Re: Adding Origin header checking to CSRF middleware (#16010)

2021-01-12 Thread Adam Johnson
Hi Tim, Thanks for working on this. I've put together some replies to your points here. On #1 - I think it's legitimate to have `CSRF_TRUSTED_ORIGINS` require the schemes. I think the setting should have included them all along, since a scheme is part of the definition of an origin. It's backward
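The point above, that an origin is scheme plus host (plus port) and so a trusted-origins entry without a scheme is ambiguous, shown as a small Python model. This is an added example, not Django's CSRF middleware and not code posted in this thread; the names parse_trusted_origins and check_origin are this example's own. Beyond what the message says, it assumes two things: a leading "*." wildcard on the host of a trusted entry, and normalisation of the default ports so that "https://example.com" and "https://example.com:443" compare equal.

```python
"""Origin-header check against a scheme-qualified trusted-origins list.

Added example, not Django's CSRF middleware and not code from this thread.
The names parse_trusted_origins and check_origin are this example's own.
Assumptions beyond the message above: trusted entries may use a leading
"*." wildcard on the host, and default ports (80/443) are normalised so that
"https://example.com" and "https://example.com:443" compare equal.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


class ImproperlyConfigured(ValueError):
    """Raised at load time for a trusted-origin entry that is not a full origin."""


def _split_origin(value):
    """Return (scheme, host, port) for an origin string.

    Raises ValueError if the value has no scheme or host, carries a path,
    query or fragment, or has a non-numeric port. The default port for the
    scheme is filled in when none is given.
    """
    parts = urlsplit(value)  # lowercases the scheme; .hostname lowercases the host
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        raise ValueError("origin must be scheme://host[:port]")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("origin must not carry a path, query or fragment")
    port = parts.port  # raises ValueError for a port that is not an integer
    return parts.scheme, parts.hostname, port if port is not None else _DEFAULT_PORTS[parts.scheme]


def parse_trusted_origins(entries):
    """Validate CSRF_TRUSTED_ORIGINS-style entries once, at load time.

    An entry such as "example.com" is rejected: without a scheme it could mean
    either http://example.com or https://example.com, which are different origins.
    """
    parsed = []
    for entry in entries:
        try:
            parsed.append(_split_origin(entry))
        except ValueError as exc:
            raise ImproperlyConfigured(
                f"{entry!r}: {exc}; use e.g. 'https://example.com'"
            ) from exc
    return parsed


def _host_matches(host, pattern):
    """Exact host match, or subdomain match for an assumed "*.example.com" pattern.

    The bare domain does not match its own wildcard, and neither does a
    look-alike such as "evil-example.com".
    """
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return host == pattern


def check_origin(origin_header, request_origin, trusted):
    """Decide on an unsafe (POST etc.) request from its Origin header.

    Returns True (allowed), False (reject) or None (no Origin header was sent,
    so the caller must fall back to some other check, e.g. Referer).
    """
    if origin_header is None:
        return None
    if origin_header == "null":  # opaque origin: sandboxed frame, data: URL, ...
        return False
    try:
        scheme, host, port = _split_origin(origin_header)
    except ValueError:
        return False  # malformed Origin is never trusted
    if (scheme, host, port) == _split_origin(request_origin):
        return True  # same-origin request
    return any(
        scheme == t_scheme and port == t_port and _host_matches(host, t_host)
        for t_scheme, t_host, t_port in trusted
    )
```

With trusted = parse_trusted_origins(["https://app.example.com", "https://*.partner.example", "http://localhost:8000"]), an Origin of http://app.example.com is rejected against a request origin of https://app.example.com even though the host matches, which is exactly the ambiguity a scheme-less setting entry would hide; "https://partner.example" does not match its own wildcard, and a missing Origin header yields None rather than a pass.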

Re: Adding Origin header checking to CSRF middleware (#16010)

2021-01-12 Thread Tim Graham
OWASP Cheat Sheet says, "It is important to note that [the SameSite Cookie] attribute should be implemented as an additional layer *defense in depth* concept. This attribute protects the user through the browsers supporting it, and it contains as well 2 ways to bypass it as mentioned in the fol

Re: Adding Origin header checking to CSRF middleware (#16010)

2021-01-12 Thread Jacob Rief
Shouldn't we consider putting the CSRF token onto the deprecation list anyway? All browsers released later than 2017 support the 'SameSite' cookie attribute, making the CSRF token obsolete. I don't know what kind of policy the Django Project follows in depre