CSRF is increasingly being handled on the browser side, starting with Chrome's SameSite cookie attribute

The cookie must have the Secure flag set! You can track the Chrome Platform Status entry "Reject insecure SameSite=None cookies"; it's available behind a flag in Chrome 76 (now) and looks set to land in Chrome 80 later this year. The logic makes sense: the idea is to protect cookies sent in cross-site requests, which can be tracked and viewed on the network, from being sent over an insecure channel like HTTP. Again, site operators can test if there will be any impact using the flag: chrome://flags/#cookies-without-same-site-must-be-secure
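
To find affected cookies before enabling the flag, a site operator can audit the Set-Cookie headers their responses emit. The following is an added example, not code from the original page or from Chrome; the function names and the sample headers are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into its cookie name and a map of
// attributes keyed by lower-cased attribute name.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attributes = new Map();
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key) attributes.set(key, value); // a later duplicate overrides an earlier one
  }
  return { name, attributes };
}

// Return the names of cookies that declare SameSite=None without Secure,
// i.e. the ones the "Reject insecure SameSite=None cookies" behaviour drops.
function findInsecureSameSiteNone(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(({ attributes }) =>
      (attributes.get("samesite") || "").toLowerCase() === "none" &&
      !attributes.has("secure"))
    .map(({ name }) => name);
}

// Constructed sample response headers (not taken from any real site).
const sampleHeaders = [
  "widget_session=abc123; Path=/; SameSite=None",              // flagged
  "sso_token=def456; Path=/; Secure; HttpOnly; SameSite=None", // compliant
  "prefs=dark; Path=/; SameSite=Lax",                          // rule does not apply
  "tracker=xyz; samesite=NONE; secure",                        // compliant, mixed case
  "legacy=1; Path=/",                                          // no SameSite attribute
];

console.log(findInsecureSameSiteNone(sampleHeaders));
```

The fix for any cookie this reports is to add the Secure attribute and serve the cookie only over HTTPS.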