Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: net/http: add constant for samesite cookie mode #39609

Open
pjediny opened this issue Jun 16, 2020 · 5 comments · May be fixed by #39610
Open

proposal: net/http: add constant for samesite cookie mode #39609

pjediny opened this issue Jun 16, 2020 · 5 comments · May be fixed by #39610
Labels
Milestone

Comments

@pjediny
Copy link
Contributor

@pjediny pjediny commented Jun 16, 2020

What version of Go are you using (go version)?

$ go version
go version go1.14.4 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

not relevant

What did you do?

I wanted to specify cookie samesite mode that would indicate cookie without a samesite attribute while implementing ory/hydra#1908 that requires cookie without any samesite attribute.

What did you expect to see?

I expected to find the samesite mode const with such behavior in the net/http package

What did you see instead?

I had to use unnamed magic constant (0)

@pjediny pjediny linked a pull request that will close this issue Jun 16, 2020
@davecheney
Copy link
Contributor

@davecheney davecheney commented Jun 16, 2020

Why do we need a constant that has the same value as the zero value for that type? Why does explicitly saying "the thing isn't set" improve over just not setting it?

@gopherbot
Copy link

@gopherbot gopherbot commented Jun 16, 2020

Change https://golang.org/cl/237998 mentions this issue: net/http: add SameSiteUnsetMode const

@pjediny
Copy link
Contributor Author

@pjediny pjediny commented Jun 16, 2020

@davecheney In my opinion it mainly improves code readability in some situations. The behavior is already there, but the name is not, so to invoke such behavior I need to pass 0.

For example you can have a configuration with SameSite mode and you don't want to have multiple ways to construct a cookie (with or without the samesite attribute). For example see the ory/hydra#1908 commit.

@davecheney
Copy link
Contributor

@davecheney davecheney commented Jun 16, 2020

Thanks for the example. That API is pretty hard to use correctly, especially as there is no safe default for that parameter. Changing Go might be a solution to that, but there might be others which would lead to a more usable API.

@pjediny
Copy link
Contributor Author

@pjediny pjediny commented Jun 17, 2020

@davecheney Agreed, the cookie samesite API is hard to use and one of the small problems is that there is behavior that does not have a name, yet it is used. The other is that SameSiteDefaultMode is a name confusing people, as the mode is not a safe default, nor default, nor safe. The first one is easy to fix, but I'm not sure how to fix the other one without breaking the compatibility. You suggest there might be other ways to enhance the API, can you be more specific?

@andybons andybons changed the title net/http: missing constant for samesite cookie mode proposal: net/http: add constant for samesite cookie mode Jun 17, 2020
@gopherbot gopherbot added this to the Proposal milestone Jun 17, 2020
@gopherbot gopherbot added the Proposal label Jun 17, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants
You can’t perform that action at this time.