Thoughts on SameSite cookie and CSRF

During a security assessment I noticed that Firefox automatically set the SameSite value of a session cookie to Lax. According to the Mozilla specs, this is the case for ‘modern browsers’.

The SameSite attribute set to Lax seems to protect against CSRF (every cross-origin request that’s doesn’t use GET). Obviously, outdated browser would still be vulnerable.

Would you still bother developers with implementing CSRF protection, if session cookies are protected by default in modern browsers? It depends on your security/business philosophy, and the type of application, whether it’s worth the effort. I’m interested in your opinion on the matter. Obviously, in the best case one would implement classic CSRF protection everywhere, but it keeps getting harder to sell the implementation efforts as a business case to development teams.

Go to Source
Author: Beurtschipper