For new cookies, the browser waits 2 min before applying the Lax restrictions, so as not to break SSO or something else.
→ if you get the browser to create a new cookie and immediately send it, you win
Problem -> the user would need to log in again. Solution -> do it in a different window.
Problem -> the browser blocks popups by default unless they are user-initiated. Solution -> wrap window.open("vuln site"); in a click handler: window.onclick = () => { window.open("vuln site"); };
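
From the defender's side, the grace period only matters for cookies whose SameSite policy the browser had to pick by default. The following added example (not part of the original notes) audits Set-Cookie header values and flags those cookies. Assumptions: the window applies only to cookies without a recognised SameSite attribute (Chrome's "Lax+POST" behaviour); the function names and sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie header values for the SameSite default.
// Assumption: the 2-minute window applies only to cookies that carry no
// recognised SameSite attribute, so setting it explicitly removes the window.

// Parse one Set-Cookie header value into { name, attrs }.
function parseSetCookie(line) {
  const parts = line.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : p.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Classify a cookie by how its SameSite policy gets decided.
function classify(line) {
  const { name, attrs } = parseSetCookie(line);
  const raw = attrs.has("samesite") ? attrs.get("samesite").toLowerCase() : null;
  let finding;
  if (raw === null || !["strict", "lax", "none"].includes(raw)) {
    finding = "defaulted"; // browser falls back to Lax-by-default; window applies
  } else if (raw === "none") {
    // SameSite=None is only accepted together with Secure.
    finding = attrs.has("secure") ? "cross-site-allowed" : "rejected-none-without-secure";
  } else {
    finding = "explicit"; // Lax/Strict enforced from the moment the cookie is set
  }
  return { name, sameSite: raw, finding };
}

function auditSetCookies(lines) {
  return lines.map(classify);
}

// Constructed sample headers, not taken from any real site.
const SAMPLE = [
  "session=abc123; Path=/; HttpOnly; Secure",
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "csrf=xyz; SameSite=Strict",
  "widget=1; SameSite=None",
  "track=1; SameSite=None; Secure",
  "odd=1; SameSite=bogus",
];
console.log(auditSetCookies(SAMPLE));
```

Any cookie reported as "defaulted" should get an explicit SameSite attribute, and state-changing endpoints should still require a CSRF token rather than rely on SameSite alone.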