dotnet
diff --git a/‎src/Http/Headers/ref/Microsoft.Net.Http.Headers.netcoreapp.cs
Lines changed: 1 addition & 0 deletions b/‎src/Http/Headers/ref/Microsoft.Net.Http.Headers.netcoreapp.cs
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Http/Headers/src/SameSiteMode.cs
Lines changed: 3 additions & 1 deletion b/‎src/Http/Headers/src/SameSiteMode.cs
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/Http/Headers/src/SetCookieHeaderValue.cs
Lines changed: 60 additions & 16 deletions b/‎src/Http/Headers/src/SetCookieHeaderValue.cs
Lines changed: 60 additions & 16 deletions
diff --git a/‎src/Http/Headers/test/SetCookieHeaderValueTest.cs
Lines changed: 117 additions & 7 deletions b/‎src/Http/Headers/test/SetCookieHeaderValueTest.cs
Lines changed: 117 additions & 7 deletions
diff --git a/‎src/Http/Http.Abstractions/src/CookieBuilder.cs
Lines changed: 14 additions & 2 deletions b/‎src/Http/Http.Abstractions/src/CookieBuilder.cs
Lines changed: 14 additions & 2 deletions
@@ -316,6 +316,7 @@ public RangeItemHeaderValue(long? from, long? to) { }
     }
     public enum SameSiteMode
     {
+        Unspecified = -1,
         None = 0,
         Lax = 1,
         Strict = 2,
 
@@ -5,12 +5,14 @@ namespace Microsoft.Net.Http.Headers
 {
     /// <summary>
     /// Indicates if the client should include a cookie on "same-site" or "cross-site" requests.
-    /// RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
+    /// RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
     /// </summary>
     // This mirrors Microsoft.AspNetCore.Http.SameSiteMode
     public enum SameSiteMode
     {
         /// <summary>No SameSite field will be set, the client should follow its default cookie policy.</summary>
+        Unspecified = -1,
+        /// <summary>Indicates the client should disable same-site restrictions.</summary>
         None = 0,
         /// <summary>Indicates the client should send the cookie with "same-site" requests, and with "cross-site" top-level navigations.</summary>
         Lax,
 
@@ -20,8 +20,14 @@ public class SetCookieHeaderValue
         private const string SecureToken = "secure";
         // RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
         private const string SameSiteToken = "samesite";
+        private static readonly string SameSiteNoneToken = SameSiteMode.None.ToString().ToLower();
         private static readonly string SameSiteLaxToken = SameSiteMode.Lax.ToString().ToLower();
         private static readonly string SameSiteStrictToken = SameSiteMode.Strict.ToString().ToLower();
+
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
         private const string HttpOnlyToken = "httponly";
         private const string SeparatorToken = "; ";
         private const string EqualsToken = "=";
@@ -36,6 +42,14 @@ private static readonly HttpHeaderParser<SetCookieHeaderValue> MultipleValuePars
         private StringSegment _name;
         private StringSegment _value;
 
+        static SetCookieHeaderValue()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.AspNetCore.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         private SetCookieHeaderValue()
         {
             // Used by the parser to create a new instance of this type.
@@ -92,16 +106,17 @@ public StringSegment Value
 
         public bool Secure { get; set; }
 
-        public SameSiteMode SameSite { get; set; }
+        public SameSiteMode SameSite { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : SameSiteMode.Unspecified;
 
         public bool HttpOnly { get; set; }
 
-        // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax}; httponly
+        // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={strict|lax|none}; httponly
         public override string ToString()
         {
             var length = _name.Length + EqualsToken.Length + _value.Length;
 
             string maxAge = null;
+            string sameSite = null;
 
             if (Expires.HasValue)
             {
@@ -129,9 +144,20 @@ public override string ToString()
                 length += SeparatorToken.Length + SecureToken.Length;
             }
 
-            if (SameSite != SameSiteMode.None)
+            // Allow for Unspecified (-1) to skip SameSite
+            if (SameSite == SameSiteMode.None && !SuppressSameSiteNone)
+            {
+                sameSite = SameSiteNoneToken;
+                length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;
+            }
+            else if (SameSite == SameSiteMode.Lax)
             {
-                var sameSite = SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken;
+                sameSite = SameSiteLaxToken;
+                length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;
+            }
+            else if (SameSite == SameSiteMode.Strict)
+            {
+                sameSite = SameSiteStrictToken;
                 length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;
             }
 
