The (*http.Cookie).String method used by SetCookie will silently discard
or sanitize any fields it deems invalid, making it difficult to tell
whether a cookie will be sent as expected.
This change introduces a new (*http.Cookie).Valid method which may be
used to check if any cookie fields will be discarded or sanitized prior
to calling (*http.Cookie).String.
Fixes#46370
Change-Id: I2db80078de190d267a9c675a9717c8be8acc8704
Reviewed-on: https://go-review.googlesource.com/c/go/+/338590
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Cherry Mui <cherryyz@google.com>
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
The current specification does not foresee a SameSite attribute without
a value. While the existing implementation would serialize SameSite in a
way that would likely be ignored by well-impelemented clients, it is
better to not rely on this kind of quirks.
Specification: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1Fixes#36990
Change-Id: Ie51152741d7e84bab64d3e4e4f780286932acbde
Reviewed-on: https://go-review.googlesource.com/c/go/+/256498
Trust: Roberto Clapis <roberto@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
The following corner cases for readCookiesTests are tested now:
- An extra cookie delimiter ";" at the end of a Cookie header
- An empty Cookie header
Change-Id: Id8028b448e4182613fb261bf0903efc98cbf4997
Reviewed-on: https://go-review.googlesource.com/c/go/+/164702
Reviewed-by: Volker Dobler <dr.volker.dobler@gmail.com>
Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
Run-TryBot: Emmanuel Odeke <emm.odeke@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The same-site cookie attribute prevents a cookie from being sent along with
cross-site requests. The main goal is mitigate the risk of cross-origin
information leakage and provides some protection against cross-site request
forgery attacks.
This change adds the option to http.Cookie so it can be stored and
passed to HTTP clients.
Spec: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00Fixes#15867
Based on
eb31a0f063
by Reed Loden <reed@hackerone.com>
Change-Id: I98c8a9a92358b2f632990576879759e3aff38cff
Reviewed-on: https://go-review.googlesource.com/79919
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
According to RFC 6255 a cookie value may contain neither spaces " "
nor commas ",". But browsers seem to handle these pretty well and such
values are not uncommon in the wild so we do allow spaces and commas
in cookie values too. Up to now we use the double-quoted wire format
only for cookie values with leading and/or trailing spaces and commas.
Values with internal spaces/commas are sent without the optional double
quotes. This seems to be a problem for some agents.
This CL changes the behaviour for cookie values with spaces or commas:
Such values are always sent in double quotes. This should not have
any impact on existing agents and the increases of data transmitted
is negligible.
Fixes#18627
Change-Id: I575a98d589e048aa39d976a3c984550daaca730a
Reviewed-on: https://go-review.googlesource.com/37328
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Following RFC 6265 Section 5.1.1.5, ensure that the minimum
year for which an Expires value is valid and can be included in
the cookie's string, is 1601 instead of the Epoch year 1970.
A detailed specification for parsing the Expiry field is at:
https://tools.ietf.org/html/rfc6265#section-5.2.1
I stumbled across this bug due to this StackOverflow answer
that recommends setting the Expiry to the Epoch:
http://stackoverflow.com/a/5285982Fixes#17632
Change-Id: I3c1bdf821d369320334a5dc1e4bf22783cbfe9fc
Reviewed-on: https://go-review.googlesource.com/32142
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This is a subset of https://golang.org/cl/20022 with only the copyright
header lines, so the next CL will be smaller and more reviewable.
Go policy has been single space after periods in comments for some time.
The copyright header template at:
https://golang.org/doc/contribute.html#copyright
also uses a single space.
Make them all consistent.
Change-Id: Icc26c6b8495c3820da6b171ca96a74701b4a01b0
Reviewed-on: https://go-review.googlesource.com/20111
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
John Kelly
Roberto Clapis
Vivek Sekhar
bronze1man
sergey
Stephan Renatus
Volker Dobler
Josh Chorlton
Cyrill Schumacher
Brad Fitzpatrick
Guobiao Mei
Nigel Tao
Russ Cox