We've talked on the call about looking into using the Tomcat CSRF filter rather than all of our local CSRF custom code. Here's a link to their filter.
It would be "nice" if we could just remove all of our custom CSRF protection and use a filter instead. This kind of came up in some discussion on SAK-29256.
I don't know if this is easy or possible without forking their filter. Just seemed like a better idea than changing entity broker and every tool that calls into it.
From the comments it looks like just using the SameSite cookie attribute might be the better way to go.
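For reference, here is an added configuration sketch (not from this ticket or the project's own code) of what the two options under discussion look like in Tomcat: the stock CsrfPreventionFilter declared in web.xml, and the SameSite attribute applied to all cookies through the cookie processor in context.xml. The url-pattern, entry points and Tomcat 8.5/9 assumptions are placeholders.

```xml
<!-- web.xml: Tomcat's own CSRF filter (Tomcat 8.5/9 assumed).
     It issues a per-session nonce and rejects state-changing requests
     that lack it. Caveat: the nonce is only appended to URLs that pass
     through response.encodeURL()/encodeRedirectURL(), so tools that build
     links by hand would still need changes. -->
<filter>
  <filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <init-param>
    <!-- Comma-separated paths that may be reached without a nonce
         (e.g. the login page); placeholder values -->
    <param-name>entryPoints</param-name>
    <param-value>/portal/login,/portal/logout</param-value>
  </init-param>
  <init-param>
    <!-- How many recent nonces to keep per session (default 5) -->
    <param-name>nonceCacheSize</param-name>
    <param-value>5</param-value>
  </init-param>
  <init-param>
    <!-- HTTP status returned when the nonce check fails (default 403) -->
    <param-name>denyStatus</param-name>
    <param-value>403</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CsrfPreventionFilter</filter-name>
  <url-pattern>/*</url-pattern>  <!-- placeholder scope -->
</filter-mapping>

<!-- context.xml: the SameSite alternative mentioned in the comments.
     Tomcat 8.5.28+/9.0.x add SameSite to every cookie it sets, including
     the JSESSIONID. "lax" still permits top-level GET navigation from
     other sites; "strict" blocks cross-site sending entirely, so
     links from e-mail would land on a session-less request. -->
<Context>
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="lax" />
</Context>
```

SameSite is a defence-in-depth layer that depends on browser support, so it is usually paired with, rather than substituted for, a token check.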