Fiber version
2.0.2
Issue description
Should be Strict by default.
Code snippet
Set-Cookie: _csrf=0e854b50-dc6e-46c7-a6f2-30b1dffa49f1; expires=Fri, 25 Sep 2020 08:20:04 GMT; path=/; SameSite=Lax
Thanks for reporting this. I'll make a PR soon. For anyone wondering
Lax
Cookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.
Strict
Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
If the SameSite attribute is set to Strict, then the browser will not include the cookie in any requests that originate from another site. This is the most defensive option, but it can impair the user experience, because if a logged-in user follows a third-party link to a site, then they will appear not to be logged in, and will need to log in again before interacting with the site in the normal way. See more here: https://portswigger.net/web-security/csrf/samesite-cookies
I made a PR https://github.com/gofiber/fiber/compare/master...Fenny:master#diff-a1d2da43df7c00f48723bb4751a6c393 that allows you to override the default SameSite attribute in the csrf middleware. Will be shipped with the next tag v2.0.3
app.Use(csrf.New(csrf.Config{
	// override the middleware's default SameSite attribute for the csrf cookie
	Cookie: &fiber.Cookie{
		SameSite: "Strict",
	},
}))
if a logged-in user follows a third-party link to a site, then they will appear not to be logged in, and will need to log in again before interacting with the site in the normal way.
CSRF cookie's SameSite value shouldn't affect the other cookies. So the session cookie should independently have the different SameSite value.
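To make the two points above concrete (Lax vs Strict as explained earlier in the thread, and the fact that the csrf cookie and the session cookie carry independent SameSite values), here is an added example that is not part of this issue thread and not Fiber's own code. It uses only the Go standard library: a small Set-Cookie parser, the RFC 6265bis send rules as a browser applies them, and a constructed cookie jar with a Strict csrf cookie beside a Lax session cookie. The cookie values and the session cookie name are constructed for the example; an absent SameSite attribute is treated as Lax (the modern-browser default mentioned above), and SameSite=None without Secure is treated as rejected, which is the assumption the code makes about browser behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// Cookie holds the attributes that matter for the SameSite decision.
type Cookie struct {
	Name, Value string
	SameSite    string // "Strict", "Lax", "None" or "" (attribute absent)
	Secure      bool
}

// Request describes a request as the browser sees it when deciding
// whether to attach a cookie.
type Request struct {
	CrossSite   bool   // initiated from a site other than the cookie's own
	TopLevelNav bool   // top-level navigation (link click, form submit), not fetch/XHR/img
	Method      string // HTTP method
}

// ParseSetCookie extracts name, value, SameSite and Secure from a Set-Cookie
// header value. Attributes are separated by ';', so the comma inside an
// Expires date is harmless; attributes other than these two are ignored.
func ParseSetCookie(header string) Cookie {
	var c Cookie
	parts := strings.Split(header, ";")
	c.Name, c.Value, _ = strings.Cut(strings.TrimSpace(parts[0]), "=")
	for _, attr := range parts[1:] {
		key, val, _ := strings.Cut(strings.TrimSpace(attr), "=")
		switch strings.ToLower(key) {
		case "samesite":
			c.SameSite = strings.TrimSpace(val)
		case "secure":
			c.Secure = true
		}
	}
	return c
}

// safeMethod reports whether m is a "safe" HTTP method; only these ride
// along on a cross-site top-level navigation under Lax.
func safeMethod(m string) bool {
	switch strings.ToUpper(m) {
	case "GET", "HEAD", "OPTIONS", "TRACE":
		return true
	}
	return false
}

// WouldSend applies the SameSite rules: Strict is never sent cross-site,
// Lax is sent cross-site only on a safe-method top-level navigation, None is
// sent everywhere but requires Secure (assumption: browsers reject
// SameSite=None without Secure). An absent attribute is treated as Lax.
func WouldSend(c Cookie, r Request) bool {
	if !r.CrossSite {
		return true
	}
	switch strings.ToLower(c.SameSite) {
	case "strict":
		return false
	case "none":
		return c.Secure
	default: // "lax" or unset
		return r.TopLevelNav && safeMethod(r.Method)
	}
}

// Attached returns the names of the cookies in jar the browser would include on r.
func Attached(jar []Cookie, r Request) []string {
	var names []string
	for _, c := range jar {
		if WouldSend(c, r) {
			names = append(names, c.Name)
		}
	}
	return names
}

func main() {
	// Constructed headers: the csrf cookie set to Strict, next to a session
	// cookie that stays Lax so someone following a third-party link still
	// appears logged in while the csrf cookie is withheld.
	jar := []Cookie{
		ParseSetCookie("_csrf=0e854b50-dc6e-46c7-a6f2-30b1dffa49f1; expires=Fri, 25 Sep 2020 08:20:04 GMT; path=/; SameSite=Strict"),
		ParseSetCookie("session_id=constructed-session-value; path=/; HttpOnly; SameSite=Lax"),
	}
	scenarios := []struct {
		name string
		req  Request
	}{
		{"same-site form POST", Request{CrossSite: false, TopLevelNav: true, Method: "POST"}},
		{"cross-site link click (GET)", Request{CrossSite: true, TopLevelNav: true, Method: "GET"}},
		{"cross-site form POST (CSRF attempt)", Request{CrossSite: true, TopLevelNav: true, Method: "POST"}},
		{"cross-site fetch/XHR GET", Request{CrossSite: true, TopLevelNav: false, Method: "GET"}},
	}
	for _, s := range scenarios {
		fmt.Printf("%-36s -> %v\n", s.name, Attached(jar, s.req))
	}
}
```

Running it shows the session cookie alone on the cross-site link click and no cookie at all on the cross-site POST, which is the behaviour the thread is asking the csrf middleware's default to give without forcing the same setting onto the session cookie.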
@falsandtru you are right, I went over it too quickly and forgot about that. I will make a PR so the csrf mw will default to Strict 👍
Why not fixed? Lax can't prevent clickjacking.
Looks like the source code is fixed but the release note is wrong.
https://github.com/gofiber/fiber/releases/tag/v2.0.3
csrf middleware now sets SameSite=Lax by default #825