New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: net/http: add constant for samesite cookie mode #39609
Comments
Why do we need a constant that has the same value as the zero value for that type? Why does explicitly saying "the thing isn't set" improve over just not setting it? |
Change https://golang.org/cl/237998 mentions this issue: |
@davecheney In my opinion it mainly improves code readability in some situations. The behavior is already there, but the name is not, so to invoke such behavior I need to pass 0. For example you can have a configuration with SameSite mode and you don't want to have multiple ways to construct a cookie (with or without the samesite attribute). For example see the ory/hydra#1908 commit. |
Thanks for the example. That API is pretty hard to use correctly, especially as there is no safe default for that parameter. Changing Go might be a solution to that, but there might be others which would lead to a more usable API. |
@davecheney Agreed, the cookie samesite API is hard to use and one of the small problems is that there is behavior that does not have a name, yet it is used. The other is that |
I'm a bit confused about SameSiteUnsetMode vs SameSiteDefaultMode vs SameSiteNoneMode. Also, based on the change made for #36990, the proposed SameSiteUnsetMode would be exactly the same as SameSiteDefaultMode, which is even more confusing. It's unfortunate that we now have 0 and 1 meaning the same thing, but since 1 has a name, it seems like we should leave it there and not name 0 as well. If you want to be explicit about nothing happening, you can use the named 1 instead of a named 0. |
@rsc Yes, the names are confusing, I'm currently discussing the changes for #36990. @FiloSottile proposed instead of The idea is to revert the #36990 change and deprecate the |
Closing, as the #36990 was settled by not reverting. |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (
go env
)?not relevant
What did you do?
I wanted to specify cookie samesite mode that would indicate cookie without a samesite attribute while implementing ory/hydra#1908 that requires cookie without any samesite attribute.
What did you expect to see?
I expected to find the samesite mode const with such behavior in the net/http package
What did you see instead?
I had to use unnamed magic constant (0)
The text was updated successfully, but these errors were encountered: