In this lesson, we'll learn what a Cross Site Request Forgery (CRSF) vulnerability is by learning how to exploit a CSRF vulnerable site by making malicious requests on behalf of a logged in user. We'll construct a malicious payload that automatically gets POSTed to the vulnerable site simply by visiting the attacker website while being logged into the target website.
The cookie in the iframe won't work unless we'll add to the cookie object the property
sameSite with the value "none"
Yes, same as Allen. Seems the browser is handling this for me. I am using Chrome Version 87.0.4280.67
Update: The instructor does make note of this "lax" default in browsers at the end of lesson #8.