[BUG] v1.7.3 breaks reverse proxies that change Host

### Is there an existing issue for this?

- [x] I have searched the existing issues

### Current Behavior

If a same-origin request for example.com comes in with a valid token, and is then reverse proxied to backend.acme.example, it will be rejected by the new Origin header check, because the Host header was rewritten by the reverse proxy.

https://github.com/gorilla/csrf/blob/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb/csrf.go#L275-L277
https://github.com/gorilla/csrf/blob/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb/csrf.go#L288-L292

### Expected Behavior

Same-origin requests should be allowed even if the Host header is modified.

They can be reliably detected with the Sec-Fetch-Site header.

### Steps To Reproduce

N/A

### Anything else?

N/A

	if !sameOrigin(&requestURL, parsedOrigin) && !slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host) {
	r = envError(r, ErrBadOrigin)
	cs.opts.ErrorHandler.ServeHTTP(w, r)
	return
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[BUG] v1.7.3 breaks reverse proxies that change Host #187

Is there an existing issue for this?

Current Behavior

Expected Behavior

Steps To Reproduce

Anything else?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	if requestURL.Host == "" {
	requestURL.Host = r.Host
	}

Uh oh!

[BUG] v1.7.3 breaks reverse proxies that change Host #187

Description

Is there an existing issue for this?

Current Behavior

Expected Behavior

Steps To Reproduce

Anything else?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions