[brokegrammer]

>Have we finally reached the point where CSRF attacks can be prevented without relying on a token-based check (like double-submit cookies)?

Rails uses a token-based check, and this article demonstrates token-less approach.

Rails didn't solve CSRF btw, the technique was invented long before Rails came to life.

[nchmy]

Yes, I assumed this is what they were ignorantly pointing towards.

Indeed, Csrf tokens are an ancient concept. WordPress, for example, introduced nonces a couple years before rails. Though, it does appear that rails might have been thr first to introduce csrf protection in a seemingly automated way.

[brokegrammer]

True, it does seem like Rails introduced configuration-free token based CSRF protection, which "solved" CSRF for traditional server rendered apps.

I believe the new technique is easier to use for SPA architectures because you no longer need to extract the token from a cookie before adding it to request headers.