[Golang/CVE] Why Your Playwright Tests Might Fail After Updating gorilla/csrf to Fix CVE-2024-24787
After updating the github.com/gorilla/csrf package in your Go backend from v1.7.2 to v1.7.3, you might suddenly notice that your Playwright tests start failing — specifically with 403 Forbidden responses.

What Changed?

This update addresses a security vulnerability: CVE-2024-24787. It's a Golang backend issue, not related to WebSocket libraries like ws, despite what some GitHub advisory titles might misleadingly suggest.

In v1.7.3, gorilla/csrf now strictly enforces same-site origin checks using the Origin and Referer headers. If these headers are missing or don't match the expected host, CSRF validation fails, and the request is blocked with a 403. ...
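To make the behaviour above concrete, here is an added example (not gorilla/csrf's own code, and not from the article) that reimplements the same-site check in simplified form with only net/http and httptest. The middleware, the helper names and the hostnames (app.example.test, evil.example) are all constructed for this illustration; the real library's check is more complete, but the outcome it shows matches the paragraph: a POST with no Origin or Referer, or with one whose host differs from the request's Host, gets a 403, while a matching one passes through.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// sameOriginCheck is an illustrative reimplementation (not gorilla/csrf's
// code) of the check the article describes: an unsafe-method request must
// carry an Origin, or failing that a Referer, whose host matches the
// request's own Host header.
func sameOriginCheck(r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return nil // safe methods are not subject to the check
	}
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return fmt.Errorf("missing Origin and Referer headers")
	}
	// A literal "Origin: null" (opaque origin) parses with an empty host
	// and is therefore rejected as well.
	u, err := url.Parse(src)
	if err != nil || u.Host == "" {
		return fmt.Errorf("unparseable source %q", src)
	}
	if !strings.EqualFold(u.Host, r.Host) {
		return fmt.Errorf("source host %q does not match request host %q", u.Host, r.Host)
	}
	return nil
}

// sameOriginMiddleware rejects failing requests with 403 Forbidden, which is
// the status the article reports seeing in Playwright runs.
func sameOriginMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := sameOriginCheck(r); err != nil {
			http.Error(w, "Forbidden - "+err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a POST to a protected handler with the given Origin and
// Referer values (empty string means "header absent") and returns the
// resulting status code.
func statusFor(host, origin, referer string) int {
	h := sameOriginMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "http://"+host+"/api/login", nil)
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if referer != "" {
		req.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	host := "app.example.test" // constructed hostname
	fmt.Println(statusFor(host, "", ""))                                // 403: no headers at all
	fmt.Println(statusFor(host, "https://evil.example", ""))            // 403: host mismatch
	fmt.Println(statusFor(host, "https://app.example.test", ""))        // 200: Origin matches
	fmt.Println(statusFor(host, "", "https://app.example.test/page"))   // 200: Referer fallback
}
```

Running it prints 403, 403, 200, 200. The first case is the one that bites test clients: a request built without browser-style Origin/Referer headers is indistinguishable, to this check, from a cross-site request.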