Modern CSRF protection without tokens

[ConsoleTVs]

I think it could be very beneficial to start working on a stateless CSRF implementation.

Fore example, Go's HTTP implementation provides a middleware for that. It works as follows:

Cross-origin requests are currently detected with the Sec-Fetch-Site header, available in all browsers since 2023, or by comparing the hostname of the Origin header with the Host header.

The GET, HEAD, and OPTIONS methods are safe methods and are always allowed. It's important that applications do not perform any state changing actions due to requests with safe methods.

Requests without Sec-Fetch-Site or Origin headers are currently assumed to be either same-origin or non-browser requests, and are allowed.

[ConsoleTVs]

Another example from Hono: https://hono.dev/docs/middleware/builtin/csrf