by jub0bs 1960 days ago
I hoped the TL;DR item entitled "SameSite paints a target on your subdomains' back" would be enough to compel readers to get through the whole post... But I understand your criticism; the post is quite long...

By the way, one of the takeaways in the post is that even SameSite=Strict is powerless against (cross-origin) same-site attacks. I would certainly recommend using Strict wherever possible and practical, but Strict shouldn't be misconstrued as a drop-in replacement for anti-CSRF tokens.

1 comments
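To make the "same-site but cross-origin" point concrete, here is a small added model (not code from the post or the thread) of the browser's SameSite decision beside a server that does and does not check a synchronizer token. The registrable-domain logic is a deliberate simplification (last two labels, no Public Suffix List), and app.example.com, blog.example.com and attacker.example.net are constructed names.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

TARGET = "https://app.example.com"   # constructed: the origin that sets the session cookie

def site_of(origin: str) -> str:
    """Registrable domain of an origin (assumption: last two labels, no PSL lookup)."""
    host = urlsplit(origin).hostname or ""
    return ".".join(host.split(".")[-2:])

def cookie_sent(samesite: str, initiator_origin: str, target_origin: str) -> bool:
    """Browser rule for a non-navigational request (fetch, XHR, scripted form POST):
    Strict and Lax compare *sites*, not origins, so a sibling subdomain gets the cookie."""
    if samesite == "None":
        return True
    return site_of(initiator_origin) == site_of(target_origin)

@dataclass
class Request:
    cookies: dict
    form: dict

SESSIONS: dict = {}   # session id -> per-session synchronizer (anti-CSRF) token

def login() -> tuple:
    sid, token = secrets.token_hex(8), secrets.token_hex(16)
    SESSIONS[sid] = token
    return sid, token

def handle_transfer(req: Request, require_token: bool = True) -> int:
    """Server: 401 without a valid session cookie, 403 on a missing/wrong token, else 200."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401
    if require_token and not secrets.compare_digest(req.form.get("csrf", ""), SESSIONS[sid]):
        return 403
    return 200

def simulate(initiator_origin: str, samesite: str, send_token: bool, require_token: bool = True) -> int:
    """Log in at TARGET, then issue a state-changing request initiated from initiator_origin."""
    sid, token = login()
    cookies = {"session": sid} if cookie_sent(samesite, initiator_origin, TARGET) else {}
    form = {"csrf": token} if send_token else {}
    return handle_transfer(Request(cookies, form), require_token)

if __name__ == "__main__":
    print(simulate("https://app.example.com", "Strict", True))              # 200: legitimate request
    print(simulate("https://attacker.example.net", "Strict", False, False))  # 401: cross-site, cookie withheld
    print(simulate("https://blog.example.com", "Strict", False, False))      # 200: sibling subdomain, Strict alone fails
    print(simulate("https://blog.example.com", "Strict", False))             # 403: the token check catches it
```

The third call is the case the post warns about: the cookie is attached because the initiator is same-site, and only the token check (fourth call) turns that into a rejection.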

That's still not how I use tl;dr, because it's a teaser, not a summary. I would say "Don't use SameSite=Strict to replace anti-CSRF tokens if you have subdomains". That tells you "Here's what you're going to believe by the end of this article", and then you can decide whether you already know that or care to know.