Don't set a default samesite for backwards compatibility

[euank]

Also add a comment over SameSiteDefaultMode discouraging its use.

The specific issue I ran into is that the default behaviour of gorilla/csrf is to include an invalid SameSite attribute on the cookie without doing any SameSite configuration.

This broke some users of the site in question because older versions of chrome (apparently the version shipped with android 8) treats an invalid samesite attribute as grounds to drop the cookie entirely rather than just default it to lax.

This updates it to use the zero-value by default for http.SameSite rather than SameSiteDefaultMode, which has different behaviour from the zero value.

xref golang/go#36990 which, when resolved, may inform this. I do think that no matter how that issue is resolved, the better default for opts.SameSite here is 0 though.

[stale]

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.