I don’t quite understand the part of the article that deems that you can skip all the checks under the assumption that this is an older browser, and that there is no CSRF vulnerability.

The algorithm seems sane for modern browsers. But you could probably find an outdated browser - older Android device WebView would be common -where the whole thing breaks down.

So I think tokens can be a thing of the past for modern browsers. I like the middleware, I hope it does show up in ASP.NET proper soon. My guess is they’ll keep tokens middleware around alongside it for some time once it does though, and the decision on which to use will come down to whether or not you want to make sure older browsers are secure.