cybercyst/go
1
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-05-18 22:04:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

net/http: make SameSiteDefaultMode behavior match the specification

Browse Source 
The current specification does not foresee a SameSite attribute without
a value. While the existing implementation would serialize SameSite in a
way that would likely be ignored by well-impelemented clients, it is
better to not rely on this kind of quirks.

Specification: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1

Fixes #36990

Change-Id: Ie51152741d7e84bab64d3e4e4f780286932acbde
Reviewed-on: https://go-review.googlesource.com/c/go/+/256498
Trust: Roberto Clapis <roberto@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
Roberto Clapis 2020-09-22 17:57:06 +02:00
parent 5d1378143b
commit 542693e005
3 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/go1.16.html
View File

@ -286,6 +286,11 @@ Do not send CLs removing the interior tags from such phrases.
of the form <code>"Range": "bytes=--N"</code> where <code>"-N"</code> is a negative suffix length, for of the form <code>"Range": "bytes=--N"</code> where <code>"-N"</code> is a negative suffix length, for
example <code>"Range": "bytes=--2"</code>. It now replies with a <code>416 "Range Not Satisfiable"</code> response. example <code>"Range": "bytes=--2"</code>. It now replies with a <code>416 "Range Not Satisfiable"</code> response.
</p> </p>
<p><!-- CL 256498, golang.org/issue/36990 -->
Cookies set with <code>SameSiteDefaultMode</code> now behave according to the current
spec (no attribute is set) instead of generating a SameSite key without a value.
</p>
</dd> </dd>
</dl><!-- net/http --> </dl><!-- net/http -->

2
src/net/http/cookie.go
View File

@ -220,7 +220,7 @@ func (c *Cookie) String() string {
} }
switch c.SameSite { switch c.SameSite {
case SameSiteDefaultMode: case SameSiteDefaultMode:
b.WriteString("; SameSite") // Skip, default mode is obtained by not emitting the attribute.
case SameSiteNoneMode: case SameSiteNoneMode:
b.WriteString("; SameSite=None") b.WriteString("; SameSite=None")
case SameSiteLaxMode: case SameSiteLaxMode:

11
src/net/http/cookie_test.go
View File

@ -67,7 +67,7 @@ var writeSetCookiesTests = []struct {
}, },
{ {
&Cookie{Name: "cookie-12", Value: "samesite-default", SameSite: SameSiteDefaultMode}, &Cookie{Name: "cookie-12", Value: "samesite-default", SameSite: SameSiteDefaultMode},
"cookie-12=samesite-default; SameSite", "cookie-12=samesite-default",
}, },
{ {
&Cookie{Name: "cookie-13", Value: "samesite-lax", SameSite: SameSiteLaxMode}, &Cookie{Name: "cookie-13", Value: "samesite-lax", SameSite: SameSiteLaxMode},
@ -282,6 +282,15 @@ var readSetCookiesTests = []struct {
Raw: "samesitedefault=foo; SameSite", Raw: "samesitedefault=foo; SameSite",
}}, }},
}, },
{
Header{"Set-Cookie": {"samesiteinvalidisdefault=foo; SameSite=invalid"}},
[]*Cookie{{
Name: "samesiteinvalidisdefault",
Value: "foo",
SameSite: SameSiteDefaultMode,
Raw: "samesiteinvalidisdefault=foo; SameSite=invalid",
}},
},
{ {
Header{"Set-Cookie": {"samesitelax=foo; SameSite=Lax"}}, Header{"Set-Cookie": {"samesitelax=foo; SameSite=Lax"}},
[]*Cookie{{ []*Cookie{{