net/http: add support for SameSite=None

Section 4.2 of the Internet-Draft for SameSite includes the possible
SameSite value of "None".

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00

Change-Id: I44f246024429ec175db13ff6b36bee465f3d233d
GitHub-Last-Rev: 170d24aaca4f00d750fca88740100f7c0b440d19
GitHub-Pull-Request: golang/go#31842
Reviewed-on: https://go-review.googlesource.com/c/go/+/175337
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/api/next.txt b/api/next.txt
index f671a36b4c291df21e7bc007b737644c0a6cfeec..d0feb7cd77a415ef5bc1ac8a000543ab5cba9d3a 100644 (file)
--- a/api/next.txt
+++ b/api/next.txt
@@ -180,6 +180,8 @@ pkg net, type ListenConfig struct, KeepAlive time.Duration
 pkg net/http, const StatusEarlyHints = 103
 pkg net/http, const StatusEarlyHints ideal-int
 pkg net/http, method (Header) Clone() Header
+pkg net/http, const SameSiteNoneMode = 4
+pkg net/http, const SameSiteNoneMode SameSite
 pkg net/http, type Server struct, BaseContext func(net.Listener) context.Context
 pkg net/http, type Server struct, ConnContext func(context.Context, net.Conn) context.Context
 pkg net/http, type Transport struct, ForceAttemptHTTP2 bool

diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go
index fd8c71c645cd95e4434c4553905f8f5b3d7b5acf..91ff544e79f2b558ef952362c6dc01476df469b3 100644 (file)
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@@ -48,6 +48,7 @@ const (
        SameSiteDefaultMode SameSite = iota + 1
        SameSiteLaxMode
        SameSiteStrictMode
+       SameSiteNoneMode
 )
 
 // readSetCookies parses all "Set-Cookie" values from
@@ -105,6 +106,8 @@ func readSetCookies(h Header) []*Cookie {
                                        c.SameSite = SameSiteLaxMode
                                case "strict":
                                        c.SameSite = SameSiteStrictMode
+                               case "none":
+                                       c.SameSite = SameSiteNoneMode
                                default:
                                        c.SameSite = SameSiteDefaultMode
                                }
@@ -217,6 +220,8 @@ func (c *Cookie) String() string {
        switch c.SameSite {
        case SameSiteDefaultMode:
                b.WriteString("; SameSite")
+       case SameSiteNoneMode:
+               b.WriteString("; SameSite=None")
        case SameSiteLaxMode:
                b.WriteString("; SameSite=Lax")
        case SameSiteStrictMode:

diff --git a/src/net/http/cookie_test.go b/src/net/http/cookie_test.go
index bfaea46f8ca401ddcac9f72e08f1c7eb316dad32..9e8196ebce0f517883e26e4bbfea1e81f08b2606 100644 (file)
--- a/src/net/http/cookie_test.go
+++ b/src/net/http/cookie_test.go
@@ -77,6 +77,10 @@ var writeSetCookiesTests = []struct {
                &Cookie{Name: "cookie-14", Value: "samesite-strict", SameSite: SameSiteStrictMode},
                "cookie-14=samesite-strict; SameSite=Strict",
        },
+       {
+               &Cookie{Name: "cookie-15", Value: "samesite-none", SameSite: SameSiteNoneMode},
+               "cookie-15=samesite-none; SameSite=None",
+       },
        // The "special" cookies have values containing commas or spaces which
        // are disallowed by RFC 6265 but are common in the wild.
        {
@@ -296,6 +300,15 @@ var readSetCookiesTests = []struct {
                        Raw:      "samesitestrict=foo; SameSite=Strict",
                }},
        },
+       {
+               Header{"Set-Cookie": {"samesitenone=foo; SameSite=None"}},
+               []*Cookie{{
+                       Name:     "samesitenone",
+                       Value:    "foo",
+                       SameSite: SameSiteNoneMode,
+                       Raw:      "samesitenone=foo; SameSite=None",
+               }},
+       },
        // Make sure we can properly read back the Set-Cookie headers we create
        // for values containing spaces or commas:
        {