Join GitHub today
net/http: SameSiteDefaultMode adds an incorrect 'Set-Cookie' attribute #36990
This is handled by code here:
On older versions of chrome, this results in the cookie being dropped entirely.
The draft specification for same-site makes it clear now that dropping the entire cookie is incorrect, but previously it implied this was correct behavior, so I wouldn't be surprised if this issue existed elsewhere too.
If the current draft spec is implemented correctly,
It seems a bit silly to include an option in the http library to generate an invalid cookie attribute which the browser should just ignore.
The 2 solutions that make sense to me are the following:
I think option 2 ends up most closely matching what people would expect
I've reverted the title change because
No matter what version of the spec we're going off,
I took a look at https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-3.1
As you can see a single "SameSite" was okay.
But you are right it seems as if this was changed in https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1 :
So it does matter which spec we try to implement.
Is far as I understand the Chromium sources and the spec 6265bis-05 a "naked"
So we a) should document the issue with SameSiteDefaultMode but b) we do not need to change how SameSiteDefaultMode is serialized (as it will be treated as None).
Yeah, that version sorta implies it's okay, but then section 4.1 makes it clear that it expects a
I think overall what you've said makes sense, though with two additional caveats:
The reason I became aware of this issue in the first place is that we had users that ran into cookie issues with our site due to an incidental use of
Because of the above, it seems like serializing it as nothing, rather than as
I think the best thing to do is add a comment indicating you should never use that const, and should rather use
I'm happy to open a CR for that if it sounds good.