Filippo Valsorda :go: on Nostr: In which I survey CSRF countermeasures and existing Go libraries and propose we add ...
In which I survey CSRF countermeasures and existing Go libraries and propose we add CrossOriginForgeryHandler to net/http to solve this once and for all.
Turns out there is no need for tokens or keys in 2025! Browsers just send a This-Is-CSRF header now. (Sort of.)
https://github.com/golang/go/issues/73626
Published at 2025-05-07 16:36:56
Event JSON
{
"id": "e67c3cbce0412e7a77e33553dc160fa43df8949fd5c2a49b5c788ebddf4d916f",
"pubkey": "75c4441558d260c0ca589ce8fa89fd5052eccf0b09fca823796810a986ad1c8e",
"created_at": 1746635816,
"kind": 1,
"tags": [
[
"proxy",
"https://abyssdomain.expert/users/filippo/statuses/114467524856484763",
"activitypub"
],
[
"client",
"Mostr",
"31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
"wss://relay.mostr.pub"
]
],
"content": "In which I survey CSRF countermeasures and existing Go libraries and propose we add CrossOriginForgeryHandler to net/http to solve this once and for all.\n\nTurns out there is no need for tokens or keys in 2025! Browsers just send a This-Is-CSRF header now. (Sort of.)\n\nhttps://github.com/golang/go/issues/73626",
"sig": "bbf72fe3b2fc9aad1828db9947f50cfee73205585a9006d62b30f723b74c0f0b693f67edeb5a3e0a548a4283c03e34b320010db8b72d23ccd810cb377b35a68f"
}