Feature request: configurable behaviour for cookie defaults and overrides

[rowan-m]

By applying SameSite=None; Secure to all cookies you do have the benefit of maintaining their legacy behaviour, however it does mean that you're explicitly marking all cookies for cross-site use. While this may be necessary for API auth related cookies, it's probably not needed for the majority of site cookies. It would be nice to provide configuration that enabled the following:

• A map of cookie names to the SameSite attribute value to be applied
• A boolean option for if the mapped SameSite value should override an existing value
• A default value for the SameSite attribute to apply when missing
• A boolean option to remove invalid SameSite values from cookies

For example, this would allow a developer to specify their auth cookie for the SameSite=None; Secure attributes, but apply a SameSite=Lax policy by default to everything else.

[pschinis]

I don't have a lot of bandwidth to add more configuration options at the moment, but hopefully should have some time before Chrome's changes go live in February. Otherwise the code is pretty simple so feel free to submit a pull request.

[synth]

To add to the configurable behavior, we'd love to see request level configuration. Our app has lots of integrations that are implemented via iFrames (eg Sharepoint, Microsoft Teams, etc). For requests coming from those integrations (which can be validated), we'd like to remove the samesite restriction, but for other requests, we'd like to have the lax or strict setting.

15 takes a stab at accomplishing but unsure if that implementation is the best.