New Feature: Added Support for cookie's SameSite attribute.

docs/config.rst

@@ -208,6 +208,14 @@ The following configuration values are used internally by Flask:
 
     Default: ``False``
 
+.. py:data:: SESSION_COOKIE_SAMESITE
+
+    Browser will only send cookies to the domain that created them.
+    There are two possible values for the same-site attribute: "Strict" and "Lax"
+    If set to "None", the samesite flag is not set.
+
+    Default: ``None``
+
 .. py:data:: PERMANENT_SESSION_LIFETIME
 
     If ``session.permanent`` is true, the cookie's expiration will be set this
@@ -635,4 +643,3 @@ Example usage for both::
     # or via open_instance_resource:
     with app.open_instance_resource('application.cfg') as f:
         config = f.read()
-

docs/security.rst

@@ -195,16 +195,18 @@ They can be set on other cookies too.
 - ``HttpOnly`` protects the contents of cookies from being read with
   JavaScript.
 - ``SameSite`` ensures that cookies can only be requested from the same
-  domain that created them. It is not supported by Flask yet.
+  domain that created them. There are two possible values for the same-site
+  attribute: "Strict" and "Lax"
 
 ::
 
     app.config.update(
         SESSION_COOKIE_SECURE=True,
         SESSION_COOKIE_HTTPONLY=True,
+        SESSION_COOKIE_SAMESITE='Strict'
     )
 
-   response.set_cookie('username', 'flask', secure=True, httponly=True)
+   response.set_cookie('username', 'flask', secure=True, httponly=True, samesite='Strict')
 
 Specifying ``Expires`` or ``Max-Age`` options, will remove the cookie after
 the given time, or the current time plus the age, respectively. If neither