As a website owner, I’m glad to hear this. But I’m still going to do CSRF tokens for the foreseeable future, because it’s going to take <i>a long time</i> before even half of all users are on a browser that is secure by default. And the ones who aren’t on the latest browser are also the least security aware and are most susceptible to cross site forgery.