
[BUG] v1.7.3 is technically a breaking change #186

Open
@FiloSottile

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

With 9dd6af1 csrf.Protect went from only checking tokens, to also enforcing same-origin requests, unless the Origin header (which is always present in modern browsers) is also listed in TrustedOrigins.

I don't disagree that this should be the default, and maybe also that it's worth a security-motivated breaking change, since tokens can be bypassed by same-site origins (including plaintext HTTP ones) by cookie tossing (unless using the __Host- prefix, which also enforces same-origin requests), but a breaking change in v1.0.0 should be prominently communicated.

The ship has sailed; I'm opening this issue to give folks something to refer to if they see breakage, and to hint at the solution (adding allowed origins to TrustedOrigins).

(Tangentially, a robust same-origin check makes tokens redundant, so if enforcing same-origin requests is acceptable this package can be greatly simplified!)

Expected Behavior

N/A

Steps To Reproduce

N/A

Anything else?

#185 looks like it's reporting breakage, and tailscale/tailscale#14872 and tailscale/tailscale#15065 are related.
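The check the issue describes, written out as an added example (this is not gorilla/csrf's code, nor the issue author's): a state-changing request is accepted only when its Origin header (Referer as a fallback) matches the origin the server is serving, or is explicitly listed, which is what makes a same-site but different-origin caller such as a separate app hostname, or a plaintext http:// sibling, break until it is added to the list. The `OriginPolicy` type, its `Check` method and `postFrom` are names invented here; the trusted list holding full `scheme://host[:port]` origins is an assumption of this example, not a statement about the library's TrustedOrigins format.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OriginPolicy is an illustrative stand-in for the same-origin enforcement the issue
// describes; it is example code, not gorilla/csrf's. Its trusted list holds full
// origins ("scheme://host[:port]"), an assumption here, not the TrustedOrigins format.
type OriginPolicy struct {
	trusted map[string]struct{}
}

func NewOriginPolicy(trustedOrigins ...string) (*OriginPolicy, error) {
	p := &OriginPolicy{trusted: make(map[string]struct{})}
	for _, o := range trustedOrigins {
		n, err := normalizeOrigin(o)
		if err != nil {
			return nil, err
		}
		p.trusted[n] = struct{}{}
	}
	return p, nil
}

// normalizeOrigin reduces a URL or Origin value to lowercase scheme://host[:port],
// dropping a default port. "" and the opaque Origin "null" have no scheme: rejected.
func normalizeOrigin(o string) (string, error) {
	u, err := url.Parse(o)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not a usable origin: %q", o)
	}
	scheme, host := strings.ToLower(u.Scheme), strings.ToLower(u.Host)
	if (scheme == "https" && strings.HasSuffix(host, ":443")) ||
		(scheme == "http" && strings.HasSuffix(host, ":80")) {
		host = host[:strings.LastIndex(host, ":")]
	}
	return scheme + "://" + host, nil
}

// requestOrigin is the origin the server believes it serves, from TLS state and Host.
// Behind a TLS-terminating proxy the scheme must come from a trusted forwarded header.
func requestOrigin(r *http.Request) (string, error) {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return normalizeOrigin(scheme + "://" + r.Host)
}

// Check returns nil when the request may proceed: safe methods always; others only
// with an Origin (or Referer) equal to the request's own origin or in the trusted list.
// The scheme is part of the origin, so an http:// sibling of an https:// site is
// cross-origin even though it is same-site.
func (p *OriginPolicy) Check(r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return nil
	}
	src := r.Header.Get("Origin")
	if src == "" { // older clients may send only Referer; a missing one fails below
		src = r.Header.Get("Referer")
	}
	got, err := normalizeOrigin(src)
	if err != nil {
		return err
	}
	self, err := requestOrigin(r)
	if err != nil {
		return err
	}
	if _, ok := p.trusted[got]; got == self || ok {
		return nil
	}
	return fmt.Errorf("origin %s is neither same-origin as %s nor trusted", got, self)
}

// postFrom constructs an HTTPS POST to host carrying the given Origin ("" omits it).
func postFrom(origin, host string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/transfer", nil)
	r.Host, r.TLS = host, &tls.ConnectionState{}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	// Constructed scenario: an app on https://app.example.com posts to https://api.example.com.
	strict, _ := NewOriginPolicy()
	relaxed, _ := NewOriginPolicy("https://app.example.com")
	for _, o := range []string{"https://api.example.com", "https://app.example.com", "http://app.example.com", ""} {
		r := postFrom(o, "api.example.com")
		fmt.Printf("Origin %-26q strict: %-5v with app trusted: %v\n", o, strict.Check(r) == nil, relaxed.Check(r) == nil)
	}
}
```

Running `main` shows the breakage pattern from the issue: with an empty trusted list only the exact same origin passes, the sibling app fails even though its token would have validated, and adding `https://app.example.com` to the list fixes that one case without admitting the plaintext `http://app.example.com` origin, since the scheme is part of the origin comparison. The trusted list is compared after normalization, so a trusted entry written with the default port still matches.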
