I agree that it's still too easy to screw this up using lax SameSite cookies.
I do think that using them does provide some additional defence in depth, and specifically provides uses that CSRF tokens can't. These are listed under 'additional uses' in the post, and essentially boil down to the fact that cookies are not sent at all.
In the wild, this would help today with any timing attacks looking to expose info from whether or when a cookie is included in the request.
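To make the "cookies are not sent at all" point concrete, here is an added example (not from the post or the commenter) that models the browser's SameSite attachment decision for an explicit Lax/Strict/None attribute, using a simplistic eTLD+1 heuristic for "site" (a real browser consults the Public Suffix List) and a constructed set of cross-site requests. It shows why Lax still lets a cross-site top-level GET carry the cookie, while Strict sends nothing, so a server handling a Strict-cookie request cannot leak whether the user is logged in:

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Approximate the 'site' (registrable domain) of a URL.
    Assumption: last two labels form the eTLD+1; real browsers use the PSL."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Request:
    url: str                       # target of the request
    initiator: Optional[str]       # page that triggered it; None = typed by the user
    method: str = "GET"
    top_level_navigation: bool = False  # True for link clicks / form submits that change the tab


def cookie_attached(same_site: str, req: Request) -> bool:
    """Return True if a cookie with the given SameSite value would be sent on req."""
    attr = same_site.lower()
    # Same-site requests (or user-initiated ones) always carry the cookie.
    if req.initiator is None or site_of(req.initiator) == site_of(req.url):
        return True
    if attr == "none":      # explicitly opted in to cross-site use (must also be Secure)
        return True
    if attr == "strict":    # never sent cross-site, not even on top-level navigation
        return False
    if attr == "lax":       # only safe-method top-level navigations are allowed through
        return req.top_level_navigation and req.method.upper() in ("GET", "HEAD")
    raise ValueError(f"unknown SameSite value: {same_site}")


def cross_site_leak_surface(same_site: str, requests) -> list:
    """Constructed check: which cross-site requests would reach the server authenticated,
    i.e. where a timing/side-channel could still learn something about the session."""
    return [r.url for r in requests if cookie_attached(same_site, r)]


# Constructed sample: an attacker page at evil.example triggers requests at bank.example.
SAMPLE = [
    Request("https://bank.example/api/balance", "https://evil.example/", "GET"),          # fetch/img
    Request("https://bank.example/transfer", "https://evil.example/", "POST"),            # hidden form
    Request("https://bank.example/delete?id=1", "https://evil.example/", "GET", True),    # link click
    Request("https://app.bank.example/home", "https://bank.example/", "GET"),             # same site
]
```

With `SameSite=Lax` the top-level GET link still arrives with the cookie, which is exactly the "state-changing GET" footgun; with `Strict` only the same-site request does.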