MaxAge int
Secure bool
HttpOnly bool
+ SameSite SameSite
Raw string
Unparsed []string // Raw text of unparsed attribute-value pairs
}
+// SameSite allows a server define a cookie attribute making it impossible to
+// the browser send this cookie along with cross-site requests. The main goal
+// is mitigate the risk of cross-origin information leakage, and provides some
+// protection against cross-site request forgery attacks.
+//
+// See https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 for details.
+type SameSite int
+
+const (
+ SameSiteDefaultMode SameSite = iota + 1
+ SameSiteLaxMode
+ SameSiteStrictMode
+)
+
// readSetCookies parses all "Set-Cookie" values from
// the header h and returns the successfully parsed Cookies.
func readSetCookies(h Header) []*Cookie {
continue
}
switch lowerAttr {
+ case "samesite":
+ lowerVal := strings.ToLower(val)
+ switch lowerVal {
+ case "lax":
+ c.SameSite = SameSiteLaxMode
+ case "strict":
+ c.SameSite = SameSiteStrictMode
+ default:
+ c.SameSite = SameSiteDefaultMode
+ }
+ continue
case "secure":
c.Secure = true
continue
if c.Secure {
b.WriteString("; Secure")
}
+ switch c.SameSite {
+ case SameSiteDefaultMode:
+ b.WriteString("; SameSite")
+ case SameSiteLaxMode:
+ b.WriteString("; SameSite=Lax")
+ case SameSiteStrictMode:
+ b.WriteString("; SameSite=Strict")
+ }
return b.String()
}
&Cookie{Name: "cookie-11", Value: "invalid-expiry", Expires: time.Date(1600, 1, 1, 1, 1, 1, 1, time.UTC)},
"cookie-11=invalid-expiry",
},
+ {
+ &Cookie{Name: "cookie-12", Value: "samesite-default", SameSite: SameSiteDefaultMode},
+ "cookie-12=samesite-default; SameSite",
+ },
+ {
+ &Cookie{Name: "cookie-13", Value: "samesite-lax", SameSite: SameSiteLaxMode},
+ "cookie-13=samesite-lax; SameSite=Lax",
+ },
+ {
+ &Cookie{Name: "cookie-14", Value: "samesite-strict", SameSite: SameSiteStrictMode},
+ "cookie-14=samesite-strict; SameSite=Strict",
+ },
// The "special" cookies have values containing commas or spaces which
// are disallowed by RFC 6265 but are common in the wild.
{
Raw: "ASP.NET_SessionId=foo; path=/; HttpOnly",
}},
},
+ {
+ Header{"Set-Cookie": {"samesitedefault=foo; SameSite"}},
+ []*Cookie{{
+ Name: "samesitedefault",
+ Value: "foo",
+ SameSite: SameSiteDefaultMode,
+ Raw: "samesitedefault=foo; SameSite",
+ }},
+ },
+ {
+ Header{"Set-Cookie": {"samesitelax=foo; SameSite=Lax"}},
+ []*Cookie{{
+ Name: "samesitelax",
+ Value: "foo",
+ SameSite: SameSiteLaxMode,
+ Raw: "samesitelax=foo; SameSite=Lax",
+ }},
+ },
+ {
+ Header{"Set-Cookie": {"samesitestrict=foo; SameSite=Strict"}},
+ []*Cookie{{
+ Name: "samesitestrict",
+ Value: "foo",
+ SameSite: SameSiteStrictMode,
+ Raw: "samesitestrict=foo; SameSite=Strict",
+ }},
+ },
// Make sure we can properly read back the Set-Cookie headers we create
// for values containing spaces or commas:
{