SameSite Cookie Attribute Support

[ghost]

The SameSite cookie attribute is already supported in a few browsers, and some are switching the default behavior based on it, and some are enforcing a constraint regarding the value. Please see the following links for details and related issues.

Chromium - https://www.chromium.org/updates/same-site
Netty - netty/netty#8161

Current status

1. Received response cookies with "SameSite" attribute will lose the attribute.
2. Styx cannot set the "SameSite" attribute for cookies.

Acceptance criteria

Cookies with the "SameSite" attribute will retain it when being processed by Styx.
ResponseCookie API will provide the ability to set the SameSite attribute for cookies.

[bestokes]

February, 2020: Enforcement rollout for Chrome 80 Stable: The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.