Summary

This PR adds support for SameSite=None (and other SameSite variants) to the cookie flag filter used by BunkerWeb/Nginx in order to prevent breakages in existing/legacy service environments where cross-site cookie flows are required.

Background / Motivation

When applying BunkerWeb to an existing production service, we found that the current cookie flags mechanism does not allow configuring SameSite=None.

In real deployments, some authentication/session flows (e.g., cross-site SSO callbacks, embedded contexts, or other third-party scenarios) still rely on cookies being sent in a cross-site context. Without the ability to set SameSite=None, cookies may be blocked by browsers and can cause user-facing outages (session loss, login loops, broken integrations).

While SameSite=Lax or SameSite=Strict are generally more secure and recommended, operators still need the ability to explicitly choose SameSite=None for compatibility during migration or for services that cannot immediately change their flow.

Changes

• Extend set_cookie_flag directive parsing to support:
  • samesite=none
  • samesite=lax
  • samesite=strict
  • samesite (value-less)
• Add validation to detect duplicate flags in directive arguments (e.g., samesite=lax and samesite=strict together) and fail fast during config parsing.
• Preserve existing behavior:
  • Apply flags to matching Set-Cookie headers by cookie name, and allow default rules via *.
  • Avoid appending duplicate attributes if the header already contains them.
  • Keep * default configuration applied last (moved to the end of the array).

Configuration Examples

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app
  annotations:
    bunkerweb.io/example.com_COOKIE_FLAGS: '* HttpOnly SameSite=None'