
I do not see Same-Site Cookies as a great solution. If you use a framework like Laravel, CSRF tokens are set up out of the box. I cannot imagine it being any simpler.

The two-cookie solution needed to fix problems with `SameSite=Strict` is more complicated than just using CSRF tokens.

And the `SameSite=Lax` solution creates a new way for developers to screw up. The lax setting gives you no CSRF protection on GET requests. It is too easy to accidentally accept GET requests on a critical form that should be POST only.
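Worked example, added here and not from either commenter or from any framework: a small model of the browser's `SameSite` rule next to a critical handler, showing that a `Lax` cookie is still attached to a cross-site top-level GET, so a handler that accepts GET is exposed, while a POST-only handler with a per-session CSRF token is not. The `App` class, session store and handler names are constructed for the illustration.

```python
import hmac
import secrets


def browser_sends_cookie(samesite, cross_site, method, top_level_navigation):
    """Model of the SameSite check a browser applies before attaching a cookie.
    Strict: never on cross-site requests. Lax: cross-site only for safe-method
    top-level navigations (link click, GET form). None: always (needs Secure)."""
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return method in ("GET", "HEAD") and top_level_navigation
    return True


class App:
    """Constructed stand-in for a web app: session id -> per-session CSRF token."""

    def __init__(self):
        self.sessions = {}

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)  # token bound to the session
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]

    def delete_account(self, method, cookie_sid, csrf_token=None, get_allowed=False):
        """Critical handler; returns 'deleted' or the reason the request was rejected."""
        if cookie_sid not in self.sessions:
            return "unauthenticated"  # no session cookie arrived with the request
        if method == "GET" and not get_allowed:
            return "method not allowed"  # the fix the comment asks for: POST only
        if method == "POST":
            expected = self.sessions[cookie_sid]
            if not (csrf_token and hmac.compare_digest(csrf_token, expected)):
                return "bad csrf token"
        return "deleted"


def cross_site_attempt(app, sid, samesite, method, handler_accepts_get):
    """Request triggered from another site: it can cause a top-level GET navigation
    or an auto-submitted POST, but it cannot read the victim's CSRF token."""
    top_level = method == "GET"
    sent = browser_sends_cookie(samesite, True, method, top_level)
    return app.delete_account(method, sid if sent else None, None, handler_accepts_get)
```

With `Lax` and a handler that accepts GET, `cross_site_attempt` returns `"deleted"`; making the handler POST-only or using `Strict` turns that into a rejection, and a same-site POST still needs the token.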




I agree that it's still too easy to screw this up using lax same site cookies.

I do think that using them does provide some additional defence in depth, and specifically provides uses that CSRF tokens can't. These are listed under 'additional uses' in the post, and essentially boil down to the fact that cookies are not sent at all.

In the wild, this would help today with any timing attacks looking to expose info from if/when a cookie is included in the request.