@@ -140,9 +166,9 @@ public override string ToString()
                 length += SeparatorToken.Length + HttpOnlyToken.Length;
             }
 
-            return string.Create(length, (this, maxAge), (span, tuple) =>
+            return string.Create(length, (this, maxAge, sameSite), (span, tuple) =>
             {
-                var (headerValue, maxAgeValue) = tuple;
+                var (headerValue, maxAgeValue, sameSite) = tuple;
 
                 Append(ref span, headerValue._name);
                 Append(ref span, EqualsToken);
@@ -180,9 +206,9 @@ public override string ToString()
                     AppendSegment(ref span, SecureToken, null);
                 }
 
-                if (headerValue.SameSite != SameSiteMode.None)
+                if (sameSite != null)
                 {
-                    AppendSegment(ref span, SameSiteToken, headerValue.SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);
+                    AppendSegment(ref span, SameSiteToken, sameSite);
                 }
 
                 if (headerValue.HttpOnly)
@@ -248,9 +274,18 @@ public void AppendToStringBuilder(StringBuilder builder)
                 AppendSegment(builder, SecureToken, null);
             }
 
-            if (SameSite != SameSiteMode.None)
+            // Allow for Unspecified (-1) to skip SameSite
+            if (SameSite == SameSiteMode.None && !SuppressSameSiteNone)
+            {
+                AppendSegment(builder, SameSiteToken, SameSiteNoneToken);
+            }
+            else if (SameSite == SameSiteMode.Lax)
             {
-                AppendSegment(builder, SameSiteToken, SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);
+                AppendSegment(builder, SameSiteToken, SameSiteLaxToken);
+            }
+            else if (SameSite == SameSiteMode.Strict)
+            {
+                AppendSegment(builder, SameSiteToken, SameSiteStrictToken);
             }
 
             if (HttpOnly)
@@ -302,7 +337,7 @@ public static bool TryParseStrictList(IList<string> inputs, out IList<SetCookieH
             return MultipleValueParser.TryParseStrictValues(inputs, out parsedValues);
         }
 
-        // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax}; httponly
+        // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict|Lax|None}; httponly
         private static int GetSetCookieLength(StringSegment input, int startIndex, out SetCookieHeaderValue parsedValue)
         {
             Contract.Requires(startIndex >= 0);
@@ -437,25 +472,34 @@ private static int GetSetCookieLength(StringSegment input, int startIndex, out S
                 {
                     result.Secure = true;
                 }
-                // samesite-av = "SameSite" / "SameSite=" samesite-value
-                // samesite-value = "Strict" / "Lax"
+                // samesite-av = "SameSite=" samesite-value
+                // samesite-value = "Strict" / "Lax" / "None"
                 else if (StringSegment.Equals(token, SameSiteToken, StringComparison.OrdinalIgnoreCase))
                 {
                     if (!ReadEqualsSign(input, ref offset))
                     {
-                        result.SameSite = SameSiteMode.Strict;
+                        result.SameSite = SuppressSameSiteNone ? SameSiteMode.Strict : SameSiteMode.Unspecified;
                     }
                     else
                     {
                         var enforcementMode = ReadToSemicolonOrEnd(input, ref offset);
 
-                        if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))
+                        if (StringSegment.Equals(enforcementMode, SameSiteStrictToken, StringComparison.OrdinalIgnoreCase))
+                        {
+                            result.SameSite = SameSiteMode.Strict;
+                        }
+                        else if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))
                         {
                             result.SameSite = SameSiteMode.Lax;
                         }
+                        else if (!SuppressSameSiteNone
+                            && StringSegment.Equals(enforcementMode, SameSiteNoneToken, StringComparison.OrdinalIgnoreCase))
+                        {
+                            result.SameSite = SameSiteMode.None;
+                        }
                         else
                         {
-                            result.SameSite = SameSiteMode.Strict;
+                            result.SameSite = SuppressSameSiteNone ? SameSiteMode.Strict : SameSiteMode.Unspecified;
                         }
                     }
                 }
 
