CSRF middleware: Cookie will soon be rejected

[lu4p]

Firefox (84.0.1) produces the following warning for the default CSRF middleware (middleware.CSRF()) configuration.

Cookie “_csrf” will be soon rejected because it has the “SameSite” attribute set to
“None” or an invalid value, without the “secure” attribute. 
To know more about the “SameSite“ attribute, 
read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

[pafuent]

It's seems to be a duplicate of #1523 fixed in #1524
Please test it again with the latest changes on master and let us know if the issue is still present.

[lu4p]

I updated to master (v4.1.18-0.20210105101451-67263b5e4564) and this is issue is still present.

[pafuent]

Sorry I didn't read properly your first comment. The CSRF Middleware was updated to send "SameSite" attribute and also send "Secure" attribute when "SameSite" is None. In order to have that behavior you should use the middleware with a configuration that sets "SameSite" to your desired value.
If your want "SameSite" as None (this automatically will add the "Secure" attribute):

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{CookieSameSite: http.SameSiteNoneMode}))

The default CSRF was kept as it was to be backward compatible.

[lammel]

I think we just use this ticket to change the defaults for v5.