CSRF attacks are not an issue these days since most users are using up-to-date browsers.
The default value for the SameSite directive in the Set-Cookie header is "Lax". This means, by default, cookies are not sent cross-domain.
The only way a CSRF attack is possible is if, somehow, the developer accidentally set a different value for the SameSite directive, or the user is using a super old browser.
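
A check for the condition described above, as an added example that is not part of the original text: it parses Set-Cookie values and reports every cookie whose SameSite directive is absent, unrecognized, or set to None. The header strings, function names and verdict labels are constructed for illustration.

```python
"""Audit Set-Cookie header values for their SameSite posture."""

VALID = {"strict", "lax", "none"}

def parse_set_cookie(value):
    """Return (cookie_name, attributes) with attribute names lowercased."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # repeated attribute: last one wins
    return name, attrs

def audit(value):
    """Classify one Set-Cookie value; returns (cookie_name, verdict)."""
    name, attrs = parse_set_cookie(value)
    samesite = attrs.get("samesite")
    if samesite is None:
        return name, "implicit"          # protection depends on the browser's default
    samesite = samesite.lower()          # directive values are case-insensitive
    if samesite not in VALID:
        return name, "unrecognized"      # typo or unsupported value
    if samesite == "none":
        # SameSite=None opts the cookie back into cross-site requests
        return name, "cross-site" if "secure" in attrs else "none-without-secure"
    return name, "explicit-" + samesite

def audit_all(values):
    """Return only the cookies that are not explicitly Strict or Lax."""
    results = [audit(v) for v in values]
    return [(n, v) for n, v in results if not v.startswith("explicit-")]

# Constructed sample headers, not taken from any real application.
SAMPLE = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=xyz; Path=/; SameSite=Strict",
    "legacy_sid=42; Path=/; HttpOnly",
    "widget=1; Path=/; SameSite=None; Secure",
    "tracker=9; SameSite=None",
    "prefs=dark; SameSite=Laxx",
]

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLE):
        print(f"{name}: {verdict}")
```

Cookies reported as "implicit" are the ones whose cross-site behaviour is decided by the browser rather than by the application.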