Google will soon be switching Chrome to treat cookies as SameSite=Lax by default, which is highly likely to break some customer functionality. They are adding support for a new non-standard SameSite=None option to revert to the old behaviour, so we should add support for it. This will be required for
- SameSite=None will only be allowed on cookies which are also marked Secure, so if this is set we should automatically set the Secure attribute too. (We may want to check if the request was sent over a secure channel and log a warning if not?)
- Versions of Apple's Safari browser prior to 13 have a bug where they treat SameSite=None as if it were SameSite=Strict, and Apple have said they are not going to backport the fix. This means we'll need to resort to browser sniffing to avoid sending this flag to earlier versions of Safari (or perhaps only send it to Chrome).
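
A sketch of how the two rules above could combine when the Set-Cookie header is built. This is an added example, not code from the product; the function names, the `Path=/` attribute, the sample User-Agent strings and the User-Agent heuristic are all assumptions.

```python
import logging
import re

log = logging.getLogger("cookie.samesite")

# Constructed sample User-Agent strings (not taken from the page).
SAFARI_12_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")
SAFARI_13_UA = SAFARI_12_UA.replace("Version/12.1.2", "Version/13.0.3")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")

# Heuristic, assumed for this example: Safari sends "Version/<major>" before
# "Safari/"; Chrome-family agents also contain "Safari/" but add "Chrome/".
SAFARI_VERSION = re.compile(r"Version/(\d+)[\d.]*\s.*Safari/")
CHROMIUM = re.compile(r"Chrom(?:e|ium)/")


def is_safari_before_13(user_agent):
    """True when the User-Agent looks like Safari with a major version below 13."""
    if not user_agent or CHROMIUM.search(user_agent):
        return False
    match = SAFARI_VERSION.search(user_agent)
    return bool(match) and int(match.group(1)) < 13


def build_set_cookie(name, value, same_site=None, secure=False,
                     request_is_secure=True, user_agent=""):
    """Return a Set-Cookie value that applies the two SameSite=None rules."""
    if same_site and same_site.lower() == "none":
        if is_safari_before_13(user_agent):
            same_site = None      # old Safari would read None as Strict: omit it
        else:
            secure = True         # SameSite=None is only accepted with Secure
            if not request_is_secure:
                log.warning("SameSite=None forces Secure on cookie %r, but the "
                            "request was not sent over a secure channel", name)
    attrs = [f"{name}={value}", "Path=/"]
    if same_site:
        attrs.append(f"SameSite={same_site.capitalize()}")
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)
```

When the attribute is withheld from an older Safari, the caller's own `secure` setting is left unchanged, since the automatic Secure only follows from SameSite=None actually being sent.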