The CSRF cookie is not set when opening a page through an iframe

[pr0head]

Issue Description

There is no way to change SameSite mode when setting CSRF cookies.

Checklist

• Dependencies installed
• No typos
• Searched existing issues and docs

Expected behaviour

Successfully setting CSRF cookie when opening a page through an iframe.

Actual behaviour

Cannot install CSRF via iframe. The browser reports an error:
This set-cookie didn't specify a SameSite attribute and was defaulted to SameSite=Lax and broke the same rules specified in the SameSiteLax value.

Steps to reproduce

Activate the SameSite experimental mode in Google Chrome (which will be turned on by default soon) and try to open the page through the iframe.

How to enable: https://www.chromium.org/updates/same-site/test-debug
What is a problem: https://web.dev/samesite-cookies-explained/

Working code to debug

server.Echo.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
	TokenLookup: "header:X-XSRF-TOKEN",
	CookieName:  "_csrf",
}))

Version/commit

v4.1.15

[fullfs]

Having the same problem

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[segevfiner]

I'm hitting this too, this should be reopened... It's likely it was just not even looked at and got closed by the stale bot. God I hate auto close issues and PR bots, always feels like a way to just ignore issues so they go away and should really only apply to issues/PRs where the owner of them disappeared

[ensarturko]

I have the same problem as well

[PatrLind]

Firefox now gives this warning:

Some cookies are misusing the recommended “SameSite“ attribute

Cookie “_csrf” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite