fix: Chrome rejects refresh_token cookie in cross-origin requests due to missing SameSite attribute.

[lxbdr]

Chrome prohibits the refresh_token cookie from being set from cross-origin requests because it is missing the samesite attribute.

Things to consider:

• This syntax requires a minimum PHP version of 7.3. Do we need a version check or workaround here to support a lower version?
• The default for samesite would be Lax maybe this could even be set to Strict as the refresh_token is probably only used on subsequent requests in a first-party context when not cross-origin.

[sun]

Sorry for not getting to this earlier. 😬 Your proposed change looks good to me.

We could move forward with it – although Google is now stating that we should implement other/additional measures in the meantime:

• https://web.dev/articles/samesite-cookies-explained
• https://developers.google.com/privacy-sandbox/cookies

Do we want to investigate that here or in a separate issue/PR?