We removed advertising cookies, here's what happened

[jefftk]

If you authenticate users only via Same-Site=Strict cookies you're protected against CSRF in modern browsers: a cross-site request won't have the auth cookie.