Add support for SameSite cookie property

[blowdart]

https://tools.ietf.org/html/draft-west-first-party-cookies-07

Basically add a new property SameSite with values of None, Lax and Strict.

The value should then be appended to cookies when the cookie is sent;

Set-Cookie: CookieName=CookieValue; SameSite=Lax;
Set-Cookie: CookieName=CookieValue; SameSite=Strict;

[Tratcher]

This has come up before (though I can't find the issue). We were going to wait for the RFC to finish.

[blowdart]

Yea I couldn't find it either, I thought I had logged it before. I figured better safe than sorry.

[Tratcher]

This sounds like something that should be added to the CookiePolicy middleware.

[blowdart]

Not so sure, after all we can set HTTP_Only and Secure on individual cookies, via CookieOptions. I feel it ought to go in there, along with the ability to override everything in the CookiePolicy middleware.

[Tratcher]

Yes, I meant in addition to implementing it here.

[blowdart]

Ah :)

[muratg]

Backlogging until spec is more stable. Ping me if you think otherwise.

[Tratcher]

@blowdart has requested a re-triage