clean up samesite docs

docs/security.rst

@@ -184,6 +184,9 @@ contains the same data. ::
 
 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 
+
+.. _security-cookie:
+
 Set-Cookie options
 ~~~~~~~~~~~~~~~~~~
 
@@ -194,19 +197,21 @@ They can be set on other cookies too.
 - ``Secure`` limits cookies to HTTPS traffic only.
 - ``HttpOnly`` protects the contents of cookies from being read with
   JavaScript.
-- ``SameSite`` ensures that cookies can only be requested from the same
-  domain that created them. There are two possible values for the same-site
-  attribute: "Strict" and "Lax"
+- ``SameSite`` restricts how cookies are sent with requests from
+  external sites. Can be set to ``'Lax'`` (recommended) or ``'Strict'``.
+  ``Lax`` prevents sending cookies with CSRF-prone requests from
+  external sites, such as submitting a form. ``Strict`` prevents sending
+  cookies with all external requests, including following regular links.
 
 ::
 
     app.config.update(
         SESSION_COOKIE_SECURE=True,
         SESSION_COOKIE_HTTPONLY=True,
-        SESSION_COOKIE_SAMESITE='Strict'
+        SESSION_COOKIE_SAMESITE='Lax',
     )
 
-   response.set_cookie('username', 'flask', secure=True, httponly=True, samesite='Strict')
+    response.set_cookie('username', 'flask', secure=True, httponly=True, samesite='Lax')
 
 Specifying ``Expires`` or ``Max-Age`` options, will remove the cookie after
 the given time, or the current time plus the age, respectively. If neither
@@ -239,6 +244,9 @@ values (or any values that need secure signatures).
 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
 
+.. _samesite_support: https://caniuse.com/#feat=same-site-cookie-attribute
+
+
 HTTP Public Key Pinning (HPKP)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~