w3c-fedid / FedCM

A privacy preserving identity exchange Web API
https://w3c-fedid.github.io/FedCM/

Mention SameSite cookies in accounts fetch #550

Open npm1 opened 7 months ago

npm1 commented 7 months ago

This PR adds a mention of which cookies ought to be sent in the accounts fetch. Once cookie layering work is done, we can remove this note and properly specify it.

Relevant issue: https://github.com/fedidcg/FedCM/issues/609


npm1 commented 1 month ago

This PR aligns the spec with the Chrome implementation. But there is some feedback that we may need to change the implementation on https://github.com/w3c-fedid/FedCM/issues/587. We can either keep this PR pending the resolution of that or land it and possibly address the changes from that later.

npm1 commented 1 month ago

Section 2 ("The Browser API") says that "unpartitioned cookies are included, as if the resource was loaded as a same-origin request, e.g. regardless of the SameSite value". That should probably be updated too?

Updated, ptal