@@ -57,7 +57,7 @@ public static TheoryData<SetCookieHeaderValue, string> SetCookieHeaderDataSet
                 {
                     SameSite = SameSiteMode.None,
                 };
-                dataset.Add(header7, "name7=value7");
+                dataset.Add(header7, "name7=value7; samesite=none");
 
 
                 return dataset;
@@ -155,9 +155,20 @@ public static TheoryData<IList<SetCookieHeaderValue>, string[]> ListOfSetCookieH
                 {
                     SameSite = SameSiteMode.Strict
                 };
-                var string6a = "name6=value6; samesite";
-                var string6b = "name6=value6; samesite=Strict";
-                var string6c = "name6=value6; samesite=invalid";
+                var string6 = "name6=value6; samesite=Strict";
+
+                var header7 = new SetCookieHeaderValue("name7", "value7")
+                {
+                    SameSite = SameSiteMode.None
+                };
+                var string7 = "name7=value7; samesite=None";
+
+                var header8 = new SetCookieHeaderValue("name8", "value8")
+                {
+                    SameSite = SameSiteMode.Unspecified
+                };
+                var string8a = "name8=value8; samesite";
+                var string8b = "name8=value8; samesite=invalid";
 
                 dataset.Add(new[] { header1 }.ToList(), new[] { string1 });
                 dataset.Add(new[] { header1, header1 }.ToList(), new[] { string1, string1 });
@@ -170,9 +181,10 @@ public static TheoryData<IList<SetCookieHeaderValue>, string[]> ListOfSetCookieH
                 dataset.Add(new[] { header1, header2, header3, header4 }.ToList(), new[] { string.Join(",", string1, string2, string3, string4) });
                 dataset.Add(new[] { header5 }.ToList(), new[] { string5a });
                 dataset.Add(new[] { header5 }.ToList(), new[] { string5b });
-                dataset.Add(new[] { header6 }.ToList(), new[] { string6a });
-                dataset.Add(new[] { header6 }.ToList(), new[] { string6b });
-                dataset.Add(new[] { header6 }.ToList(), new[] { string6c });
+                dataset.Add(new[] { header6 }.ToList(), new[] { string6 });
+                dataset.Add(new[] { header7 }.ToList(), new[] { string7 });
+                dataset.Add(new[] { header8 }.ToList(), new[] { string8a });
+                dataset.Add(new[] { header8 }.ToList(), new[] { string8b });
 
                 return dataset;
             }
@@ -301,6 +313,28 @@ public void SetCookieHeaderValue_ToString(SetCookieHeaderValue input, string exp
             Assert.Equal(expectedValue, input.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_ToString_SameSiteNoneCompat()
+        {
+            SetCookieHeaderValue.SuppressSameSiteNone = true;
+
+            var input = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            Assert.Equal("name=value", input.ToString());
+
+            SetCookieHeaderValue.SuppressSameSiteNone = false;
+
+            var input2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            Assert.Equal("name=value; samesite=none", input2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(SetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_AppendToStringBuilder(SetCookieHeaderValue input, string expectedValue)
@@ -312,6 +346,32 @@ public void SetCookieHeaderValue_AppendToStringBuilder(SetCookieHeaderValue inpu
             Assert.Equal(expectedValue, builder.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_AppendToStringBuilder_SameSiteNoneCompat()
+        {
+            SetCookieHeaderValue.SuppressSameSiteNone = true;
+
+            var builder = new StringBuilder();
+            var input = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            input.AppendToStringBuilder(builder);
+            Assert.Equal("name=value", builder.ToString());
+
+            SetCookieHeaderValue.SuppressSameSiteNone = false;
+
+            var builder2 = new StringBuilder();
+            var input2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            input2.AppendToStringBuilder(builder2);
+            Assert.Equal("name=value; samesite=none", builder2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(SetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_Parse_AcceptsValidValues(SetCookieHeaderValue cookie, string expectedValue)
@@ -322,6 +382,31 @@ public void SetCookieHeaderValue_Parse_AcceptsValidValues(SetCookieHeaderValue c
             Assert.Equal(expectedValue, header.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_Parse_AcceptsValidValues_SameSiteNoneCompat()
+        {
+            SetCookieHeaderValue.SuppressSameSiteNone = true;
+            var header = SetCookieHeaderValue.Parse("name=value; samesite=none");
+
+            var cookie = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.Strict,
+            };
+
+            Assert.Equal(cookie, header);
+            Assert.Equal("name=value; samesite=strict", header.ToString());
+            SetCookieHeaderValue.SuppressSameSiteNone = false;
+
+            var header2 = SetCookieHeaderValue.Parse("name=value; samesite=none");
+
+            var cookie2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+            Assert.Equal(cookie2, header2);
+            Assert.Equal("name=value; samesite=none", header2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(SetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_TryParse_AcceptsValidValues(SetCookieHeaderValue cookie, string expectedValue)
@@ -332,6 +417,31 @@ public void SetCookieHeaderValue_TryParse_AcceptsValidValues(SetCookieHeaderValu
             Assert.Equal(expectedValue, header.ToString());
         }
 
