
v1.7.0

@release-drafter release-drafter released this 26 Apr 17:18
79c60d0

📢 This release of gorilla/csrf changes the default SameSite cookie attribute to address changes in the SameSite spec (see golang/go#36990)

Previously: SameSiteDefaultMode in csrf (prior to v1.7.0) emitted a bare SameSite attribute (no value) on the cookie, which is not valid in some browsers, notably older versions of Chrome/Android. These browsers would refuse to set cookies carrying this "invalid" attribute.
Now: The default mode is SameSite=Lax, which is supported by Chrome v51, Firefox v60, Safari v13 and most other recent browsers.

If you're new to SameSite, read the MDN documentation for a great overview on why this attribute helps prevent cookies from being 'leaked' to third-party domains unintentionally.
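The following is an added example, not code from gorilla/csrf or this release, showing the difference the notes describe: it builds a CSRF cookie with the new SameSite=Lax default using only net/http, and includes a small checker that pulls the SameSite attribute out of a raw Set-Cookie header so you can confirm your own responses no longer carry the bare, valueless form. The cookie name, value and sample headers are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// csrfCookie builds a CSRF token cookie with the v1.7.0-style default of
// SameSite=Lax. The cookie name and token are constructed placeholders.
func csrfCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name:     "_gorilla_csrf", // constructed name for the example
		Value:    token,
		Path:     "/",
		MaxAge:   12 * 3600,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode, // the new default described above
	}
}

// sameSiteAttribute extracts the SameSite attribute from a raw Set-Cookie
// header value. It returns ("", false) when the attribute is absent,
// ("", true) for the bare "SameSite" form that older Chrome/Android rejected,
// and (value, true) when a value such as Lax, Strict or None is present.
func sameSiteAttribute(setCookie string) (string, bool) {
	for _, part := range strings.Split(setCookie, ";")[1:] { // skip name=value
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if strings.EqualFold(kv[0], "SameSite") {
			if len(kv) == 2 {
				return kv[1], true
			}
			return "", true
		}
	}
	return "", false
}

// cookieAccepted applies the rule from the release notes: a bare SameSite
// attribute with no value is rejected by the affected browsers, while an
// absent attribute or one with a value is accepted.
func cookieAccepted(setCookie string) bool {
	value, present := sameSiteAttribute(setCookie)
	return !present || value != ""
}

func main() {
	// Constructed sample headers: the pre-1.7.0 bare attribute and the new default.
	old := "_gorilla_csrf=abc123; Path=/; HttpOnly; Secure; SameSite"
	now := csrfCookie("abc123").String()
	for _, h := range []string{old, now} {
		v, ok := sameSiteAttribute(h)
		fmt.Printf("%s\n  SameSite=%q present=%v accepted=%v\n", h, v, ok, cookieAccepted(h))
	}
}
```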

CHANGELOG

  • Set SameSite=Lax by default (#136) @elithrar
  • Don't set a default samesite for backwards compatibility (#132) @euank