.

[kardianos]

SameSite would probably need to be an const (Strict, Lax).

Would it make sense to serialize Cookie.Unparsed into the cookie string? Then I can just set Unparsed: []string {"SameSite=Strict"},.

[JaredWilliams]

Alternative hack allowing for multiple cookies.

type SameSite string

const (
    SameSiteLax    SameSite = "lax"
    SameSiteStrict          = "strict"
)

func SetCookie(w http.ResponseWriter, cookie *http.Cookie, sameSite SameSite) {
    if v := cookie.String(); v != "" {
        switch sameSite {
        case SameSiteLax:
            v = v + "; SameSite=lax"
        case SameSiteStrict:
            v = v + "; SameSite=strict"
        }
        w.Header().Add("Set-Cookie", v)
    }
}

[reedloden]

Keep in mind there are actually three different possible values here. SameSite, SameSite=Lax, and SameSite=Strict. SameSite without a value means the same as SameSite=Strict.

Updated spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

[akyoto]

It's been a year now and the name hasn't changed.
I believe it should be added to the standard lib.

[mbyczkowski]

It's still only supported by Chrome and Opera and the IETF draft (both, orignal and the updated spec) has expired last year. ¯\_(ツ)_/¯