+        [Fact]
+        public void SetCookieHeaderValue_TryParse_AcceptsValidValues_SameSiteNoneCompat()
+        {
+            SetCookieHeaderValue.SuppressSameSiteNone = true;
+            Assert.True(SetCookieHeaderValue.TryParse("name=value; samesite=none", out var header));
+            var cookie = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.Strict,
+            };
+
+            Assert.Equal(cookie, header);
+            Assert.Equal("name=value; samesite=strict", header.ToString());
+
+            SetCookieHeaderValue.SuppressSameSiteNone = false;
+
+            Assert.True(SetCookieHeaderValue.TryParse("name=value; samesite=none", out var header2));
+            var cookie2 = new SetCookieHeaderValue("name", "value")
+            {
+                SameSite = SameSiteMode.None,
+            };
+
+            Assert.Equal(cookie2, header2);
+            Assert.Equal("name=value; samesite=none", header2.ToString());
+        }
+
         [Theory]
         [MemberData(nameof(InvalidSetCookieHeaderDataSet))]
         public void SetCookieHeaderValue_Parse_RejectsInvalidValues(string value)
 
@@ -11,8 +11,20 @@ namespace Microsoft.AspNetCore.Http
     /// </summary>
     public class CookieBuilder
     {
+        // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1
+        // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1
+        internal static bool SuppressSameSiteNone;
+
         private string _name;
 
+        static CookieBuilder()
+        {
+            if (AppContext.TryGetSwitch("Microsoft.AspNetCore.SuppressSameSiteNone", out var enabled))
+            {
+                SuppressSameSiteNone = enabled;
+            }
+        }
+
         /// <summary>
         /// The name of the cookie.
         /// </summary>
@@ -49,12 +61,12 @@ public virtual string Name
         public virtual bool HttpOnly { get; set; }
 
         /// <summary>
-        /// The SameSite attribute of the cookie. The default value is <see cref="SameSiteMode.None"/>
+        /// The SameSite attribute of the cookie. The default value is <see cref="SameSiteMode.Unspecified"/>
         /// </summary>
         /// <remarks>
         /// Determines the value that will set on <seealso cref="CookieOptions.SameSite"/>.
         /// </remarks>
-        public virtual SameSiteMode SameSite { get; set; } = SameSiteMode.None;
+        public virtual SameSiteMode SameSite { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : SameSiteMode.Unspecified;
 
