That was an interesting read, now I'm surprised there are so few websites mitigating this kind of timing attack. Seems like SameSite is still not implemented everywhere: https://caniuse.com/#feat=same-site-cookie-attribute