The point of this MR is to make use of the SameSite extended cookie attribute
that's supported in most browsers and in Zope.
This is in order to add extra protection against cross-origin requests as a way to fix #20181019-3CB56B.
In its current form, it breaks officejs which uses cross origin cookies.