proposal: net/http: add constant for samesite cookie mode #39609
Comments
Why do we need a constant that has the same value as the zero value for that type? Why does explicitly saying "the thing isn't set" improve over just not setting it? |
Change https://golang.org/cl/237998 mentions this issue: |
@davecheney In my opinion it mainly improves code readability in some situations. The behavior is already there, but the name is not, so to invoke such behavior I need to pass 0. For example you can have a configuration with SameSite mode and you don't want to have multiple ways to construct a cookie (with or without the samesite attribute). For example see the ory/hydra#1908 commit. |
Thanks for the example. That API is pretty hard to use correctly, especially as there is no safe default for that parameter. Changing Go might be a solution to that, but there might be others which would lead to a more usable API. |
@davecheney Agreed, the cookie samesite API is hard to use and one of the small problems is that there is behavior that does not have a name, yet it is used. The other is that |
I'm a bit confused about SameSiteUnsetMode vs SameSiteDefaultMode vs SameSiteNoneMode. Also, based on the change made for #36990, the proposed SameSiteUnsetMode would be exactly the same as SameSiteDefaultMode, which is even more confusing. It's unfortunate that we now have 0 and 1 meaning the same thing, but since 1 has a name, it seems like we should leave it there and not name 0 as well. If you want to be explicit about nothing happening, you can use the named 1 instead of a named 0. |
@rsc Yes, the names are confusing, I'm currently discussing the changes for #36990. @FiloSottile proposed instead of The idea is to revert the #36990 change and deprecate the |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (
go env
)?not relevant
What did you do?
I wanted to specify cookie samesite mode that would indicate cookie without a samesite attribute while implementing ory/hydra#1908 that requires cookie without any samesite attribute.
What did you expect to see?
I expected to find the samesite mode const with such behavior in the net/http package
What did you see instead?
I had to use unnamed magic constant (0)
The text was updated successfully, but these errors were encountered: