- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18) - use "-samesite strict" per default on signed cookies
Background from NaviServer commit:
ns_setcookie: add flag "-samesite" with values "strict|lax|none"
When the flag is set it prevents the browser from sending this cookie along with cross-site requests to mitigate cross site scripting attacks. Permissible values are [term strict], [term lax], or [term none] (default). While the value [term strict] prevents sending the cookie to the target site in all cross-site browsing context, the value of [term lax] allows sending the cookie when the user clicks on regular links. For details, see https://www.owasp.org/index.php/SameSite
This cookie flag is not yet part of an RFC, but most major browsers support it. Browsers that do not support it, ignore the flag silently (see https://caniuse.com/#search=samesite).
Although most cookies should probably use the flags, in order to provide backward compatibility, the flag can't be activated by default on all cookies.