bugfix: Don't set a default samesite for backwards compatibility (#132)

Also add a comment over SameSiteDefaultMode discouraging its use.

csrf.go

@@ -62,6 +62,9 @@ type SameSiteMode int
 
 // SameSite options
 const (
+	// SameSiteDefaultMode sets an invalid SameSite header which defaults to
+	// 'Lax' in most browsers, but may cause some browsers to ignore the cookie
+	// entirely.
 	SameSiteDefaultMode SameSiteMode = iota + 1
 	SameSiteLaxMode
 	SameSiteStrictMode

go.mod

@@ -4,3 +4,5 @@ require (
 	github.com/gorilla/securecookie v1.1.1
 	github.com/pkg/errors v0.8.0
 )
+
+go 1.13

options.go

@@ -152,9 +152,6 @@ func parseOptions(h http.Handler, opts ...Option) *csrf {
 	cs.opts.Secure = true
 	cs.opts.HttpOnly = true
 
-	// Default to blank to maintain backwards compatibility
-	cs.opts.SameSite = SameSiteDefaultMode
-
 	// Default; only override this if the package user explicitly calls MaxAge(0)
 	cs.opts.MaxAge = defaultAge
 

store_test.go

@@ -159,3 +159,33 @@ func TestSameSizeSet(t *testing.T) {
 		t.Fatalf("cookie incorrectly does not have the SameSite attribute set: got %q", cookie)
 	}
 }
+
+// TestSamesiteBackwardsCompat tests that the default set of options do not set
+// any SameSite attribute.
+func TestSamesiteBackwardsCompat(t *testing.T) {
+	s := http.NewServeMux()
+	s.HandleFunc("/", testHandler)
+
+	r, err := http.NewRequest("GET", "/", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rr := httptest.NewRecorder()
+	p := Protect(testKey)(s)
+	p.ServeHTTP(rr, r)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("middleware failed to pass to the next handler: got %v want %v",
+			rr.Code, http.StatusOK)
+	}
+
+	cookie := rr.Header().Get("Set-Cookie")
+	if cookie == "" {
+		t.Fatalf("cookie not get set-cookie header: got headers %v", rr.Header())
+	}
+
+	if strings.Contains(cookie, "SameSite") {
+		t.Fatalf("cookie should not contain the substring 'SameSite' by default, but did: %q", cookie)
+	}
+}