proposal: net/http: support partitioned cookies #62490

Open
islishude opened this issue Sep 7, 2023 · 11 comments · May be fixed by #62499

@islishude

islishude commented Sep 7, 2023

Since Chrome drops support for SameSite=None cookies, aka third-party cookies, the net/http package needs to add a Partitioned field to the Cookie type, and add a deprecation message for SameSiteNoneMode.

ref:

https://developer.chrome.com/docs/privacy-sandbox/third-party-cookie-phase-out/

@gopherbot gopherbot added this to the Proposal milestone Sep 7, 2023
@ianlancetaylor
Contributor

CC @neild @bradfitz

It would help a lot if you could say more about exactly what should change in the Go package. Thanks.

@islishude islishude changed the title proposal: net/http: deprecated SameSite=None cookies and add partitioned cookies proposal: net/http: deprecated third-party cookies and add partitioned cookies Sep 7, 2023
@islishude
Author

Sure, updated.

islishude added a commit to islishude/go that referenced this issue Sep 7, 2023
@islishude islishude linked a pull request Sep 7, 2023 that will close this issue
@gopherbot

Change https://go.dev/cl/526435 mentions this issue: net/http: add paritioned attribute to cookie type

@neild
Contributor

neild commented Sep 7, 2023

We don't want a deprecation notice on SameSiteNoneMode. Browsers may not support it, but the net/http package should support sending SameSite=None if the user wants to.

Also, partitioned cookies use SameSite=None, so browsers haven't actually deprecated this value.

Adding a Partitioned field to http.Cookie seems reasonable:

type Cookie struct {
  // contains existing fields
  Partitioned bool
}
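Added example, not part of this thread or of the Go project's code: one way a server can emit the attribute discussed above without relying on a Partitioned field, by appending it to the output of Cookie.String after checking the attributes it depends on. The helper names, cookie name and value are constructed for illustration; the Secure check reflects the browser requirement that Partitioned cookies be Secure, and the SameSite=None check is this example's own policy.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// partitionedSetCookie returns a Set-Cookie header value for c with the
// Partitioned attribute appended. Hypothetical helper, not part of net/http.
func partitionedSetCookie(c *http.Cookie) (string, error) {
	if !c.Secure {
		// Browsers reject Partitioned cookies that lack Secure.
		return "", errors.New("partitioned cookie must set Secure")
	}
	if c.SameSite != http.SameSiteNoneMode {
		// Policy of this example: the cookie is meant for embedded
		// (cross-site) use, which needs SameSite=None.
		return "", errors.New("partitioned cookie must use SameSite=None")
	}
	s := c.String() // empty when the cookie name is invalid
	if s == "" {
		return "", errors.New("invalid cookie")
	}
	if hasAttr(s, "Partitioned") {
		return s, nil // already emitted by the standard library
	}
	return s + "; Partitioned", nil
}

// hasAttr reports whether a Set-Cookie value carries the valueless attribute.
func hasAttr(setCookie, attr string) bool {
	parts := strings.Split(setCookie, ";")
	for _, p := range parts[1:] { // parts[0] is name=value
		if strings.EqualFold(strings.TrimSpace(p), attr) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample cookie.
	c := &http.Cookie{Name: "__Host-chat", Value: "constructed-sample", Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteNoneMode}
	v, err := partitionedSetCookie(c)
	fmt.Println(v, err)
}
```

In a handler, pass the returned string to w.Header().Add("Set-Cookie", v) instead of calling http.SetCookie.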

islishude added a commit to islishude/go that referenced this issue Sep 8, 2023
Fixes golang#62490

net/http: fix test case for TestCookieValid

net/http: add missing continue for readSetCookies
@islishude
Author

@neild I agree with you. My PR just adds a note for the SameSiteNoneMode.

@seankhliao seankhliao changed the title proposal: net/http: deprecated third-party cookies and add partitioned cookies proposal: net/http: support partitioned cookies Sep 10, 2023
@iamdlfl

iamdlfl commented Oct 31, 2023

Any updates on this proposal? It would be useful for something I'm trying to work on.

@gregwebs

gregwebs commented Nov 3, 2023

What more needs to be done to have this proposal accepted? The associated commit explains the changes clearly.

@nightlyone
Contributor

Supporting the partitioned cookie attribute without actually implementing the cookie jar changes implementing the semantics of the partitioning this attribute signals sounds at least incomplete or even dangerous from a security perspective to me.

So a more complete proposal should outline the full semantics and amount of changes to implement the support. Not only the encoding and decoding, but also creating the key to address the cookie jar elements and storing as well as accessing them in http.Client.Jar to reap all the benefits of such cookies.

@islishude
Author

> but also creating the key to address the cookie jar elements and storing as well as accessing them in http.Client.Jar to reap all the benefits of such cookies.

I can't understand why it's related to http.Client.Jar.

The cookies could be parsed by the http.readSetCookies function.

@gregwebs

This proposal implements server-side support. Client-side support is intended for browsers to block cross-site tracking. It's unclear if this use case would be meaningful for a Go HTTP client. If someone made an end user web browser in Go there is a lot they would have to add on to the existing http client such as this and CORS.

@islishude
Author

I think it's not feasible to add it to http.Client.Jar.


In the example above where https://support.chat.example is embedded on https://retail.example, the top-level URL is https://retail.example. https://developer.chrome.com/docs/privacy-sandbox/chips/

There should be no scenes like the above in the Go http client.
