Some time ago we got this PR for Gatekeeper:
https://github.com/keycloak/keycloak-gatekeeper/pull/446. But I'm
50/50 on this. Even though I think it's great to add extra protection
to Gatekeeper, we will end up with a new dependency and implementation
of something that apps could handle. Plus, the inclusion of SameSite
(https://github.com/keycloak/keycloak-gatekeeper/pull/482) helps to
mitigate CSRF.
If we take into consideration all the security threats that we have
today, probably dependencies like
https://github.com/unrolled/secure
should also be included too.
At the moment, I'm leaning toward rejecting this change, as I don't
see any real need for this, but if you have any thoughts, please let
me know.
--
- abstractj