Great article all around.

TL;DR: A cross-origin request can still be same-site. Also, SameSite cookies do not prevent cookies from being included in malicious requests originating from subdomains because "site" is by definition scheme (e.g., https) plus eTLD+1 (e.g., example.com).

Example: https://subdomain.example.com can submit a malicious POST to https://example.com/delete-account and the user's session cookie would still get included in the request headers. This is why CSRF tokens are commonly employed on top of SameSite cookies as an added layer of protection.
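As an added illustration (not part of the comment above), a small Python model of the origin vs. site distinction the comment relies on. The public-suffix table is a constructed stand-in for the real Public Suffix List, and the Lax rule is simplified to treat every request as a top-level navigation.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (https://publicsuffix.org).
# Real code must load the full list; this only exists so the example runs offline.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the eTLD+1 of host (the 'site' without its scheme).

    Returns None when host is itself a public suffix (e.g. 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    # Candidates are tried longest-first, so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Suffix not in our table: fall back to treating the last label as the TLD.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def same_origin(a, b):
    """Origin = scheme + host + port; subdomains are different origins."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def same_site(a, b):
    """Schemeful same-site as browsers define it: same scheme and same eTLD+1."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme == pb.scheme
            and registrable_domain(pa.hostname) == registrable_domain(pb.hostname))


def cookie_sent(samesite, request_url, initiator_url, method):
    """Would a cookie with this SameSite attribute ride along on a request to
    request_url that was initiated from initiator_url?

    Simplification (assumption of this example): every request is modelled as a
    top-level navigation, so Lax permits cross-site GET/HEAD only."""
    if same_site(initiator_url, request_url):
        return True  # SameSite never restricts same-site requests, subdomains included
    if samesite == "None":
        return True
    if samesite == "Lax":
        return method.upper() in ("GET", "HEAD")
    return False  # Strict


if __name__ == "__main__":
    target = "https://example.com/delete-account"
    for origin in ("https://subdomain.example.com", "https://attacker.example"):
        print(origin, "cross-origin:", not same_origin(origin, target),
              "same-site:", same_site(origin, target),
              "Strict cookie on POST:", cookie_sent("Strict", target, origin, "POST"))
```

The subdomain case prints cross-origin but same-site, so even SameSite=Strict attaches the session cookie to the POST, which is exactly the gap a per-session CSRF token closes.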