by danlugo92 1894 days ago
Isn't it easy to just block all `application/x-www-form-urlencoded` requests?

Most sites won’t want to do this, because HTML forms are useful! Also, that’s just one example; there are plenty of exemptions to the same-origin policy: https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...

In practice, for now you either use anti-forgery tokens, you don’t put your auth tokens in cookies, or you use strict SameSite auth cookies AND block all traffic from browsers that don’t support them (mostly legacy browsers).
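An added example, not part of this thread, showing the first and third of those options with only Python's standard library: an anti-forgery token bound to the session with an HMAC and checked on every state-changing request, plus the Set-Cookie line for a SameSite=Strict auth cookie. The secret key, the cookie name and the form field name are placeholder assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Placeholder: load a long random value from server configuration instead.
SECRET_KEY = b"replace-with-a-long-random-server-secret"


def issue_csrf_token(session_id: str) -> str:
    """Anti-forgery token = random nonce + HMAC(secret, session:nonce).

    A cross-site page can make the browser send the victim's cookies, but it
    cannot read this token out of the victim's page, so it cannot supply it.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def allow_request(method: str, form: dict, session_id: str) -> bool:
    """Gate state-changing requests on the token, regardless of Content-Type.

    Rejecting application/x-www-form-urlencoded alone would break ordinary
    HTML forms and still leave other cross-origin request shapes open; the
    token check covers all of them with one rule.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token needed
    return verify_csrf_token(session_id, form.get("csrf_token"))  # assumed field name


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the auth cookie with SameSite=Strict.

    Browsers that do not understand SameSite ignore the attribute, which is
    why the reply pairs this with refusing traffic from such browsers.
    """
    return f"Set-Cookie: session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"
```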