After reading (and implementing) "Protecting against CSRF in 2025" (see link below), I'm wondering now whether cookies should still have any SameSite attribute at all, or whether it would be better to completely drop it and keep whatever is the browser's default for (session) cookies handling?