gorilla/csrf v1.7.0 Release Notes

Release Date: 2020-04-26 // almost 4 years ago
  • ๐Ÿ“ข This release of gorilla/csrf changes the default SameSite cookie attribute to address changes in the SameSite spec (see golang/go#36990)

    Previously : The SameSiteDefaultMode in csrf (prior to v1.7.0) would set SameSite on the cookie, which is not valid in some browsers, notably older versions of Chrome/Android. These browsers would not set cookies with this "invalid" attribute.
    Now : The default mode is SameSite=Lax, which is supported by Chrome v51, Firefox v60, Safari v13 and most recent browsers.

    ๐Ÿ“š If you're new to SameSite, read the MDN documentation for a great overview on why this attribute helps prevent cookies from being 'leaked' to third-party domains unintentionally.


    • 0๏ธโƒฃ Set SameSite=Lax by default (#136) @elithrar
    • 0๏ธโƒฃ Don't set a default samesite for backwards compatibility (#132) @euank

Previous changes from v1.6.2

  • Notable Changes

    ๐Ÿš€ ๐Ÿ†• This release adds support for SameSite cookies (how they work), introduced in Go v1.11+, which can better scope cookies to first-party requests only (instead of just same-origin).

    ๐Ÿ‘€ See the README for an example.