Include patch quirks

src/Http/Headers/src/SetCookieHeaderValue.cs

@@ -44,7 +44,7 @@ public class SetCookieHeaderValue
 
         static SetCookieHeaderValue()
         {
-            if (AppContext.TryGetSwitch("Microsoft.Net.Http.Headers.SetCookieHeaderValue.SuppressSameSiteNone", out var enabled))
+            if (AppContext.TryGetSwitch("Microsoft.AspNetCore.SuppressSameSiteNone", out var enabled))
             {
                 SuppressSameSiteNone = enabled;
             }

src/Http/Headers/test/SetCookieHeaderValueTest.cs

@@ -165,7 +165,7 @@ public static TheoryData<string> InvalidCookieValues
 
                 var header8 = new SetCookieHeaderValue("name8", "value8")
                 {
-                    SameSite = (SameSiteMode)(-1) // Unspecified
+                    SameSite = SameSiteMode.Unspecified
                 };
                 var string8a = "name8=value8; samesite";
                 var string8b = "name8=value8; samesite=invalid";

src/Http/Http.Abstractions/src/CookieBuilder.cs

@@ -11,8 +11,20 @@ namespace Microsoft.AspNetCore.Http
     /// </summary>
     public class CookieBuilder
     {
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
         private string _name;
 
+        static CookieBuilder()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.AspNetCore.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         /// <summary>
         /// The name of the cookie.
         /// </summary>
@@ -54,7 +66,7 @@ public virtual string Name
         /// <remarks>
         /// Determines the value that will set on <seealso cref="CookieOptions.SameSite"/>.
         /// </remarks>
-        public virtual SameSiteMode SameSite { get; set; } = SameSiteMode.Unspecified;
+        public virtual SameSiteMode SameSite { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : SameSiteMode.Unspecified;
 
         /// <summary>
         /// The policy that will be used to determine <seealso cref="CookieOptions.Secure"/>.

src/Http/Http.Features/src/CookieOptions.cs

@@ -10,6 +10,18 @@ namespace Microsoft.AspNetCore.Http
     /// </summary>
     public class CookieOptions
     {
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
+        static CookieOptions()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.AspNetCore.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         /// <summary>
         /// Creates a default cookie with a path of '/'.
         /// </summary>
@@ -46,7 +58,7 @@ public CookieOptions()
         /// Gets or sets the value for the SameSite attribute of the cookie. The default value is <see cref="SameSiteMode.Unspecified"/>
         /// </summary>
         /// <returns>The <see cref="SameSiteMode"/> representing the enforcement mode of the cookie.</returns>
-        public SameSiteMode SameSite { get; set; } = SameSiteMode.Unspecified;
+        public SameSiteMode SameSite { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : SameSiteMode.Unspecified;
 
         /// <summary>
         /// Gets or sets a value that indicates whether a cookie is accessible by client-side script.

src/Security/Authentication/test/OpenIdConnect/OpenIdConnectChallengeTests.cs

@@ -453,6 +453,7 @@ public async Task ChallengeSetsNonceAndStateCookies(OpenIdConnectRedirectBehavio
             Assert.True(correlationCookie.HttpOnly);
             Assert.Equal("/signin-oidc", correlationCookie.Path);
             Assert.False(StringSegment.IsNullOrEmpty(correlationCookie.Value));
+            Assert.Equal(Net.Http.Headers.SameSiteMode.None, correlationCookie.SameSite);
 
             Assert.Equal(2, challengeCookies.Count);
         }

src/Security/CookiePolicy/src/CookiePolicyOptions.cs

@@ -12,10 +12,22 @@ namespace Microsoft.AspNetCore.Builder
     /// </summary>
     public class CookiePolicyOptions
     {
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
+        static CookiePolicyOptions()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.AspNetCore.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         /// <summary>
         /// Affects the cookie's same site attribute.
         /// </summary>
-        public SameSiteMode MinimumSameSitePolicy { get; set; } = SameSiteMode.Unspecified;
+        public SameSiteMode MinimumSameSitePolicy { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : SameSiteMode.Unspecified;
 
         /// <summary>
         /// Affects whether cookies must be HttpOnly.

src/Security/CookiePolicy/src/ResponseCookiesWrapper.cs

@@ -115,7 +115,8 @@ public string CreateConsentCookie()
         private bool CheckPolicyRequired()
         {
             return !CanTrack
-                || Options.MinimumSameSitePolicy != SameSiteMode.Unspecified
+                || (CookiePolicyOptions.SuppressSameSiteNone && Options.MinimumSameSitePolicy != SameSiteMode.None)
+                || (!CookiePolicyOptions.SuppressSameSiteNone && Options.MinimumSameSitePolicy != SameSiteMode.Unspecified)
                 || Options.HttpOnly != HttpOnlyPolicy.None
                 || Options.Secure != CookieSecurePolicy.None;
         }