Probably for the seventh time I panicked and relearned that the SameSite cookie flag is really Same*Site* and not Same*Domain*, i.e. foo.example.org and bar.example.org are the same *Site*.
#web #cookies #csrf
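
The site-versus-origin distinction above, as an added example that is not part of the original post. `SUFFIXES` is a small constructed stand-in for the Public Suffix List, and `registrableDomain` and `compare` are hypothetical helper names. The scheme check follows the "schemeful same-site" definition.

```javascript
// Constructed stand-in for the Public Suffix List (assumption); browsers
// consult the full list to decide where a "site" begins.
const SUFFIXES = new Set(["org", "com", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // i = 0 tests the whole host, so the first hit is the longest suffix.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // A host that is itself a public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in this toy list
}

// Compare two URLs the way SameSite does (site) and the way the
// same-origin policy does (scheme + host + port).
function compare(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  const ra = registrableDomain(ua.hostname);
  const rb = registrableDomain(ub.hostname);
  // Without a registrable domain, fall back to an exact host match.
  const sameHostSite =
    ra !== null && rb !== null ? ra === rb : ua.hostname === ub.hostname;
  return {
    sameOrigin: ua.origin === ub.origin,
    // Schemeful same-site: scheme must match, port is ignored.
    sameSite: sameHostSite && ua.protocol === ub.protocol,
  };
}

// Constructed sample pairs.
const pairs = [
  ["https://foo.example.org/", "https://bar.example.org/"],    // sibling subdomains
  ["https://foo.example.org/", "https://foo.example.org:8443/"], // port differs
  ["http://foo.example.org/", "https://foo.example.org/"],     // scheme differs
  ["https://alice.github.io/", "https://bob.github.io/"],      // public-suffix tenants
];
for (const [a, b] of pairs) {
  console.log(a, b, compare(a, b));
}
```

Because sibling subdomains count as same-site, a SameSite cookie is still sent on requests that one subdomain triggers against another, so CSRF tokens remain necessary wherever subdomains are not equally trusted.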