
httpOnly Session Cookies in an iframe context in the future w/o SameSite=None

Çağlar Arlı - 96 Views


My website is using session cookies (with the SameSite=Lax, Secure and HttpOnly attributes) and a CSRF token stored in localStorage. Recently I developed a Teams app, which essentially loads the website through an iframe (there is no other option than iframes). For the sessions to work, I would need to change the cookie attribute to SameSite=None. However, Google will disallow SameSite=None cookies in the future (making this not an option).

I'd like to keep session cookies with the HttpOnly attribute, because it protects against XSS session stealing (in contrast to localStorage/sessionStorage). Is there any option for keeping HttpOnly session cookies while still being able to load my website via an iframe (as required by the Teams app)?

If not, won't Google's privacy initiative reduce session security by a lot? For sure one can adhere to XSS prevention best practices; nevertheless, a non-negligible chance of having XSS vulnerabilities remains.
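To make the cookie behaviour the question turns on concrete, here is an added example (not from the original post, and not the author's Teams app code) that serializes the post's cookie attributes into a Set-Cookie header and models, in simplified form, the SameSite rule a browser applies when deciding whether to attach that cookie to a request. The hostnames app.example.com and teams.microsoft.com are placeholders chosen for the illustration; the "site" comparison is approximated by the last two DNS labels, and Chrome's temporary Lax+POST exception and the Partitioned attribute are deliberately left out of the model.

```javascript
// Added example: a simplified model of browser SameSite cookie handling.
// Not from the original post. Hostnames are placeholders; siteOf() approximates
// the registrable domain by the last two labels (good enough for .com hosts,
// not for e.g. .co.uk). Lax+POST exception and Partitioned cookies are ignored.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Approximate "site" (scheme ignored, registrable domain = last two labels).
function siteOf(url) {
  const labels = new URL(url).hostname.split('.');
  return labels.slice(-2).join('.');
}

// Serialize cookie attributes the way the server would emit them.
function setCookieHeader(name, value, attrs) {
  const parts = [`${name}=${value}`];
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.httpOnly) parts.push('HttpOnly');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join('; ');
}

// Decide whether `cookie` would be attached to `req`.
// req = { url, topLevelSite, method, isTopLevelNavigation }
function cookieWouldBeSent(cookie, req) {
  const requestUrl = new URL(req.url);
  // A Secure cookie is never sent over plain http.
  if (cookie.secure && requestUrl.protocol !== 'https:') return false;

  // Same-site requests are unaffected by the SameSite attribute.
  if (siteOf(req.url) === siteOf(req.topLevelSite)) return true;

  // Cross-site request: apply the SameSite rule (unspecified defaults to Lax).
  const mode = (cookie.sameSite || 'Lax').toLowerCase();
  switch (mode) {
    case 'strict':
      return false;
    case 'lax':
      // Only top-level navigations with a safe method carry Lax cookies;
      // an iframe load is a subframe navigation, so this is false for it.
      return req.isTopLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    case 'none':
      // SameSite=None is only accepted together with Secure.
      return cookie.secure === true;
    default:
      return false;
  }
}

// The scenario from the post: the site is loaded inside an iframe whose
// top-level page is on a different site (placeholder hostnames).
function iframeScenario(sameSite, { secure = true } = {}) {
  const cookie = { name: 'sid', value: 'abc123', secure, httpOnly: true, sameSite };
  const req = {
    url: 'https://app.example.com/dashboard',
    topLevelSite: 'https://teams.microsoft.com/',
    method: 'GET',
    isTopLevelNavigation: false, // iframe load, not a top-level navigation
  };
  return cookieWouldBeSent(cookie, req);
}

// Same cookie, but the user follows a link to the site from another site.
function topLevelLinkScenario(sameSite) {
  const cookie = { name: 'sid', value: 'abc123', secure: true, httpOnly: true, sameSite };
  const req = {
    url: 'https://app.example.com/dashboard',
    topLevelSite: 'https://app.example.com/dashboard',
    method: 'GET',
    isTopLevelNavigation: true,
  };
  return cookieWouldBeSent(cookie, req);
}

// Example usage:
// setCookieHeader('sid', 'abc123', { path: '/', secure: true, httpOnly: true, sameSite: 'Lax' })
// iframeScenario('Lax')  -> false (the post's current cookie is not sent in the iframe)
// iframeScenario('None') -> true
```

Running the scenarios shows the post's situation: with SameSite=Lax the session cookie is simply absent from the request the iframe makes, which is why SameSite=None (with Secure) is the attribute the author would have to switch to; the model also makes clear that HttpOnly plays no part in this decision, so it is the SameSite value, not HttpOnly, that stands between the cookie and the embedded context.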