Would setting SameSite cookie values have mitigated Bluehost's problems 1 and 2 in part? Or do CORS requests include cookies for compatibility purposes?
SameSite cookies are never sent on CORS requests (not even when the server explicitly allows CORS requests with credentials [1]).
In other words: yes, it would have mitigated Bluehost's problems. It would also have broken their sites (or otherwise they would not be needing to use CORS requests at all).
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Ac...
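Added example, not part of either comment above: a simplified JavaScript model of how a browser decides whether to attach a cookie to a script-initiated `fetch()`, covering the credentialed cross-site case this exchange is about. The host names are constructed, and the two-label "site" calculation is an assumption standing in for the Public Suffix List lookup real browsers perform.

```javascript
// Added example: simplified model of a browser's choice to attach a cookie
// to a script-initiated fetch(). All host names are constructed.

// Assumption: a "site" is scheme + last two host labels. Real browsers use
// the Public Suffix List to find the registrable domain.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// cookie: { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// credentials: the fetch() credentials mode ("omit", "same-origin", "include")
function sentOnFetch(cookie, pageUrl, requestUrl, credentials) {
  const target = new URL(requestUrl);
  const sameOrigin = new URL(pageUrl).origin === target.origin;
  if (credentials === "omit") return false;
  // Cross-origin requests carry cookies only in "include" mode.
  if (!sameOrigin && credentials !== "include") return false;
  // Secure cookies are only sent over https.
  if (cookie.secure && target.protocol !== "https:") return false;
  // Same-site requests are unaffected by the SameSite attribute.
  if (siteOf(pageUrl) === siteOf(requestUrl)) return true;
  // Cross-site fetch is not a top-level navigation, so Strict and Lax are
  // both withheld; None is sent only when the cookie is also Secure.
  return cookie.sameSite === "None" && cookie.secure;
}

const API = "https://my.hosting.example/api/account";
const OTHER_SITE = "https://third-party.example/page";
const SAME_SITE = "https://www.hosting.example/panel";

// One row per SameSite value: is the cookie attached to a credentialed
// fetch() from another site, and from a sibling origin on the same site?
function decisionTable() {
  const rows = [];
  for (const sameSite of ["Strict", "Lax", "None"]) {
    const cookie = { sameSite, secure: true };
    rows.push({
      sameSite,
      crossSite: sentOnFetch(cookie, OTHER_SITE, API, "include"),
      sameSiteCrossOrigin: sentOnFetch(cookie, SAME_SITE, API, "include"),
    });
  }
  return rows;
}

console.table(decisionTable());
```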