I would like to note that not all frameworks are viable at-scale. We ran into that with Meteor, as it scaled extremely poorly. It didn't implement CSRF tokens, but also didn't use cookies to store auth data, so it didn't much matter.
We only target recent versions of modern browsers, as a consequence of our user base, so we're more able to move to an origin-based solution.
We only target recent versions of modern browsers, as a consequence of our user base, so we're more able to move to an origin-based solution.