Set a default SameSite policy of 'none'

But make it configurable through a public SameSite field on the sso
Handler object.

httpsso/handler.go

@@ -78,6 +78,7 @@ type SSOWrapper struct {
 	serverOrigin string
 
 	EnableCORS bool
+	SameSite   http.SameSite
 }
 
 // NewSSOWrapper returns a new SSOWrapper that will authenticate users
@@ -99,6 +100,7 @@ func NewSSOWrapper(serverURL string, pkey []byte, domain string, sessionAuthKey,
 		serverURL:    serverURL,
 		serverOrigin: originFromURL(serverURL),
 		EnableCORS:   true,
+		SameSite:     http.SameSiteNoneMode,
 	}, nil
 }
 
@@ -146,6 +148,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, servi
 	nonce := cookie.Value
 	cookie.MaxAge = -1
 	cookie.Value = ""
+	cookie.SameSite = s.SameSite
 	http.SetCookie(w, cookie)
 
 	tkt, err := s.v.Validate(t, nonce, service, groups)
@@ -173,6 +176,7 @@ func (s *SSOWrapper) handleLogin(w http.ResponseWriter, req *http.Request, servi
 		Path:     pathFromService(service),
 		Secure:   true,
 		HttpOnly: true,
+		SameSite: s.SameSite,
 	})
 
 	s.redirectWithCORS(w, req, d)
@@ -204,6 +208,7 @@ func (s *SSOWrapper) redirectToLogin(w http.ResponseWriter, req *http.Request, s
 		Path:     pathFromService(service) + "sso_login",
 		Secure:   true,
 		HttpOnly: true,
+		SameSite: s.SameSite,
 	})
 
 	v := make(url.Values)