Do people use XSRF-tokens nowadays? That used to be the standard approach to this, before all browser CORS protection came to be. The server gives the client a token on the top level page, that must be included in any subsequent POST requests, while also requiring the cookies. Seems like a safer approach, unless you fully trust all browsers to get CORS correct.
It's similar to the Authorization header technique, except you would normally submit it as a parameter in the POST request instead of headers. Explicit credentials are good but has some drawbacks, by being in the headers, you must submit it using fetch(), making it difficult to use in forms or <a>-tags, there the implicit credentials work smoother.
It's similar to the Authorization header technique, except you would normally submit it as a parameter in the POST request instead of headers. Explicit credentials are good but has some drawbacks, by being in the headers, you must submit it using fetch(), making it difficult to use in forms or <a>-tags, there the implicit credentials work smoother.