During a code review of an application we're developing, one of the security advisors raised storing the CSRF token in the XSRF-COOKIE is insecure and "isn't mitigation to CSRF at all".
It was suggested that a malicious forged request from an attacker could pick up a victim's cookies from their browser, including the XSRF-TOKEN cookie, meaning the attacker could forge a request using a valid csrf token.
I'm quite happy I can prevent the XSRF-TOKEN cookie from being set without any negative consequences — we include the _token parameter in each POST request and X-CSRF-TOKEN header in ajax requests. My question is to find out if there's any stock in this claim? I don't know enough about request forgery to comment.