net/http: make SameSiteDefaultMode behavior match the specification
authorRoberto Clapis <roberto@golang.org>
Tue, 22 Sep 2020 15:57:06 +0000 (17:57 +0200)
committerRoberto Clapis <roberto@golang.org>
Thu, 8 Oct 2020 08:53:13 +0000 (08:53 +0000)
The current specification does not foresee a SameSite attribute without
a value. While the existing implementation would serialize SameSite in a
way that would likely be ignored by well-implemented clients, it is
better not to rely on this kind of quirk.

Specification: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1

Fixes #36990

Change-Id: Ie51152741d7e84bab64d3e4e4f780286932acbde
Reviewed-on: https://go-review.googlesource.com/c/go/+/256498
Trust: Roberto Clapis <roberto@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
doc/go1.16.html
src/net/http/cookie.go
src/net/http/cookie_test.go

index 2962448742f9ecf60fc70efff5aaf6723167aff1..720acc757a67e40d3c651a39691a2fef881fe5b3 100644 (file)
@@ -286,6 +286,11 @@ Do not send CLs removing the interior tags from such phrases.
      of the form <code>"Range": "bytes=--N"</code> where <code>"-N"</code> is a negative suffix length, for
      example <code>"Range": "bytes=--2"</code>. It now replies with a <code>416 "Range Not Satisfiable"</code> response.
     </p>
+
+    <p><!-- CL 256498, golang.org/issue/36990 -->
+    Cookies set with <code>SameSiteDefaultMode</code> now behave according to the current
+    spec (no attribute is set) instead of generating a SameSite key without a value.
+    </p>
   </dd>
 </dl><!-- net/http -->
 
index d7a8f5e94e56ea7557461100ec8c7e12b61d0fa7..141bc947f6e960f327045895896d1321027b6075 100644 (file)
@@ -220,7 +220,7 @@ func (c *Cookie) String() string {
        }
        switch c.SameSite {
        case SameSiteDefaultMode:
-               b.WriteString("; SameSite")
+               // Skip, default mode is obtained by not emitting the attribute.
        case SameSiteNoneMode:
                b.WriteString("; SameSite=None")
        case SameSiteLaxMode:
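Review bot: The new comment in the `SameSiteDefaultMode` case says the attribute is skipped but not what policy the cookie ends up with. With nothing emitted, the cookie gets whatever same-site treatment the receiving client applies to cookies that carry no attribute, and that is not uniform across clients, so a caller choosing this mode does not get a fixed level of cross-site protection. I would say so in place, e.g. `// Emit nothing: the client's own default applies and differs between clients; use SameSiteLaxMode or SameSiteStrictMode when cross-site protection is required.`, and mirror it in the doc comment on the constant, which is outside this hunk. The switch in String() continues past the hunk's last line.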
index 9e8196ebce0f517883e26e4bbfea1e81f08b2606..959713a0dcf0a092e9cde35824517f89cecbb303 100644 (file)
@@ -67,7 +67,7 @@ var writeSetCookiesTests = []struct {
        },
        {
                &Cookie{Name: "cookie-12", Value: "samesite-default", SameSite: SameSiteDefaultMode},
-               "cookie-12=samesite-default; SameSite",
+               "cookie-12=samesite-default",
        },
        {
                &Cookie{Name: "cookie-13", Value: "samesite-lax", SameSite: SameSiteLaxMode},
@@ -282,6 +282,15 @@ var readSetCookiesTests = []struct {
                        Raw:      "samesitedefault=foo; SameSite",
                }},
        },
+       {
+               Header{"Set-Cookie": {"samesiteinvalidisdefault=foo; SameSite=invalid"}},
+               []*Cookie{{
+                       Name:     "samesiteinvalidisdefault",
+                       Value:    "foo",
+                       SameSite: SameSiteDefaultMode,
+                       Raw:      "samesiteinvalidisdefault=foo; SameSite=invalid",
+               }},
+       },
        {
                Header{"Set-Cookie": {"samesitelax=foo; SameSite=Lax"}},
                []*Cookie{{
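Review bot: The added `samesiteinvalidisdefault` case pins the fallback for an unrecognized SameSite value, but nothing in the table records that the fallback is deliberate or what it implies together with the String() change in cookie.go. A cookie read with `SameSite=invalid` and then written back out now carries no SameSite attribute at all, and the original text survives only in `Raw`. A one-line comment above the case would capture that, e.g. `// Unrecognized SameSite values parse as SameSiteDefaultMode; String() then emits no attribute.` A round-trip case for this input would guard against a regression on either side; the table continues outside the hunk, so one may already exist.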