Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't set a default samesite for backwards compatibility #132

Merged
merged 1 commit into from
Apr 26, 2020
Merged

Don't set a default samesite for backwards compatibility #132

merged 1 commit into from
Apr 26, 2020

Conversation

euank
Copy link
Contributor

@euank euank commented Feb 3, 2020

Also add a comment over SameSiteDefaultMode discouraging its use.

The specific issue I ran into is that the default behaviour of gorilla/csrf is to include an invalid SameSite attribute on the cookie without doing any SameSite configuration.

This broke some users of the site in question because older versions of chrome (apparently the version shipped with android 8) treats an invalid samesite attribute as grounds to drop the cookie entirely rather than just default it to lax.

This updates it to use the zero-value by default for http.SameSite rather than SameSiteDefaultMode, which has different behaviour from the zero value.

xref golang/go#36990 which, when resolved, may inform this. I do think that no matter how that issue is resolved, the better default for opts.SameSite here is 0 though.

@euank
Don't set a default samesite for backwards compatibility
58a7677 
Also add a comment over SameSiteDefaultMode discouraging its use.
@elithrar elithrar self-assigned this Feb 9, 2020
@elithrar elithrar added the bug label Feb 9, 2020
@elithrar elithrar self-requested a review February 9, 2020 23:19
@elithrar elithrar mentioned this pull request Feb 9, 2020
Closed
@stale
Copy link

stale bot commented Apr 10, 2020

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.

@stale stale bot added the stale label Apr 10, 2020
@elithrar elithrar removed the stale label Apr 10, 2020
@elithrar elithrar merged commit dbfab4e into gorilla:master Apr 26, 2020
@elithrar elithrar mentioned this pull request Apr 26, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elithrar elithrar elithrar approved these changes

Assignees

@elithrar elithrar

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@euank @elithrar