That said, would love to hear some ideas.
Instead of "I don't really see the problem with X" I think you really meant "I think on the whole the benefits of X outweigh its downsides". Neither the article nor the OP has suggested getting rid of cookies. They're merely trying to broach the subject of re-examining the HTTP state mechanism to see if there are better ways to solve the problem.
To suggest that something is sub-optimal is not to necessarily suggest that its net effect is negative.
Besides, some people have the illusion that changing the cookies will give them privacy. Well, there are many other ways of following them around although a little less accurate.
Lots of things in the world have similar tradeoffs. To use a silly example, "Leave your front door unlocked" makes it easy for anyone to come in, but also makes it easy for crooks to come in, so a common solution is to lock it and give certain folks the key.
Cookies came about as a way for a web service to retain state across sessions, and then that concept got applied to lots and lots and lots of things, some good, some bad. Perhaps there are two things here we should have: "originHostState" and "GenericUserState". We could then see how many people allowed the latter type of cookie to be set.
Some research browser architectures like Atlantis (http://research.microsoft.com/pubs/154698/Atlantis-SOSP.pdf) go the opposite extreme, where cookies are never sent unless their domain matches the initiating origin. In the case of Atlantis, the reason they have to go this route is somewhat messy: their microkernel architecture exposes a network interface to webpages, and the network interface has no way to differentiate between a request initiated by XHR or by an img/script/etc., so the network interface cannot send cookies with any cross-origin requests, or else it risks exposing private data via XHR.
I wonder if it would be useful to see something more flexible than the current standard, sameDomain, or disallowing all cross-origin cookies. When you set a cookie, maybe it would be nice to be able to specify which origins are authorized to send requests with that cookie.
Perhaps a more illustrative example is that this will deny Twitter, FB, Google and other embeddable widget factories any tracking and analytics information that leaks with every request for TweetThis, LikeThat and WhatNot buttons, fonts and scripts. There is absolutely no reason for them to be seeing this information.
Are there such protections in other browsers such as Firefox or IE? Were there proposals for Chromium that got shut down?
The basic idea is that any requests that do not originate from the domain will not send the cookies, preventing CSRF, clickjacking and the advanced CSRF discussed here yesterday (from stackoverflow: http://stackoverflow.com/q/2669690/3287)
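As an added illustration of the two ideas raised in this thread (the "cross-origin requests carry no cookies" default, as in the Atlantis design and the CSRF point just above, and the earlier proposal of a per-cookie list of origins authorized to send requests with it), here is a small model of such a cookie jar. This is editorial example code, not part of any post above and not the behaviour of any real browser; `CookieJar`, `setCookie`, `cookiesFor`, and the hostnames in the scenario are all constructed for the example.

```javascript
// Added example, not from the thread: a toy cookie jar that models
// (a) the default rule "cross-origin requests carry no cookies" and
// (b) a per-cookie list of initiating origins allowed to carry it.
// CookieJar, setCookie, cookiesFor and the hostnames are constructed
// for this illustration; no real browser exposes this API.

class CookieJar {
  constructor() {
    this.cookies = []; // { name, value, origin, allowedOrigins: Set }
  }

  // Normalise a URL to its origin (scheme + host + port).
  static originOf(url) {
    return new URL(url).origin;
  }

  // Store a cookie for the origin that set it. `allowedOrigins` lists the
  // initiating origins that may carry it cross-origin; empty means none.
  setCookie(setterUrl, name, value, allowedOrigins = []) {
    this.cookies.push({
      name,
      value,
      origin: CookieJar.originOf(setterUrl),
      allowedOrigins: new Set(allowedOrigins),
    });
  }

  // Cookies that accompany a request to `targetUrl` initiated by a document
  // at `initiatorUrl`. Same-origin requests get the target's cookies; a
  // cross-origin request gets one only if its initiator was authorized.
  cookiesFor(targetUrl, initiatorUrl) {
    const target = CookieJar.originOf(targetUrl);
    const initiator = CookieJar.originOf(initiatorUrl);
    return this.cookies
      .filter((c) => c.origin === target)
      .filter((c) => initiator === target || c.allowedOrigins.has(initiator))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Constructed scenario: a bank session cookie with no cross-origin
// authorization, and a widget cookie that only blog.example may carry.
function buildDemoJar() {
  const jar = new CookieJar();
  jar.setCookie("https://bank.example/login", "session", "abc123");
  jar.setCookie("https://widget.example/init", "widget_pref", "dark", [
    "https://blog.example",
  ]);
  return jar;
}

// Four requests: two legitimate, one forged cross-site request (CSRF), and
// one third-party embed that was never authorized. Returns the cookies each
// request would carry under this policy.
function runDemo() {
  const jar = buildDemoJar();
  return {
    // same-origin form post from the bank's own page: session cookie sent
    bankSameOrigin: jar.cookiesFor(
      "https://bank.example/transfer",
      "https://bank.example/account"
    ),
    // a form on an unrelated site posting to the bank: nothing sent, so the
    // forged request arrives unauthenticated and the server can reject it
    bankCrossSite: jar.cookiesFor(
      "https://bank.example/transfer",
      "https://other.example/page"
    ),
    // embedded button on a blog the widget explicitly authorized
    widgetFromBlog: jar.cookiesFor(
      "https://widget.example/button",
      "https://blog.example/post/1"
    ),
    // the same button embedded on an unlisted site: no cookie, so the widget
    // host learns nothing about who loaded it
    widgetFromNews: jar.cookiesFor(
      "https://widget.example/button",
      "https://news.example/story"
    ),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The policy decision lives entirely in `cookiesFor`, which is the point: the jar needs to know the initiating origin of every request, which is exactly the information the Atlantis network interface (per the comment above) did not have, and why that design had to fall back to withholding cookies from all cross-origin requests.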