Backport to 1.0: allow explicit SameSite=None cookies (#1282)

[theikkila]

fixes #1035
(cherry picked from commit a328794)

[robjtede]

Thanks for the backport. Not sure what the best approach is for the changelogs. @actix/contributors

[JohnTitor]

Uhm, I wouldn't backport this as discussed on former PR.

[JohnTitor]

As doc says, None here means "No SameSite attribute" and we should expect so. One avoidance is to add "The None SameSite attribute" and leave None variant. But naming is a problem and may cause confusion (yeah, current naming also causes it though :/).

[robjtede]

This is cherry picked from my fix. The issue before was that None and Some(SameSite::None) are treated the same which is wrong.

[JohnTitor]

Yeah, I'd just say when you want to fix it on 2.0 or 1.0, you should come up with another way that doesn't break current behavior.

[robjtede]

Hmm, I stil consider this a bug and not a breaking change per se.
To do what you're asking there'd have to be either a feature flag or an extra field on Cookie to enable the behavior.

[JohnTitor]

Uhmm, okay I'll re-visit here once we make a new alpha release for actix-http.

[JohnTitor]

Okay, I was thinking about this and would like to accept. But we're going ahead to 3.0 so we should backport to 2.0.

[robjtede]

In light of recent issues, I don't think we should backport this without also backporting the cookie crate migration... @actix/core-contributors ?