Conversation

With Same-Site cookies defaulting to lax is CSRF dead? Discuss.

@buherator Never heard of it. Is it Kerberos? An MSFT thing?

@freddy You typically see this when IIS handles NTLM/Kerberos auth. Authentication is transparently handled on the (Windows) client, so even if the session cookie is not sent with the original request (e.g. due to SameSite), the request gets reauthenticated and (in most cases) the requested action will be performed on the server side.

@freddy Note that this is typical of intranets, where the risk of CSRF is negligible IMO

@freddy Usually I would say yes.
Rarely do we see it being explicitly disabled, although they shouldn't have, and it's old-school broken.
Btw, it feels like a JWT via the Authorization header is also a big CSRF killer, but not as big as SameSite.
There are also genius setups at certain companies, but CSRF is often just part of the problem... e.g. imagine setting a cookie on the top-level (parent) domain but also giving every laptop a TLD name... now if that cookie is an SSO cookie🤦‍♂️🤦‍♂️

@acut3hack What do you mean by grace period? Lax-allowing-unsafe? https://www.ietf.org/archive/id/draft-ietf-httpbis-rfc6265bis-10.html#lax-allowing-unsafe

That would mean it's fixed by cookies set to "lax" explicitly rather than implicitly.

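Added example, not part of the thread and not browser code: a small model of the SameSite decision a browser makes per draft-ietf-httpbis-rfc6265bis, covering the Lax default and the "Lax-allowing-unsafe" grace period the last two posts are discussing. The `Cookie`/`Request` structures and timestamps are constructed here, and the 2-minute window is an assumption (the value Chrome chose for default-Lax cookies).

```python
# Added example (not from the thread): model of the browser-side SameSite
# decision in draft-ietf-httpbis-rfc6265bis. Assumption: the
# "Lax-allowing-unsafe" grace window is 2 minutes (Chrome's value).
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
LAX_ALLOWING_UNSAFE_SECONDS = 120  # assumption: 2-minute window


class SameSite(Enum):
    NONE = "None"
    LAX = "Lax"
    STRICT = "Strict"


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[SameSite]  # None means the attribute was not set
    secure: bool
    created_at: float  # seconds since epoch (constructed values below)


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiator site differs from target site
    top_level_navigation: bool  # navigates the top frame (not fetch/iframe/img)
    now: float


def cookie_attached(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser following rfc6265bis attaches `cookie` to `req`."""
    if not req.cross_site:
        return True  # SameSite never restricts same-site requests
    mode = cookie.same_site
    if mode is SameSite.STRICT:
        return False
    if mode is SameSite.NONE:
        return cookie.secure  # SameSite=None is only honoured with Secure
    # Lax, explicit or defaulted: top-level navigations with safe methods only...
    if req.top_level_navigation and req.method.upper() in SAFE_METHODS:
        return True
    if mode is SameSite.LAX:
        return False  # explicit Lax gets no grace period
    # ...except that a defaulted cookie is "Lax-allowing-unsafe" while young:
    # a top-level cross-site form POST still carries it for a short window.
    age = req.now - cookie.created_at
    return req.top_level_navigation and 0 <= age <= LAX_ALLOWING_UNSAFE_SECONDS


def csrf_post_carries_session(cookie: Cookie, now: float) -> bool:
    """Would a cross-site, top-level form POST reach the server with the cookie?"""
    return cookie_attached(cookie, Request("POST", True, True, now))


def demo() -> dict:
    t0 = 1_700_000_000.0  # constructed timestamp
    fresh_default = Cookie("session", None, True, created_at=t0)
    explicit_lax = Cookie("session", SameSite.LAX, True, created_at=t0)
    return {
        "default, 30s old": csrf_post_carries_session(fresh_default, t0 + 30),
        "default, 10min old": csrf_post_carries_session(fresh_default, t0 + 600),
        "explicit Lax, 30s old": csrf_post_carries_session(explicit_lax, t0 + 30),
    }


if __name__ == "__main__":
    for label, sent in demo().items():
        print(f"{label:>22}: cookie sent on cross-site POST = {sent}")
```

The model shows why relying on the implicit default differs from writing `SameSite=Lax` yourself: a freshly set default cookie is attached to a cross-site top-level POST for the grace window, an explicit Lax cookie never is. It also shows the limit of SameSite as a CSRF defence: it only governs cookies, so a deployment where IIS reauthenticates the request from the client's Windows credentials is outside this decision entirely, which is why a server-side CSRF token check is still the thing to keep.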