invalid non `Sec-Fetch-Site: same-origin` request

[Tuinslak]

I understand there's been a recent change related to Sec-Fetch-Site: same-origin.

Since updating to the latest Go version, I am unable to create new Go links (old go links and go/ still work). It's not entirely clear what this header is meant to do, and how I can bypass this current issue.

The error in the browser is: invalid non Sec-Fetch-Site: same-origin request

I'm having this on both Firefox and Chrome on OSX. Everything is at the latest version. There's nothing useful in the Go logs via docker logs go.

[willnorris]

Could you open the Network tab in the browser developer tools to inspect the request when you create a new link? It should look something like:

In particular, I'm curious if any Sec-Fetch-* headers are being sent, and what their values are.

[willnorris]

ahh, I just saw your fediverse post too. We were trying to fix a bunch of XSRF issues by using the new-ish Sec-Fetch-Site header, but overlooked that that only works when using TLS. We're reverting that change now in #184

[willnorris]

Fixed by #184

[Tuinslak]

Perfect, works again -- thx!