x/website: 1.20 release notes should mention updated cookie validation

[wfernandes]

What version of Go are you using (go version)?

$ go version
go version go1.19.5 darwin/arm64

Does this issue reproduce with the latest release?

Yes. This issue is a difference in behavior between go1.19.5 and go 1.20

What operating system and processor architecture are you using (go env)?

go env Trimmed Output

$ go env
GO111MODULE=""
GOARCH="arm64"
GOBIN=""
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="arm64"
GOHOSTOS="darwin"
GOINSECURE=""
GOOS="darwin"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/homebrew/Cellar/go/1.19.5/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/homebrew/Cellar/go/1.19.5/libexec/pkg/tool/darwin_arm64"
GOVCS=""
GOVERSION="go1.19.5"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/34/g9npzgvx7fd1b09b88ljtdtw0000gn/T/go-build2978260838=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

package main

import (
	"fmt"
	"net/http"
)

func main() {

	c := &http.Cookie{Name: "valid"}
	if err := c.Valid(); err != nil {
		fmt.Println(err.Error())
		return
	}
	fmt.Println("valid cookie")
}

https://go.dev/play/p/Epzlq8U-v_N

Upon running the above example code in go1.20 we get the output of valid cookie however when we switch to the previous minor version go1.19, we get the error http: invalid Cookie.Expires.

What did you expect to see?

I expected to see the same behavior between versions since this behavior was not explicitly documented in the go1.20 release notes for net/http.

What did you see instead?

I saw a difference in behavior.
In go1.20 we check Cookie.Expires.IsZero however in go1.19 we don't perform that additional check.
https://github.com/golang/go/blob/release-branch.go1.20/src/net/http/cookie.go#L250
vs.
https://github.com/golang/go/blob/release-branch.go1.19/src/net/http/cookie.go#L249

[wfernandes]

Just to be clear, I think the go1.20 version does have the better behavior and I prefer it TBH. However, it would be nice to see the change documented in the go1.20 release notes if possible. Thanks.

[0xmohit]

Related: #52989

[seankhliao]

feel free to send a CL

[wfernandes]

@seankhliao Thanks for the feedback. I would love to make a CL! Could you point me to the repository where I could make this documentation change?

[seankhliao]

https://go.googlesource.com/website/+/refs/heads/master/_content/doc/go1.20.html

[prattmic]

cc @amitsaha @neild

[wfernandes]

@prattmic @seankhliao I created the above PR/CL to update the go1.20 release notes. Please let me know if there are any changes that are needed.

[wfernandes]

I think this issue can be closed since golang/website#193 has been merged.
Also see https://go-review.googlesource.com/c/website/+/468716.

Thanks for the help and direction.