net/http: make SameSiteDefaultMode behavior match the specification

The current specification does not foresee a SameSite attribute without a value. While the existing implementation would serialize SameSite in a way that would likely be ignored by well-impelemented clients, it is better to not rely on this kind of quirks. Specification: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1 Fixes #36990 Change-Id: Ie51152741d7e84bab64d3e4e4f780286932acbde Reviewed-on: https://go-review.googlesource.com/c/go/+/256498 Trust: Roberto Clapis <roberto@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org>
2024-11-11 21:10:21 -07:00 · 2020-09-22 17:57:06 +02:00 · 2020-09-22 17:57:06 +02:00 · 542693e005
commit 542693e005
parent 5d1378143b
3 changed files with 16 additions and 2 deletions
--- a/doc/go1.16.html
+++ b/doc/go1.16.html
@ -286,6 +286,11 @@ Do not send CLs removing the interior tags from such phrases.
     of the form <code>"Range": "bytes=--N"</code> where <code>"-N"</code> is a negative suffix length, for
     example <code>"Range": "bytes=--2"</code>. It now replies with a <code>416 "Range Not Satisfiable"</code> response.
    </p>
+
+    <p><!-- CL 256498, golang.org/issue/36990 -->
+    Cookies set with <code>SameSiteDefaultMode</code> now behave according to the current
+    spec (no attribute is set) instead of generating a SameSite key without a value.
+    </p>
  </dd>
 </dl><!-- net/http -->

--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@ -220,7 +220,7 @@ func (c *Cookie) String() string {
 	}
 	switch c.SameSite {
 	case SameSiteDefaultMode:
-		b.WriteString("; SameSite")
+		// Skip, default mode is obtained by not emitting the attribute.
 	case SameSiteNoneMode:
 		b.WriteString("; SameSite=None")
 	case SameSiteLaxMode:
--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@ -67,7 +67,7 @@ var writeSetCookiesTests = []struct {
 	},
 	{
 		&Cookie{Name: "cookie-12", Value: "samesite-default", SameSite: SameSiteDefaultMode},
-		"cookie-12=samesite-default; SameSite",
+		"cookie-12=samesite-default",
 	},
 	{
 		&Cookie{Name: "cookie-13", Value: "samesite-lax", SameSite: SameSiteLaxMode},
@ -282,6 +282,15 @@ var readSetCookiesTests = []struct {
 			Raw:      "samesitedefault=foo; SameSite",
 		}},
 	},
+	{
+		Header{"Set-Cookie": {"samesiteinvalidisdefault=foo; SameSite=invalid"}},
+		[]*Cookie{{
+			Name:     "samesiteinvalidisdefault",
+			Value:    "foo",
+			SameSite: SameSiteDefaultMode,
+			Raw:      "samesiteinvalidisdefault=foo; SameSite=invalid",
+		}},
+	},
 	{
 		Header{"Set-Cookie": {"samesitelax=foo; SameSite=Lax"}},
 		[]*Cookie{{