by throwawayReply 3004 days ago
There's a "Same-Site" cookie flag that helps prevent CSRF by preventing cookies from being sent in that scenario. Can the browser be made to treat all cookies as "same-site" for a quick 'fix' to this issue?

Obviously this would need a whitelist (and a pair<from,to> whitelist, not just a "this domain is OK" list) to allow SSO scenarios.
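The decision the post is asking the browser to change, as an added example (this is not code from the thread or from any browser): a model of the check that decides whether a cookie rides along with a request under the SameSite rules, with a `defaultSameSite` policy standing in for "treat all cookies as same-site" and a hypothetical `allowList` of `[from, to]` site pairs standing in for the poster's SSO whitelist. The "site" of a host is approximated as its last two DNS labels; real browsers use the Public Suffix List, so that assumption is wrong for hosts like `example.co.uk`. The request scenarios are constructed, not captured traffic.

```javascript
// Added example, not from the HN thread or any browser's source.
// Models whether a cookie is attached to a request under SameSite semantics.
// ASSUMPTION: "site" = last two DNS labels (eTLD+1); browsers use the Public
// Suffix List instead, so multi-label suffixes (co.uk) are mishandled here.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function isSameSite(hostA, hostB) {
  return siteOf(hostA) === siteOf(hostB);
}

/**
 * shouldSendCookie(cookie, request, policy)
 *  cookie:  { name, sameSite?: 'Strict' | 'Lax' | 'None' }
 *  request: { initiatorHost, targetHost, method, topLevelNavigation }
 *  policy:  { defaultSameSite, allowList }
 *    defaultSameSite - applied when the server set no SameSite attribute
 *    allowList       - hypothetical [[fromSite, toSite], ...] pairs (the post's
 *                      SSO whitelist); not a real browser feature
 */
function shouldSendCookie(cookie, request, policy = {}) {
  const { defaultSameSite = 'None', allowList = [] } = policy;

  // Same-site requests always carry the cookie.
  if (isSameSite(request.initiatorHost, request.targetHost)) return true;

  // Cross-site from here. An explicit (from, to) pair may opt a flow back in,
  // e.g. identity provider -> service provider.
  const from = siteOf(request.initiatorHost);
  const to = siteOf(request.targetHost);
  if (allowList.some(([f, t]) => f === from && t === to)) return true;

  const mode = cookie.sameSite || defaultSameSite;
  switch (mode) {
    case 'None':
      return true;
    case 'Lax':
      // Lax: sent only on a top-level navigation with a safe method (a link
      // click), never on a cross-site form POST or a fetch() from another page.
      return Boolean(request.topLevelNavigation) &&
        SAFE_METHODS.has(request.method.toUpperCase());
    case 'Strict':
    default:
      return false;
  }
}

// Constructed scenarios (not real traffic).
const sessionCookie = { name: 'session' }; // server set no SameSite attribute
const csrfPost  = { initiatorHost: 'evil.example', targetHost: 'bank.example', method: 'POST', topLevelNavigation: true };
const linkClick = { initiatorHost: 'evil.example', targetHost: 'bank.example', method: 'GET',  topLevelNavigation: true };
const xhrGet    = { initiatorHost: 'evil.example', targetHost: 'bank.example', method: 'GET',  topLevelNavigation: false };
const ssoReturn = { initiatorHost: 'idp.example',  targetHost: 'app.example',  method: 'POST', topLevelNavigation: true };

function runScenarios() {
  const legacy = { defaultSameSite: 'None' };   // attach cookies on every request
  const quickFix = {                            // the post's proposal: Strict by default + pair whitelist
    defaultSameSite: 'Strict',
    allowList: [['idp.example', 'app.example']],
  };
  const laxDefault = { defaultSameSite: 'Lax' };
  return {
    legacyCsrf: shouldSendCookie(sessionCookie, csrfPost,  legacy),     // true: the CSRF POST is authenticated
    fixedCsrf:  shouldSendCookie(sessionCookie, csrfPost,  quickFix),   // false: blocked
    fixedLink:  shouldSendCookie(sessionCookie, linkClick, quickFix),   // false: Strict also drops plain links
    laxLink:    shouldSendCookie(sessionCookie, linkClick, laxDefault), // true: links still work under Lax
    laxXhr:     shouldSendCookie(sessionCookie, xhrGet,    laxDefault), // false: subresource/XHR GET is dropped
    ssoAllowed: shouldSendCookie(sessionCookie, ssoReturn, quickFix),   // true: the pair whitelist keeps SSO working
    ssoBlocked: shouldSendCookie(sessionCookie, ssoReturn, { defaultSameSite: 'Strict' }), // false without the pair
  };
}

console.log(runScenarios());
```

The `fixedLink` case is why a blanket Strict default is a hard sell: any cross-site link into an authenticated app (a deep link from e-mail, a search result) would land the user logged out. Chrome later shipped a default of Lax rather than Strict for cookies that carry no SameSite attribute, which blocks the cross-site POST above while leaving link clicks alone; sites that genuinely need cross-site cookies have to say so explicitly with `SameSite=None; Secure`.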

2 comments

Simply set the configuration value privacy.firstparty.isolate in your about:config.

This will treat every first party domain as its own container for cookies and other stuff.

Yes, but as you say this breaks a large number of applications. The web browsers aren't super likely to break existing behavior since people simply blame the browser that whatever thing doesn't work.