The csrf token cookie is said to protect against cross-site attack because it would better warranty that the request is coming from the javascript produced by our website (cf:explanation, Spring-boot implementation)
This CSRF cookie is provided once logged-in and is linked (hash linked or alike) to a SESSION-ID cookie; Since (unlike browsers), javascripts coming from a different site can't read a cookie from another site and send it back through a http header, if the server receives the value of this cookie through this header, it must come from some javascript of our site.
Other resources explains that https still should be used for this mechanism to be secure ...
Thanks @Andreas the answer is here effectively:
The reason is that the OWASP is considering the cookie-to-header solution to be more vulnerable ! As a result they recommend to not compromise the SESSIONID cookie by using an additional cookie for csrf protection !
This lead to ask why are browser providers excusable for allowing cross site cookies ? ;-)