
CSRF middleware: Cookie will soon be rejected

Open lu4p opened this issue 4 years ago • 4 comments

Firefox (84.0.1) produces the following warning for the default CSRF middleware (middleware.CSRF()) configuration.

Cookie “_csrf” will be soon rejected because it has the “SameSite” attribute set to
“None” or an invalid value, without the “secure” attribute. 
To know more about the “SameSite“ attribute, 
read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

lu4p avatar Dec 30 '20 01:12 lu4p

It seems to be a duplicate of #1523, fixed in #1524. Please test it again with the latest changes on master and let us know if the issue is still present.

pafuent avatar Jan 05 '21 04:01 pafuent

I updated to master (v4.1.18-0.20210105101451-67263b5e4564) and this issue is still present.

lu4p avatar Jan 07 '21 21:01 lu4p

Sorry, I didn't read your first comment properly. The CSRF middleware was updated to send the "SameSite" attribute and also send the "Secure" attribute when "SameSite" is None. In order to have that behavior you should use the middleware with a configuration that sets "SameSite" to your desired value. If you want "SameSite" as None (this automatically adds the "Secure" attribute):

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{CookieSameSite: http.SameSiteNoneMode}))

The default CSRF was kept as it was to be backward compatible.

pafuent avatar Jan 20 '21 04:01 pafuent
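The rule pafuent describes (SameSite=None forces Secure) and the browser check behind the Firefox warning quoted above, as an added standard-library Go example. This is not echo's code: `csrfCookie` and `setCookieHandler` are hypothetical stand-ins for the middleware, the token value is constructed, and the `treatMissingAsNone` flag of `checkSetCookie` is an assumption about how a given browser judges a cookie that carries no SameSite attribute at all.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// csrfCookie builds a "_csrf" cookie following the rule described in the
// thread: the requested SameSite mode is written, and SameSite=None forces
// Secure, because browsers reject a SameSite=None cookie without Secure.
// Hypothetical stand-in for the middleware, not echo's own code.
func csrfCookie(token string, sameSite http.SameSite, secure bool) *http.Cookie {
	c := &http.Cookie{Name: "_csrf", Value: token, Path: "/", SameSite: sameSite, Secure: secure}
	if sameSite == http.SameSiteNoneMode {
		c.Secure = true // "None" is only accepted together with Secure
	}
	return c
}

// setCookieHandler wraps csrfCookie in a handler so the Set-Cookie header can
// be captured with httptest. The token value is constructed for the example.
func setCookieHandler(sameSite http.SameSite, secure bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, csrfCookie("constructed-token", sameSite, secure))
	}
}

// recordSetCookie serves one request and returns the raw Set-Cookie header.
func recordSetCookie(h http.Handler) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "https://example.test/", nil))
	return rec.Header().Get("Set-Cookie")
}

// checkSetCookie applies the rule quoted in the Firefox warning to a raw
// Set-Cookie header: SameSite=None, or an unrecognised SameSite value,
// without Secure is rejected. treatMissingAsNone says whether a cookie with
// no SameSite attribute at all should be judged as if it said None (an
// assumption about the browser's default, made configurable here).
func checkSetCookie(header string, treatMissingAsNone bool) (bool, string) {
	sameSite, haveSameSite, secure := "", false, false
	for _, p := range strings.Split(header, ";")[1:] { // [0] is name=value
		attr := strings.TrimSpace(p)
		lower := strings.ToLower(attr) // attribute names and SameSite values are case-insensitive
		switch {
		case lower == "secure":
			secure = true
		case strings.HasPrefix(lower, "samesite="):
			haveSameSite = true
			sameSite = strings.TrimSpace(lower[len("samesite="):])
		case lower == "samesite":
			haveSameSite = true // attribute present but without a value: invalid
		}
	}
	switch {
	case !haveSameSite && !treatMissingAsNone:
		return true, "ok (no SameSite attribute)"
	case !haveSameSite:
		if secure {
			return true, "ok (no SameSite attribute, treated as None, Secure present)"
		}
		return false, "rejected: no SameSite attribute, treated as None, without Secure"
	case sameSite == "lax" || sameSite == "strict":
		return true, "ok (SameSite=" + sameSite + ")"
	case sameSite == "none":
		if secure {
			return true, "ok (SameSite=None with Secure)"
		}
		return false, "rejected: SameSite=None without Secure"
	default:
		if secure {
			return true, fmt.Sprintf("ok (unrecognised SameSite %q, but Secure)", sameSite)
		}
		return false, fmt.Sprintf("rejected: unrecognised SameSite %q without Secure", sameSite)
	}
}

func main() {
	cases := []struct {
		name string
		h    http.Handler
	}{
		{"no SameSite requested", setCookieHandler(http.SameSiteDefaultMode, false)},
		{"SameSite=None requested", setCookieHandler(http.SameSiteNoneMode, false)},
		{"SameSite=Lax requested", setCookieHandler(http.SameSiteLaxMode, false)},
	}
	for _, c := range cases {
		hdr := recordSetCookie(c.h)
		ok, why := checkSetCookie(hdr, true)
		fmt.Printf("%-26s %-58s ok=%-5v %s\n", c.name, hdr, ok, why)
	}
}
```

Run with `go run`; the second row shows that asking for SameSite=None yields a header carrying both `SameSite=None` and `Secure`, which the checker accepts, while the Lax row is accepted without Secure because the forced-Secure rule applies only to None.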

I think we just use this ticket to change the defaults for v5.

lammel avatar Mar 09 '21 12:03 lammel