Release notes from csrf

v1.7.3

2025-04-14T02:56:35Z

This Release fixes the following:

CVE-2025-24358

Full Changelog: v1.7.2...v1.7.3

Release v1.7.2

2023-11-05T02:10:02Z

What's Changed

Remove pkg/errors dependency by @husio in #161
Update README.md by @coreydaley in #164
[GPT-96] Update go version & add verification/testing tools by @apoorvajagtap in #166
updated licence by @apoorvajagtap in #167
Update issues.yml by @coreydaley in #168
issues/158/examples for working api with javascript frontend by @francoposa in #162
updating github action workflows by @coreydaley in #169
Updating gorilla/securecookie to v1.1.2 by @coreydaley in #170

New Contributors

@husio made their first contribution in #161
@coreydaley made their first contribution in #164
@apoorvajagtap made their first contribution in #166
@francoposa made their first contribution in #162

Full Changelog: v1.7.1...v1.7.2

v1.7.1

2021-07-29T17:38:45Z

v1.7.1 is a minor maintenance release. It improves documentation, and fixes a bug (#149) that caused missing tokens to not provide a clear error message back to the client.

CHANGELOG

bugfix: Not providing any token in requests results in wrong error message (#149)
Add a note about secrecy of CSRF token in the README.md (#154) @maxximino
Add note about csrf.Path option (#147) @karelbilek
build: use build matrix; drop Go <= 1.10 (#142) @elithrar
docs: change TrustedOrigin to TrustedOrigins in README (#140) @mittonface
docs: add TOC to README (#137) @elithrar

v1.7.0

2020-04-26T17:53:16Z

📢 This release of gorilla/csrf changes the default SameSite cookie attribute to address changes in the SameSite spec (see golang/go#36990)

Previously: The SameSiteDefaultMode in csrf (prior to v1.7.0) would set SameSite on the cookie, which is not valid in some browsers, notably older versions of Chrome/Android. These browsers would not set cookies with this "invalid" attribute.
Now: The default mode is SameSite=Lax, which is supported by Chrome v51, Firefox v60, Safari v13 and most recent browsers.

If you're new to SameSite, read the MDN documentation for a great overview on why this attribute helps prevent cookies from being 'leaked' to third-party domains unintentionally.

CHANGELOG

Set SameSite=Lax by default (#136) @elithrar
Don't set a default samesite for backwards compatibility (#132) @euank

SameSite Support

2019-11-21T14:29:27Z

Notable Changes

🆕 This release adds support for SameSite cookies (how they work), introduced in Go v1.11+, which can better scope cookies to first-party requests only (instead of just same-origin).

See the README for an example.

CHANGELOG

SameSite option (#123) @tflyons

v1.6.1

2019-08-26T00:46:48Z

Notable Changes

🆕 This release introduces the TrustedOrigins option, which allows a user to explicitly trust specific Referers. This simplifies the use of this library when the backend domain (issuing the cookie) does not match the front-end domain, such as in Single Page Application architectures.

🐞 This release also fixes a regression to applying the default cookie MaxAge (cookies were only session cookies). This would typically have been unnoticed by most users as the CSRF middleware resets the cookie on each request.

CHANGELOG

bugfix: correctly set a defaultMaxAge when MaxAge isn't called (#120) @elithrar
Create release-drafter.yml (#118) @elithrar
Add trusted origins feature (#117) @fjorgemota
Add CircleCI status badge to README (#113) @elithrar

v1.6.0

2019-06-26T01:23:16Z

Notable Changes

We've removed support for versions of Go prior to v1.7 - v1.6 was released over 3.5 years ago (@kisielk making me feel old!)
As a result, we've also removed gorilla/context as a dependency, since Go 1.7+ has its own http.Request.Context() implementation
Moved our CI to CircleCI - you can see the build dashboard here

CHANGELOG

38c9e46 Remove gorilla/context as part of pre-1.7 support (#114)
3719438 (elithrar/go-mod) [build] Add CircleCI config (#112)
d162037 [docs] Improve JS header/form instructions (#103)
40703b8 Update and rename stale to stale.yml (#102)
1db7df7 Merge pull request #101 from gorilla/stalebot
472e852 [docs] Add a "Reviewed by Hound" badge (#98)
abcfd25 (origin/stalebot) Add stalebot config
f903b4e README.md: Update site URL
10bfafc [docs] Note that developers should check the HTTP method (#91)
d690280 Merge pull request #88 from gorilla/elithrar/corporate-overlords

v1.5.1

2018-05-22T06:17:56Z

gorilla/csrf defines a go.mod file and correctly defines a SemVer version (v1.5.1) to support versioning in upcoming releases of Go.

v1.5

2017-01-08T19:57:01Z

Uses the new request.Context from Go 1.7 for Go 1.7 automatically. Note that gorilla/context is incompatible with Go 1.7.

6958173 [doc] Fixed readme mux path prefix (#51)
10e8fd1 [docs] Fix a few minor typos in examples. (#54)
fdae182 docs: fix minor typo (#50)
7f54448 [docs] Fix incorrect function name in docs (#49)
bbe6687 [docs] Fix syntax typo (#48)
0ff6a2c [docs] Improve commented code (#46)
a8abe8a [docs] Mentions passing csrf.Secure(false) in local dev environments.
a9c30ae [bugfix] Remove dependency on gorilla/context for go1.7+ (#42)
4642ecf [bugfix] Support a cookie MaxAge of 0. (#39)
101aaa4 Merge branch 'master' of github.com:gorilla/csrf
2a06c32 [ci] Add 1.6; skip install block; don't simplify.
0bb4971 [deps] Move from errors -> github.com/pkg/errors
dd1bce8 [deps] Move from errors -> github.com/pkg/errors

v1.4

2016-06-02T03:55:41Z

With Go 1.7's net/http package growing support for context.Context as part of http.Request, gorilla/csrf now uses the context to pass CSRF tokens and other metadata alongside the request instead of gorilla/context.
NOTE: There is a minor breaking change with UnsafeSkipCheck - it now returns a *http.Request. Existing applications will "fail closed" (i.e. CSRF will be enforced again). Since this was a relatively new feature (less than a week old) the impact of this should be very minor.