go: net/http: SameSiteDefaultMode adds an incorrect 'Set-Cookie' attribute

Problem

Currently, http.SameSite offers the http.SameSiteDefaultMode option.

This is handled by code here:

https://github.com/golang/go/blob/07ccdeb1927c77ede1d56ac6f1c1871183761ea4/src/net/http/cookie.go#L220-L229

For SameSiteDefaultMode, it adds SameSite (as a bare key, no =, no value) to the cookie.

On older versions of chrome, this results in the cookie being dropped entirely.

The draft specification for same-site makes it clear now that dropping the entire cookie is incorrect, but previously it implied this was correct behavior, so I wouldn’t be surprised if this issue existed elsewhere too.

If the current draft spec is implemented correctly, SameSite would be parsed as an unrecognised value, and would then result in the samesite attribute it being ignored entirely (that is to say, being treated the same as http.SameSite(0) where nothing is added to the Set-Cookie header).

It seems a bit silly to include an option in the http library to generate an invalid cookie attribute which the browser should just ignore.

Possible Solutions

The 2 solutions that make sense to me are the following:

Do nothing. We can document this possible issue with SameSiteDefaultMode and recommend not using it at all.
Have SameSiteDefaultMode be the same as http.SameSite(0), where no SameSite attribute is included at all (which causes the browser to default to None or Lax, depending on version/browser).

I think option 2 ends up most closely matching what people would expect SameSiteDefaultMode to do. Technically it’s a backwards incompatible change, which is the only reason I think we may wish to go with option 1 instead.

About this issue

Original URL
State: closed
Created 4 years ago
Comments: 30 (28 by maintainers)

Commits related to this issue

Updated default same site behaviour to not write SameSite attribute to cookie at all. See https://github.com/golang/go/issues/36990 — committed to jbwtan/vouch-proxy by jbwtan 4 years ago
Updated default same site behaviour to not write SameSite attribute to cookie at all. See https://github.com/golang/go/issues/36990 — committed to vouch/vouch-proxy by jbwtan 4 years ago

Most upvoted comments

Thank you and I hope I did not waste too much of your time.

You definitely didn’t waste anyone’s time, thank you for the discussion, it helped make sure we all understood what was going on, even if we did not end up agreeing on the exact same outcome.

FiloSottile on Dec 9, 2020

‘Lax’ on some browsers (newer chrome/ff I think), ‘None’ on other browsers (older chrome/ff), ‘strict’ on other browsers (apparently ios), and silently drop the cookie on yet other browsers (some older chrome/android)

I don’t see why anyone would ever want this behavior, and I don’t think we need to support it.

We should definitely update the spec reference in the docs.

Deprecating SameSiteDefaultMode is also a good idea, but we are not going to remove it. Deprecation is how we tell applications they need to actively move away from something.

A name for the zero value also sounds good. I’d call it SameSiteUnset, without Mode.

When parsing we should do what modern browsers do. What is that?

FiloSottile on Oct 16, 2020