- ad_set_cookie: add option "-samesite" and use it, when the server supports it (NaviServer 4.99.18)
- use "-samesite strict" per default on signed cookies
Background from NaviServer commit:
ns_setcookie: add flag "-samesite" with values "strict|lax|none"
When the flag is set it prevents the browser from
sending this cookie along with cross-site requests to mitigate cross site
scripting attacks. Permissible values are [term strict], [term lax],
or [term none] (default). While the value [term strict] prevents
sending the cookie to the target site in all cross-site browsing
context, the value of [term lax] allows sending the cookie when the
user clicks on regular links. For details, see
https://www.owasp.org/index.php/SameSiteThis cookie flag is not yet part of an RFC, but most major browsers
support it. Browsers that do not support it, ignore the flag
silently (see
https://caniuse.com/#search=samesite).
Although most cookies should probably use the flags, in order to
provide backward compatibility, the flag can't be activated by
default on all cookies.