         /// <summary>
         /// The policy that will be used to determine <seealso cref="CookieOptions.Secure"/>.
Original file line number	Diff line number	Diff line change
`@@ -316,6 +316,7 @@ public RangeItemHeaderValue(long? from, long? to) { }`
`316`	`316`	`}`
`317`	`317`	`public enum SameSiteMode`
`318`	`318`	`{`
	`319`	`+ Unspecified = -1,`
`319`	`320`	`None = 0,`
`320`	`321`	`Lax = 1,`
`321`	`322`	`Strict = 2,`
Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,14 @@ public class SetCookieHeaderValue`
`20`	`20`	`private const string SecureToken = "secure";`
`21`	`21`	`// RFC Draft: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00`
`22`	`22`	`private const string SameSiteToken = "samesite";`
	`23`	`+ private static readonly string SameSiteNoneToken = SameSiteMode.None.ToString().ToLower();`
`23`	`24`	`private static readonly string SameSiteLaxToken = SameSiteMode.Lax.ToString().ToLower();`
`24`	`25`	`private static readonly string SameSiteStrictToken = SameSiteMode.Strict.ToString().ToLower();`
	`26`	`+`
	`27`	`+ // True (old): https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-3.1`
	`28`	`+ // False (new): https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-4.1.1`
	`29`	`+ internal static bool SuppressSameSiteNone;`
	`30`	`+`
`25`	`31`	`private const string HttpOnlyToken = "httponly";`
`26`	`32`	`private const string SeparatorToken = "; ";`
`27`	`33`	`private const string EqualsToken = "=";`
`@@ -36,6 +42,14 @@ private static readonly HttpHeaderParser<SetCookieHeaderValue> MultipleValuePars`
`36`	`42`	`private StringSegment _name;`
`37`	`43`	`private StringSegment _value;`
`38`	`44`
	`45`	`+ static SetCookieHeaderValue()`
	`46`	`+ {`
	`47`	`+ if (AppContext.TryGetSwitch("Microsoft.AspNetCore.SuppressSameSiteNone", out var enabled))`
	`48`	`+ {`
	`49`	`+ SuppressSameSiteNone = enabled;`
	`50`	`+ }`
	`51`	`+ }`
	`52`	`+`
`39`	`53`	`private SetCookieHeaderValue()`
`40`	`54`	`{`
`41`	`55`	`// Used by the parser to create a new instance of this type.`
`@@ -92,16 +106,17 @@ public StringSegment Value`
`92`	`106`
`93`	`107`	`public bool Secure { get; set; }`
`94`	`108`
`95`		`- public SameSiteMode SameSite { get; set; }`
	`109`	`+ public SameSiteMode SameSite { get; set; } = SuppressSameSiteNone ? SameSiteMode.None : SameSiteMode.Unspecified;`
`96`	`110`
`97`	`111`	`public bool HttpOnly { get; set; }`
`98`	`112`
`99`		`- // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict\|Lax}; httponly`
	`113`	`+ // name="value"; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={strict\|lax\|none}; httponly`
`100`	`114`	`public override string ToString()`
`101`	`115`	`{`
`102`	`116`	`var length = _name.Length + EqualsToken.Length + _value.Length;`
`103`	`117`
`104`	`118`	`string maxAge = null;`
	`119`	`+ string sameSite = null;`
`105`	`120`
`106`	`121`	`if (Expires.HasValue)`
`107`	`122`	`{`
`@@ -129,9 +144,20 @@ public override string ToString()`
`129`	`144`	`length += SeparatorToken.Length + SecureToken.Length;`
`130`	`145`	`}`
`131`	`146`
`132`		`- if (SameSite != SameSiteMode.None)`
	`147`	`+ // Allow for Unspecified (-1) to skip SameSite`
	`148`	`+ if (SameSite == SameSiteMode.None && !SuppressSameSiteNone)`
	`149`	`+ {`
	`150`	`+ sameSite = SameSiteNoneToken;`
	`151`	`+ length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;`
	`152`	`+ }`
	`153`	`+ else if (SameSite == SameSiteMode.Lax)`
`133`	`154`	`{`
`134`		`- var sameSite = SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken;`
	`155`	`+ sameSite = SameSiteLaxToken;`
	`156`	`+ length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;`
	`157`	`+ }`
	`158`	`+ else if (SameSite == SameSiteMode.Strict)`
	`159`	`+ {`
	`160`	`+ sameSite = SameSiteStrictToken;`
`135`	`161`	`length += SeparatorToken.Length + SameSiteToken.Length + EqualsToken.Length + sameSite.Length;`
`136`	`162`	`}`
`137`	`163`
`@@ -140,9 +166,9 @@ public override string ToString()`
`140`	`166`	`length += SeparatorToken.Length + HttpOnlyToken.Length;`
`141`	`167`	`}`
`142`	`168`
`143`		`- return string.Create(length, (this, maxAge), (span, tuple) =>`
