At Nimbusec we use the cookie attribute SameSite=Strict to prevent CSRF attacks.
While CSRF tokens work perfectly well at preventing CSRF attacks, implementing them is not pleasant work and is error-prone: a developer only has to forget the token on one new form to leave that form vulnerable.
With SameSite=Strict on the session cookie, the developer no longer has to think about CSRF when adding a new form: a supporting browser simply does not attach the cookie to any request that originates from another site, so an attacker's page cannot make an authenticated request. The CSRF protection just works. Note that "site" means the registrable domain, so a request from a sibling subdomain of the same site still carries the cookie; the attribute defends against cross-site, not cross-origin, requests.
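As an added example (not Nimbusec's code), here is a small JavaScript model of the rule a supporting browser applies when deciding whether to attach a cookie, together with a helper that builds the Set-Cookie header and one that reads the attribute back out of it. The host names and request scenarios are constructed for the demo, and "site" is approximated as the last two host labels rather than via the Public Suffix List.

```javascript
// Added example, not Nimbusec's code: a minimal model of the browser-side
// SameSite rule plus a Set-Cookie builder, showing which cross-site requests
// still carry a cookie under Strict, Lax and None.
// Assumption: "site" is approximated as the last two host labels; a real
// browser uses the Public Suffix List (so e.g. co.uk is handled differently).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Registrable-domain approximation (see assumption above).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// req: { initiatorHost, targetHost, method, topLevelNavigation }
// initiatorHost is the page that caused the request (the attacker's page in
// a CSRF scenario); topLevelNavigation is true for links and form posts that
// change the address bar, false for fetch()/XHR/<img>/<iframe> loads.
function isSameSiteRequest(req) {
  return siteOf(req.initiatorHost) === siteOf(req.targetHost);
}

// Is a cookie with this SameSite value attached to the request?
// Strict never crosses a site boundary; Lax crosses it only for a top-level
// navigation with a safe method; None always (and then requires Secure).
function cookieSent(sameSite, req) {
  if (isSameSiteRequest(req)) return true;
  switch (String(sameSite).toLowerCase()) {
    case "strict":
      return false;
    case "lax":
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    case "none":
      return true;
    default:
      throw new Error("unknown SameSite value: " + sameSite);
  }
}

// Build the Set-Cookie header value. Secure and HttpOnly default to on,
// because a session cookie should carry them regardless of SameSite.
function buildSetCookie(name, value, opts = {}) {
  const { path = "/", secure = true, httpOnly = true, sameSite = "Strict" } = opts;
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Read the SameSite value back out of a Set-Cookie header, e.g. to assert in
// an integration test that the real application emits it. null if absent.
function sameSiteOf(setCookieHeader) {
  const m = /;\s*SameSite=([A-Za-z]+)/i.exec(setCookieHeader);
  return m ? m[1] : null;
}

// Constructed scenarios; the host names are placeholders for the demo.
const scenarios = {
  // Classic CSRF: attacker page auto-submits a hidden <form method="POST">.
  csrfPost: { initiatorHost: "evil.example.org", targetHost: "app.example.com",
              method: "POST", topLevelNavigation: true },
  // Attacker page fires a background fetch() at the target.
  csrfFetch: { initiatorHost: "evil.example.org", targetHost: "app.example.com",
               method: "POST", topLevelNavigation: false },
  // User clicks an ordinary link to the app from another site or a mail.
  externalLink: { initiatorHost: "mail.example.org", targetHost: "app.example.com",
                  method: "GET", topLevelNavigation: true },
  // Another subdomain of the same site posts to the app.
  siblingSubdomain: { initiatorHost: "blog.example.com", targetHost: "app.example.com",
                      method: "POST", topLevelNavigation: true },
};

// Evaluate every scenario under each SameSite value.
function demo() {
  const out = {};
  for (const [name, req] of Object.entries(scenarios)) {
    out[name] = {
      strict: cookieSent("Strict", req),
      lax: cookieSent("Lax", req),
      none: cookieSent("None", req),
    };
  }
  return out;
}
```

Running demo() makes the two properties worth remembering visible: under Strict the auto-submitted cross-site form and the background fetch() both go out without the cookie, but so does an ordinary link from another site, so the user lands on the app logged out; and a sibling subdomain is same-site, so the attribute gives no protection against a compromised subdomain.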
In our opinion, CSRF is not a problem that every individual website owner should have to fix. It should be fixed in the browser, because the whole web is affected by it.
Disadvantages of CSRF tokens (from a developer's point of view):
* need extra code to implement.
* if a library is used, that library must be kept updated and maintained.
* must be added to every form; if they are added to only four of five forms, the fifth form is vulnerable.
* add more boilerplate to the code.
* frustrate the developer.
Disadvantages of SameSite=Strict (from a customer's point of view):
* is not supported in Internet Explorer 😵 https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Browser_compatibility. A browser that does not know the attribute ignores it and sends the cookie on cross-site requests as before, so those users are not protected unless a fallback such as a token or an Origin/Referer check is kept in place.
* a user who follows a link to the site from somewhere else (another site, an e-mail) arrives without the cookie and appears logged out, because under Strict even a top-level navigation from another site counts as cross-site.