authorStephan Renatus <srenatus@chef.io>2017-11-27 12:41:10 +0100
committerBrad Fitzpatrick <bradfitz@golang.org>2018-07-09 19:58:29 +0000
commit3d5703babe9c5344252db3fb8e96f20cd036535a (patch)
tree9cebc822e60592dbde785bcb3fe3f390f1160f12 /src/net/http/cookie.go
parent4da84adc0c55d92f20b761d24a6ec0508e55dc7c (diff)
net/http: add support for SameSite option in http.Cookie
The same-site cookie attribute prevents a cookie from being sent along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage and to provide some protection against cross-site request forgery attacks. This change adds the option to http.Cookie so it can be stored and passed to HTTP clients. Spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 Fixes #15867 Based on https://github.com/reedloden/go/commit/eb31a0f063c80058bbb3abff4ca09b3565985500 by Reed Loden <reed@hackerone.com> Change-Id: I98c8a9a92358b2f632990576879759e3aff38cff Reviewed-on: https://go-review.googlesource.com/79919 Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src/net/http/cookie.go')
-rw-r--r--src/net/http/cookie.go34
1 files changed, 34 insertions, 0 deletions
diff --git a/src/net/http/cookie.go b/src/net/http/cookie.go
index 09b8974862..b1a6cef6f7 100644
--- a/src/net/http/cookie.go
+++ b/src/net/http/cookie.go
@@ -31,10 +31,25 @@ type Cookie struct {
MaxAge int
Secure bool
HttpOnly bool
+ SameSite SameSite
Raw string
Unparsed []string // Raw text of unparsed attribute-value pairs
}
+// SameSite allows a server define a cookie attribute making it impossible to
+// the browser send this cookie along with cross-site requests. The main goal
+// is mitigate the risk of cross-origin information leakage, and provides some
+// protection against cross-site request forgery attacks.
+//
+// See https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00 for details.
+type SameSite int
+
+const (
+ SameSiteDefaultMode SameSite = iota + 1
+ SameSiteLaxMode
+ SameSiteStrictMode
+)
+
// readSetCookies parses all "Set-Cookie" values from
// the header h and returns the successfully parsed Cookies.
func readSetCookies(h Header) []*Cookie {
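Review bot: The doc comment on the new SameSite type (the lines just above `type SameSite int`) is ungrammatical and does not say what the zero value means, which matters here because SameSiteDefaultMode starts at `iota + 1`, so a zero-valued field is a distinct "not set" state rather than the default mode. I would reword the first sentence to `// SameSite allows a server to define a cookie attribute that prevents the browser from sending this cookie along with cross-site requests.` and add a line to the const block such as `// The zero value means the attribute is not set and is omitted by Cookie.String.` The Cookie struct starts before this hunk and readSetCookies continues past it.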
@@ -83,6 +98,17 @@ func readSetCookies(h Header) []*Cookie {
continue
}
switch lowerAttr {
+ case "samesite":
+ lowerVal := strings.ToLower(val)
+ switch lowerVal {
+ case "lax":
+ c.SameSite = SameSiteLaxMode
+ case "strict":
+ c.SameSite = SameSiteStrictMode
+ default:
+ c.SameSite = SameSiteDefaultMode
+ }
+ continue
case "secure":
c.Secure = true
continue
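Review bot: The `default:` arm of the inner switch maps every SameSite value other than lax/strict to SameSiteDefaultMode, so a Set-Cookie header carrying an unrecognized or future token becomes indistinguishable from a bare `SameSite` attribute once parsed, and Cookie.String will re-emit it without the original value. If that collapse is intentional it deserves a comment on the default arm, e.g. `// Unrecognized values are treated as a bare SameSite attribute; the original token is not preserved.`; if not, the `continue` presumably also skips the Unparsed path that would otherwise keep the raw text, so leaving the field unset there is the alternative to consider. readSetCookies starts and ends outside this hunk.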
@@ -184,6 +210,14 @@ func (c *Cookie) String() string {
if c.Secure {
b.WriteString("; Secure")
}
+ switch c.SameSite {
+ case SameSiteDefaultMode:
+ b.WriteString("; SameSite")
+ case SameSiteLaxMode:
+ b.WriteString("; SameSite=Lax")
+ case SameSiteStrictMode:
+ b.WriteString("; SameSite=Strict")
+ }
return b.String()
}
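Review bot: The switch on c.SameSite has no default arm, so a zero-valued (unset) field silently writes nothing; that appears to be the intended behavior, but nothing says so, and a reader comparing it with the Secure branch above may assume a case was forgotten. A one-line comment before the switch, `// A zero SameSite value means the attribute was never set, so nothing is written.`, would make the contract explicit. Cookie.String starts outside this hunk.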