This on Hacker News today: CSRF, CORS, and HTTP Security headers Demystified.

The above article referred to OWASP SameSite doco, and you can read about how to implement that with PHP.