gorilla/csrf v1.7.0 Release Notes
Release Date: 2020-04-26
📢 This release of gorilla/csrf changes the default SameSite cookie attribute to address changes in the SameSite spec (see golang/go#36990).
Previously: SameSiteDefaultMode in csrf (prior to v1.7.0) would set a bare SameSite attribute, with no value, on the cookie. That form is not valid in some browsers, notably older versions of Chrome/Android, and those browsers would refuse to store a cookie carrying this "invalid" attribute at all.
Now: The default mode is SameSite=Lax, which is supported by Chrome v51, Firefox v60, Safari v13 and most recent browsers.
📚 If you're new to SameSite, read the MDN documentation for a great overview on why this attribute helps prevent cookies from being 'leaked' to third-party domains unintentionally.
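To make the difference between the two defaults concrete, here is an added example (not code from gorilla/csrf) that serialises a CSRF-style cookie with Go's net/http for both SameSiteDefaultMode and SameSiteLaxMode, and includes a small checker that classifies the SameSite attribute found in a Set-Cookie header: absent, bare (the form older Chrome/Android builds reject, so the whole cookie is dropped), or a proper value such as Lax. The cookie name and token value are constructed for this example; gorilla/csrf itself is not imported. Go releases that include the fix for golang/go#36990 omit the attribute entirely for SameSiteDefaultMode, while older releases emit the bare SameSite, so the checker is also a handy way to see which behaviour your toolchain produces.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// sameSiteValue classifies the SameSite attribute of a Set-Cookie header value.
// It returns "absent" when no SameSite attribute is present, "bare" when the
// attribute appears with no value (invalid; older Chrome/Android drop the cookie),
// or the attribute's value (e.g. "Lax", "Strict", "None").
func sameSiteValue(setCookie string) string {
	// The first ";"-separated part is name=value; the rest are attributes.
	for _, part := range strings.Split(setCookie, ";")[1:] {
		attr := strings.TrimSpace(part)
		name, val, hasVal := strings.Cut(attr, "=")
		if !strings.EqualFold(name, "SameSite") {
			continue
		}
		if !hasVal || val == "" {
			return "bare"
		}
		return val
	}
	return "absent"
}

// csrfCookieHeader builds the Set-Cookie header string for a CSRF cookie with
// the given SameSite mode, exactly as net/http would serialise it.
// The cookie name and value are constructed for this example.
func csrfCookieHeader(mode http.SameSite) string {
	c := &http.Cookie{
		Name:     "_example_csrf", // constructed name, not a claim about gorilla/csrf's default
		Value:    "example-token",
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: mode,
	}
	return c.String()
}

func main() {
	modes := []struct {
		name string
		mode http.SameSite
	}{
		{"SameSiteDefaultMode", http.SameSiteDefaultMode},
		{"SameSiteLaxMode", http.SameSiteLaxMode},
	}
	for _, m := range modes {
		h := csrfCookieHeader(m.mode)
		fmt.Printf("%-20s -> %s\n    SameSite classified as: %s\n", m.name, h, sameSiteValue(h))
	}

	// A header as emitted by a pre-v1.7.0 setup on an older Go release
	// (constructed for this example): the bare attribute is the invalid form.
	legacy := "_example_csrf=example-token; Path=/; HttpOnly; Secure; SameSite"
	fmt.Println("legacy header classified as:", sameSiteValue(legacy))
}
```

Running the checker over the Set-Cookie headers your own server actually returns is a quick regression test after upgrading: any "bare" result means the cookie will be silently dropped by the affected browsers, and an "absent" result means you are relying on each browser's own default rather than an explicit Lax.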