post a form request using window.open makes CSRF token mismatch exception in Safari on Laravel 7.X

[gaejabong]

• Laravel Version: 7.13.0
• PHP Version: 7.2.31
• Database Driver & Version: n/a
• macOS: 10.15.5
• Safari: 13.1.1
• Chrome: 83.0.4103.61
• Firefox: 76.0.1

Description:

When I try to post a form request using window.open script, it will cause csrf token mismatch exception in Safari on Laravel 7.X. I've tested Chrome and Firefox and they're just fine. Safari also works perfectly with same code on Laravel 6.18.16.

Steps To Reproduce:

1. Install a fresh laravel app

composer create-project --prefer-dist laravel/laravel popup7

2. web.php

Route::get('/', function () {
    return view('welcome');
});

Route::post('/blank', function () {
    return 'blank page';
});

3. welcome.blade.php

<!DOCTYPE html>
<html lang="{{ str_replace('_', '-', app()->getLocale()) }}">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">

        <title>Laravel</title>

        <script>
            function openPopup(target) {
                window.open("", target + "_popup", "width=430,height=640,scrollbar=yes");
                let form = document.getElementById(target);
                form.target = target + "_popup";
                form.submit();
            }
        </script>
    </head>
    <body>
    <form id="mobile" name="mobile" action="/blank" method="POST">
        @csrf
        <button onclick="openPopup('mobile');">
            open
        </button>
    </form>
    </body>
</html>

4. click 'open' button
   

Additional Information

There is no proper cookie header for /blank request on Laravel 7.X

request/response header for /blank in Safari on Laravel 7.X

• request
  

• response
  

request/response header for /blank in Safari on Laravel 6.18.16

• request
  

• response