Just to summarize, here's what we are doing:
- We only care about scenarios where our DNN site is running in https.
  Other scenarios simply won't support cookies in iFrames any more.
- We primarily care about httpOnly cookies.
  These are cookies which the server sets and receives again, but JS cannot access. These cookies are used for authentication and similar. These cookies are extra secure: since JS cannot access them, it also cannot abuse them from another frame. But we need them, so postback calls and login state work.
- These httpOnly cookies must be set to SameSite=None (see docs) because
  This means that they can be used in iFrames (another site).
- AND they must also be set to Secure.
  Otherwise Chrome etc. will ignore the SameSite completely. So these cookies will only be allowed if you're running https.
You can read more about this in the chromium blog.
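As an added illustration (not part of the comment above or of DNN's code), this small checker parses a `Set-Cookie` header and flags the three conditions summarised above: `SameSite=None`, `Secure`, and `HttpOnly`. The cookie names and values are constructed samples.

```python
"""Check Set-Cookie headers against the cross-site iframe rules summarised above."""
from dataclasses import dataclass, field


@dataclass
class CookieCheck:
    name: str
    ok: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure/HttpOnly carry no value; store True.
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def check_iframe_cookie(header: str) -> CookieCheck:
    """Return which iframe requirements a cookie fails (empty list means OK)."""
    name, _value, attrs = parse_set_cookie(header)
    problems = []
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() != "none":
        # Missing SameSite is treated as Lax by Chrome, so it is dropped cross-site.
        problems.append("SameSite is not None: dropped in a third-party iframe")
    if "secure" not in attrs:
        # SameSite=None without Secure is rejected by Chrome, i.e. the cookie is never set.
        problems.append("Secure missing: SameSite=None is ignored without Secure")
    if "httponly" not in attrs:
        problems.append("HttpOnly missing: cookie readable by script")
    return CookieCheck(name, not problems, problems)


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real DNN site.
    for hdr in ("sid=abc; Path=/; HttpOnly; SameSite=None; Secure",
                "sid=abc; Path=/; HttpOnly; SameSite=None",
                "sid=abc; Path=/; HttpOnly; Secure"):
        result = check_iframe_cookie(hdr)
        print(result.name, "OK" if result.ok else result.problems)
```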