SameSite is not set in the default path

[martinlindhe]

The SameSite patch in #165 and #170 forgot to initialize SameSite to a value in the default path.

I think the intent was to initialize it to http.SameSiteDefaultMode.

Currently this results in the following error in Firefox Developer Tools

Cookie “id” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

[stale[bot]]

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.

[bharat-rajani]

@martinlindhe The http.SameSiteDefaultMode would still result in cookie being dropped because default mode will not add SameSite.

I am leaning towards defaulting SameSite to http.SameSiteLaxMode inside cookie store initializer (NewCookieStore). Along with this it should be clearly documented through an example that this option is configurable.

References for my above opinions:

• https://github.com/golang/go/issues/36990
• https://github.com/httpwg/http-extensions/issues/389

Expired draft: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-3.1 Currenty active: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05#section-4.1.1