	`169`	`+ return string.Create(length, (this, maxAge, sameSite), (span, tuple) =>`
`144`	`170`	`{`
`145`		`- var (headerValue, maxAgeValue) = tuple;`
	`171`	`+ var (headerValue, maxAgeValue, sameSite) = tuple;`
`146`	`172`
`147`	`173`	`Append(ref span, headerValue._name);`
`148`	`174`	`Append(ref span, EqualsToken);`
`@@ -180,9 +206,9 @@ public override string ToString()`
`180`	`206`	`AppendSegment(ref span, SecureToken, null);`
`181`	`207`	`}`
`182`	`208`
`183`		`- if (headerValue.SameSite != SameSiteMode.None)`
	`209`	`+ if (sameSite != null)`
`184`	`210`	`{`
`185`		`- AppendSegment(ref span, SameSiteToken, headerValue.SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);`
	`211`	`+ AppendSegment(ref span, SameSiteToken, sameSite);`
`186`	`212`	`}`
`187`	`213`
`188`	`214`	`if (headerValue.HttpOnly)`
`@@ -248,9 +274,18 @@ public void AppendToStringBuilder(StringBuilder builder)`
`248`	`274`	`AppendSegment(builder, SecureToken, null);`
`249`	`275`	`}`
`250`	`276`
`251`		`- if (SameSite != SameSiteMode.None)`
	`277`	`+ // Allow for Unspecified (-1) to skip SameSite`
	`278`	`+ if (SameSite == SameSiteMode.None && !SuppressSameSiteNone)`
	`279`	`+ {`
	`280`	`+ AppendSegment(builder, SameSiteToken, SameSiteNoneToken);`
	`281`	`+ }`
	`282`	`+ else if (SameSite == SameSiteMode.Lax)`
`252`	`283`	`{`
`253`		`- AppendSegment(builder, SameSiteToken, SameSite == SameSiteMode.Lax ? SameSiteLaxToken : SameSiteStrictToken);`
	`284`	`+ AppendSegment(builder, SameSiteToken, SameSiteLaxToken);`
	`285`	`+ }`
	`286`	`+ else if (SameSite == SameSiteMode.Strict)`
	`287`	`+ {`
	`288`	`+ AppendSegment(builder, SameSiteToken, SameSiteStrictToken);`
`254`	`289`	`}`
`255`	`290`
`256`	`291`	`if (HttpOnly)`
`@@ -302,7 +337,7 @@ public static bool TryParseStrictList(IList<string> inputs, out IList<SetCookieH`
`302`	`337`	`return MultipleValueParser.TryParseStrictValues(inputs, out parsedValues);`
`303`	`338`	`}`
`304`	`339`
`305`		`- // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict\|Lax}; httponly`
	`340`	`+ // name=value; expires=Sun, 06 Nov 1994 08:49:37 GMT; max-age=86400; domain=domain1; path=path1; secure; samesite={Strict\|Lax\|None}; httponly`
`306`	`341`	`private static int GetSetCookieLength(StringSegment input, int startIndex, out SetCookieHeaderValue parsedValue)`
`307`	`342`	`{`
`308`	`343`	`Contract.Requires(startIndex >= 0);`
`@@ -437,25 +472,34 @@ private static int GetSetCookieLength(StringSegment input, int startIndex, out S`
`437`	`472`	`{`
`438`	`473`	`result.Secure = true;`
`439`	`474`	`}`
`440`		`- // samesite-av = "SameSite" / "SameSite=" samesite-value`
`441`		`- // samesite-value = "Strict" / "Lax"`
	`475`	`+ // samesite-av = "SameSite=" samesite-value`
	`476`	`+ // samesite-value = "Strict" / "Lax" / "None"`
`442`	`477`	`else if (StringSegment.Equals(token, SameSiteToken, StringComparison.OrdinalIgnoreCase))`
`443`	`478`	`{`
`444`	`479`	`if (!ReadEqualsSign(input, ref offset))`
`445`	`480`	`{`
`446`		`- result.SameSite = SameSiteMode.Strict;`
	`481`	`+ result.SameSite = SuppressSameSiteNone ? SameSiteMode.Strict : SameSiteMode.Unspecified;`
`447`	`482`	`}`
`448`	`483`	`else`
`449`	`484`	`{`
`450`	`485`	`var enforcementMode = ReadToSemicolonOrEnd(input, ref offset);`
`451`	`486`
`452`		`- if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))`
	`487`	`+ if (StringSegment.Equals(enforcementMode, SameSiteStrictToken, StringComparison.OrdinalIgnoreCase))`
	`488`	`+ {`
	`489`	`+ result.SameSite = SameSiteMode.Strict;`
	`490`	`+ }`
	`491`	`+ else if (StringSegment.Equals(enforcementMode, SameSiteLaxToken, StringComparison.OrdinalIgnoreCase))`
`453`	`492`	`{`
`454`	`493`	`result.SameSite = SameSiteMode.Lax;`
`455`	`494`	`}`
	`495`	`+ else if (!SuppressSameSiteNone`
	`496`	`+ && StringSegment.Equals(enforcementMode, SameSiteNoneToken, StringComparison.OrdinalIgnoreCase))`
	`497`	`+ {`
	`498`	`+ result.SameSite = SameSiteMode.None;`
	`499`	`+ }`
`456`	`500`	`else`
`457`	`501`	`{`
`458`		`- result.SameSite = SameSiteMode.Strict;`
	`502`	`+ result.SameSite = SuppressSameSiteNone ? SameSiteMode.Strict : SameSiteMode.Unspecified;`
`459`	`503`	`}`
`460`	`504`	`}`
`461`	`505`	`}`