sajad torkamani

Hmm. Not sure about this. Need to revisit my understanding.

In a nutshell

SameSite is an attribute of the Set-Cookie HTTP response header that tells the browser whether a cookie may be attached to cross-site requests or only to first-party (same-site) requests. You set it on the server side like this:

Set-Cookie: <cookie-name>=<cookie-value>; SameSite=<same-site-value>

Values of SameSite

Lax (default in most browsers)

Cookies are sent with first-party requests, and with cross-site requests only when the user navigates to the cookie's site through a top-level navigation (e.g., by clicking a link).

For example, a Lax cookie set by website2.com will be sent if a user on website1.com clicks a link that goes to website2.com. The navigation from website1.com to website2.com is a cross-site request, but it is a top-level navigation, so the browser still attaches website2.com's Lax cookie to that request.

If website1.com instead loads an iframe pointing to website2.com, that is a cross-site request that is not a top-level navigation, so the browser won't attach website2.com's Lax cookie to the iframe request.

If you want website2.com's cookie to be sent even when website2.com is loaded in an iframe, you have to set the SameSite value to None.

Browsers recently made Lax the default (in place of None) for cookies that don't explicitly specify a SameSite attribute.

Strict

Cookies are sent only with first-party requests; they are never attached to cross-site (third-party) requests, not even a top-level navigation such as following a link.

None

Cookies are sent with both first-party and third-party requests. If SameSite=None is set, the Secure attribute must also be set (so the cookie only travels over HTTPS); otherwise the browser rejects the cookie.
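The three values above can be checked against a small model. The following Python is an added example written for this note, not code from the post or from any browser: build_set_cookie assembles a Set-Cookie header and enforces the rule that SameSite=None needs Secure, and cookie_is_sent is a simplified version of the decision a browser makes for one outgoing request. The model goes one step beyond the post in that Lax only attaches cookies to top-level navigations that use a safe method (GET/HEAD), which is why a cross-site form POST does not carry a Lax cookie. The cookie and site names are constructed for the demo.

```python
from enum import Enum


class SameSite(Enum):
    STRICT = "Strict"
    LAX = "Lax"
    NONE = "None"


def build_set_cookie(name, value, same_site=SameSite.LAX, secure=False, http_only=True):
    """Assemble a Set-Cookie header value.

    Enforces the rule from the note: browsers only accept SameSite=None
    when the Secure attribute is also present, so refuse to emit anything else.
    """
    if same_site is SameSite.NONE and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"SameSite={same_site.value}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def cookie_is_sent(same_site, cross_site, top_level_navigation=False, safe_method=True):
    """Simplified model of the browser's SameSite check for one request.

    cross_site:           the request targets a different site than the page
                          that caused it (website1.com -> website2.com).
    top_level_navigation: the request changes the address bar (link click,
                          form submission); False for iframes, images, fetch/XHR.
    safe_method:          GET/HEAD. Lax only allows cross-site cookies on safe
                          top-level navigations (this detail is not in the note).
    """
    if not cross_site:
        return True                      # first-party: every value allows it
    if same_site is SameSite.NONE:
        return True                      # None: third-party requests allowed
    if same_site is SameSite.STRICT:
        return False                     # Strict: never cross-site
    return top_level_navigation and safe_method   # Lax


# The scenarios from the note, all constructed for illustration.
SCENARIOS = {
    "link click website1.com -> website2.com": dict(cross_site=True, top_level_navigation=True),
    "iframe on website1.com loading website2.com": dict(cross_site=True, top_level_navigation=False),
    "cross-site form POST to website2.com": dict(cross_site=True, top_level_navigation=True, safe_method=False),
    "request within website2.com itself": dict(cross_site=False),
}


def scenario_table():
    """Return {scenario: {value: sent?}} for every SameSite value."""
    return {
        label: {ss.value: cookie_is_sent(ss, **kw) for ss in SameSite}
        for label, kw in SCENARIOS.items()
    }


if __name__ == "__main__":
    print(build_set_cookie("session", "abc123", SameSite.NONE, secure=True))
    for label, row in scenario_table().items():
        print(f"{label:48} {row}")
```

Running the block prints one row per scenario; the iframe row shows Lax and Strict both withholding the cookie while None sends it, which is exactly the reason SameSite=None (with Secure) is needed for embedded widgets. Real browsers add nuances the model leaves out, such as Chrome's temporary allowance of Lax cookies on cross-site POSTs for cookies that were set without an explicit SameSite attribute.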
