net/http: support Cookie "SameSite" attribute #15867

haoxins opened this Issue May 28, 2016 · 4 comments



hkeide commented Jun 4, 2016

Since this is already supported in Chrome 51, and it won't be in Go for a while yet, here is a simple workaround (tested to work in Chrome 51):

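```go
// Get returns only the first Set-Cookie value and Set replaces every
// Set-Cookie header, so this applies when exactly one cookie has been set.
cs := w.Header().Get("Set-Cookie")
cs += "; SameSite=lax"
w.Header().Set("Set-Cookie", cs)
```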
@quentinmit quentinmit added this to the Unplanned milestone Jun 17, 2016
@bradfitz bradfitz changed the title from http/cookie: support same-site attribute to net/http: support Cookie "SameSite" attribute Jun 25, 2016

This seems trivial, but it also seems like we should wait until there's more web consensus. Chrome can pull or modify support, but our Go 1 compatibility promise is stronger. It would be unfortunate if we added a SameSite bool field to net/http.Cookie and then they renamed it yet again before it became fully standardized.


SameSite would probably need to be a const (Strict, Lax).

Would it make sense to serialize Cookie.Unparsed into the cookie string? Then I can just set Unparsed: []string {"SameSite=Strict"},.
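An added example, not part of the thread or of the Go project's code: the header-append workaround from the first comment, generalised so that it covers every `Set-Cookie` header on the response and skips cookies that already carry a `SameSite` attribute. The helper names `hasSameSite`, `addSameSite` and `demo` and the cookie values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hasSameSite reports whether a serialized Set-Cookie value already carries
// a SameSite attribute. Attribute names are matched case-insensitively.
func hasSameSite(setCookie string) bool {
	// Element 0 is the name=value pair, so only the attributes are checked.
	for _, attr := range strings.Split(setCookie, ";")[1:] {
		name := strings.SplitN(strings.TrimSpace(attr), "=", 2)[0]
		if strings.EqualFold(name, "SameSite") {
			return true
		}
	}
	return false
}

// addSameSite appends "; SameSite=<mode>" to every Set-Cookie header in h
// that lacks one and returns how many headers it changed.
// Hypothetical helper for this example; mode is "Lax" or "Strict".
func addSameSite(h http.Header, mode string) int {
	changed := 0
	cookies := h["Set-Cookie"] // shares its backing array with the header map
	for i, c := range cookies {
		if !hasSameSite(c) {
			cookies[i] = c + "; SameSite=" + mode
			changed++
		}
	}
	return changed
}

// demo builds a constructed response with two cookies and returns the
// Set-Cookie headers after rewriting.
func demo() []string {
	w := httptest.NewRecorder()
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "abc", HttpOnly: true})
	w.Header().Add("Set-Cookie", "csrf=xyz; samesite=strict") // already set: left alone
	addSameSite(w.Header(), "Lax")
	return w.Header()["Set-Cookie"]
}

func main() {
	fmt.Println(strings.Join(demo(), "\n"))
}
```

Call `addSameSite(w.Header(), ...)` after all cookies are set and before the handler writes the response body, since headers cannot be changed once they have been sent.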

@Unknwon Unknwon referenced this issue in gogits/gogs Feb 14, 2017

Cookie security #3525

2 of 6 tasks complete