feat: Auto-enforce Secure=true for Partitioned cookies in Cookie()

darwin808 · darwin808 · commit 338dad15b471 · 2026-01-21T18:35:14.000+08:00
- Add Secure enforcement for Partitioned cookies per CHIPS spec
- Update test to reflect new auto-fix behavior
diff --git a/ctx_test.go b/ctx_test.go
@@ -1211,7 +1211,7 @@ func Test_Ctx_Cookie_Invalid(t *testing.T) {
 		{Name: "i", Value: "b", Domain: "2001:db8::1"},                                // ipv6 not allowed
 		{Name: "p", Value: "b", Path: "\x00"},                                         // invalid path byte
 		{Name: "e", Value: "b", Expires: time.Date(1500, 1, 1, 0, 0, 0, 0, time.UTC)}, // invalid expires
-		{Name: "s", Value: "b", Partitioned: true},                                    // partitioned but not secure
+		// Note: Partitioned without Secure is auto-fixed (Secure=true set automatically per CHIPS spec)
 	}
 
 	for _, invalid := range cases {
diff --git a/res.go b/res.go
@@ -249,6 +249,11 @@ func (r *DefaultRes) Cookie(cookie *Cookie) {
 		sameSite = http.SameSiteLaxMode
 	}
 
+	// Partitioned requires Secure=true per CHIPS spec
+	if cookie.Partitioned {
+		cookie.Secure = true
+	}
+
 	// create/validate cookie using net/http
 	hc := &http.Cookie{
 		Name:        cookie.Name,

Original file line number	Diff line number	Diff line change
`@@ -1211,7 +1211,7 @@ func Test_Ctx_Cookie_Invalid(t *testing.T) {`
`1211`	`1211`	`{Name: "i", Value: "b", Domain: "2001:db8::1"}, // ipv6 not allowed`
`1212`	`1212`	`{Name: "p", Value: "b", Path: "\x00"}, // invalid path byte`
`1213`	`1213`	`{Name: "e", Value: "b", Expires: time.Date(1500, 1, 1, 0, 0, 0, 0, time.UTC)}, // invalid expires`
`1214`		`- {Name: "s", Value: "b", Partitioned: true}, // partitioned but not secure`
	`1214`	`+ // Note: Partitioned without Secure is auto-fixed (Secure=true set automatically per CHIPS spec)`
`1215`	`1215`	`}`
`1216`	`1216`
`1217`	`1217`	`for _, invalid := range cases {`