ColdFusion SetCookie UDF (Supports “SameSite”)

James Moberg - Mar 24 '20 - Dev Community

I attempted to post the following response regarding a ColdFusion bug that I reported back in March 2018, but Adobe's CFTracker web application wasn't working and refused to accept my post for an undisclosed reason.

CFCookie "samesite" support
https://tracker.adobe.com/#/view/CF-4201688

A third-party site's API recently triggered the following warning message in Chrome 78:

A cookie associated with a cross-site resource at http://jetio.streamguys.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032

I reported it to them and they fixed it within 2-3 days on their PHP platform.

As a workaround for CF2016 (and CF10 & 11), I'm using this modified UDF to set a CFCookie & a fallback "set-cookie" CFHeader. It duplicates the Set-Cookie response header, but if CFCookie isn't used, the value isn't added to the COOKIE scope for the current request. (The 2nd set-cookie header automatically overwrites the first one set by CF.)
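The two-cookie approach described above, as an added CFML example: this is not the author's UDF (which is not reproduced here), and the function name setCookieSameSite, its argument names, and the sample cookie names are assumptions. CFCookie populates the COOKIE scope, and a manually built Set-Cookie header carries the SameSite attribute that CFCookie cannot emit on CF10, CF11 or an unpatched CF2016. SameSite=None is forced to Secure, since Chrome 80+ rejects a None cookie without it.

```cfml
<!--- Added example, not the author's code. Tag syntax so it also runs on CF10/11. --->
<cffunction name="setCookieSameSite" returntype="string" output="false"
            hint="Sets a cookie via cfcookie (COOKIE scope) and a Set-Cookie header (SameSite)">
    <cfargument name="name"     type="string"  required="true">
    <cfargument name="value"    type="string"  required="true">
    <cfargument name="expires"  type="numeric" default="0"><!--- days; 0 = session cookie --->
    <cfargument name="path"     type="string"  default="/">
    <cfargument name="domain"   type="string"  default="">
    <cfargument name="secure"   type="boolean" default="false">
    <cfargument name="httpOnly" type="boolean" default="true">
    <cfargument name="sameSite" type="string"  default="Lax">

    <cfset var attrs  = structNew()>
    <cfset var header = "">

    <!--- Browsers ignore unknown SameSite tokens, so fail loudly instead --->
    <cfif NOT listFindNoCase("None,Lax,Strict", arguments.sameSite)>
        <cfthrow type="Application" message="Invalid SameSite value: #arguments.sameSite#">
    </cfif>

    <!--- Chrome 80+ only accepts SameSite=None when the cookie is also Secure --->
    <cfif arguments.sameSite EQ "None">
        <cfset arguments.secure = true>
    </cfif>

    <!--- 1) cfcookie: makes the value available in the COOKIE scope right away.
            Optional attributes are only added when set, via attributeCollection. --->
    <cfset attrs.name     = arguments.name>
    <cfset attrs.value    = arguments.value>
    <cfset attrs.path     = arguments.path>
    <cfset attrs.secure   = arguments.secure>
    <cfset attrs.httpOnly = arguments.httpOnly>
    <cfif arguments.expires GT 0>
        <cfset attrs.expires = arguments.expires>
    </cfif>
    <cfif len(arguments.domain)>
        <cfset attrs.domain = arguments.domain>
    </cfif>
    <cfcookie attributeCollection="#attrs#">

    <!--- 2) Manual Set-Cookie header carrying SameSite. The value is URL-encoded to
            match cfcookie's default encodeValue behaviour on CF10+, so both headers
            describe the same cookie. Expires must be an RFC 1123 GMT date. --->
    <cfset header = arguments.name & "=" & URLEncodedFormat(arguments.value)>
    <cfif arguments.expires GT 0>
        <cfset header &= "; Expires=" & getHttpTimeString(dateAdd("d", arguments.expires, now()))>
        <cfset header &= "; Max-Age=" & (arguments.expires * 86400)>
    </cfif>
    <cfset header &= "; Path=" & arguments.path>
    <cfif len(arguments.domain)>
        <cfset header &= "; Domain=" & arguments.domain>
    </cfif>
    <cfif arguments.secure>
        <cfset header &= "; Secure">
    </cfif>
    <cfif arguments.httpOnly>
        <cfset header &= "; HttpOnly">
    </cfif>
    <cfset header &= "; SameSite=" & arguments.sameSite>

    <cfheader name="Set-Cookie" value="#header#">
    <cfreturn header>
</cffunction>

<!--- Usage (cookie names are made up for this example) --->

<!--- Cookie that must travel with cross-site requests, e.g. an embedded widget:
      SameSite=None forces Secure, so it is only usable over HTTPS --->
<cfset setCookieSameSite(name="widget_session", value="abc 123", expires=7, sameSite="None")>

<!--- First-party cookie: Lax is the safer default --->
<cfset setCookieSameSite(name="prefs", value="dark", expires=30)>
```

The function returns the header string it emitted, which makes it easy to check in a test request with the browser's developer tools (Application > Storage > Cookies) that the cookie arrived with the expected SameSite and Secure flags. If CFCookie is ever left out, the COOKIE scope will not see the new value until the next request, which is the trade-off the paragraph above describes.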

Source Code


1/17/2020 Update

Adobe has indicated that this will be fixed in CF2016+, but it's 20 days away and nothing has been made available yet. On 1/16/2020, Google published Get Ready for New SameSite=None; