goadesign · raphael · Oct 23, 2023 · Oct 22, 2023 · Oct 22, 2023 · Oct 22, 2023
diff --git a/dsl/http.go b/dsl/http.go
@@ -591,6 +591,34 @@ func CookieHTTPOnly() {
 	cookieAttribute("http-only", "HttpOnly")
 }
 
+// CookieSameSite initializes the "same-site" attribute of a HTTP response
+// cookie with "CookieSameSiteStrict", "CookieSameSiteLax", "CookieSameSiteNone",
+// or "CookieSameSiteDefault".
+//
+// CookieSameSite must appear in a Cookie expression.
+//
+// Example:
+//
+//	var _ = Service("account", func() {
+//	    Method("create", func() {
+//	        Result(Account)
+//	        HTTP(func() {
+//	            Response(StatusCreated, func() {
+//	                Cookie("session:SID", String)
+//	                CookieSameSite(CookieSameSiteStrict)
+//	            })
+//	        })
+//	    })
+//	})
+func CookieSameSite(s expr.CookieSameSiteValue) {
+	_, ok := eval.Current().(*expr.HTTPResponseExpr)
+	if !ok {
+		eval.IncompatibleDSL()
+		return
+	}
+	cookieAttribute("same-site", string(s))
+}
+
 // Params groups a set of Param expressions. It makes it possible to list
 // required parameters using the Required function.
 //

diff --git a/expr/attribute.go b/expr/attribute.go
@@ -102,6 +102,10 @@ type (
 	// ValidationFormat is the type used to enumerate the possible string
 	// formats.
 	ValidationFormat string
+
+	// CookieSameSiteValue is the type used to enumerate the possible cookie
+	// SameSite values.
+	CookieSameSiteValue string
 )
 
 const (
@@ -148,6 +152,13 @@ const (
 	FormatRFC1123 = "rfc1123"
 )
 
+const (
+	CookieSameSiteStrict  CookieSameSiteValue = "strict"
+	CookieSameSiteLax     CookieSameSiteValue = "lax"
+	CookieSameSiteNone    CookieSameSiteValue = "none"
+	CookieSameSiteDefault CookieSameSiteValue = "default"
+)
+
 // EvalName returns the name used by the DSL evaluation.
 func (*AttributeExpr) EvalName() string {
 	return "attribute"

diff --git a/expr/http_cookie_test.go b/expr/http_cookie_test.go
@@ -23,6 +23,7 @@ func TestHTTPResponseCookie(t *testing.T) {
 		{"path", testdata.CookiePathDSL, Props{"cookie:path": testdata.CookiePathValue}},
 		{"secure", testdata.CookieSecureDSL, Props{"cookie:secure": "Secure"}},
 		{"http-only", testdata.CookieHTTPOnlyDSL, Props{"cookie:http-only": "HttpOnly"}},
+		{"same-site", testdata.CookieSameSiteDSL, Props{"cookie:same-site": testdata.CookieSameSiteValue}},
 	}
 	for _, c := range cases {
 		t.Run(c.Name, func(t *testing.T) {

diff --git a/expr/testdata/cookie_dsls.go b/expr/testdata/cookie_dsls.go
@@ -2,6 +2,7 @@ package testdata
 
 import (
 	. "goa.design/goa/v3/dsl"
+	"goa.design/goa/v3/expr"
 )
 
 var CookieObjectResultDSL = func() {
@@ -124,3 +125,22 @@ var CookieHTTPOnlyDSL = func() {
 		})
 	})
 }
+
+const CookieSameSiteValue = expr.CookieSameSiteStrict
+
+var CookieSameSiteDSL = func() {
+	Service("CookieSvc", func() {
+		Method("Method", func() {
+			Result(func() {
+				Attribute("cookie", String)
+			})
+			HTTP(func() {
+				POST("/")
+				Response(StatusOK, func() {
+					Cookie("cookie")
+					CookieSameSite(CookieSameSiteValue)
+				})
+			})
+		})
+	})
+}
diff --git a/http/codegen/client.go b/http/codegen/client.go
@@ -486,6 +486,9 @@ func {{ .RequestEncoder }}(encoder func(*http.Request) goahttp.Encoder) func(*ht
 				{{- if .HTTPOnly }}
 				HttpOnly: true,
 				{{- end }}
+				{{- if .SameSite }}
+				SameSite: {{ .SameSite }},
+				{{- end }}
 			})
 		}
 		{{- end }}

diff --git a/http/codegen/server.go b/http/codegen/server.go
@@ -1352,6 +1352,9 @@ const responseT = `{{ define "response" -}}
 			{{- if .HTTPOnly }}
 			HttpOnly: true,
 			{{- end }}
+			{{- if .SameSite }}
+			SameSite: {{ printf "%q" .SameSite }},
+			{{- end }}
 		})
 		{{- if or $checkNil $initDef }}
 	}

diff --git a/http/codegen/service_data.go b/http/codegen/service_data.go
@@ -506,6 +506,8 @@ type (
 		Secure bool
 		// HTTPOnly sets the cookie "http-only" attribute to "HttpOnly" if true.
 		HTTPOnly bool
+		// SameSite sets the cookie "same-site" attribute to the given value.
+		SameSite http.SameSite
 	}
 
 	// TypeData contains the data needed to render a type definition.
@@ -2534,6 +2536,17 @@ func extractCookies(a *expr.MappedAttributeExpr, svcAtt *expr.AttributeExpr, svc
 				c.Secure = v[0] == "Secure"
 			case "cookie:http-only":
 				c.HTTPOnly = v[0] == "HttpOnly"
+			case "cookie:same-site":
+				switch v[0] {
+				case string(expr.CookieSameSiteLax):
+					c.SameSite = http.SameSiteLaxMode
+				case string(expr.CookieSameSiteStrict):
+					c.SameSite = http.SameSiteStrictMode
+				case string(expr.CookieSameSiteNone):
+					c.SameSite = http.SameSiteNoneMode
+				case string(expr.CookieSameSiteDefault):
+					c.SameSite = http.SameSiteDefaultMode
+				}
 			}
 		}
 		cookies = append(cookies, c)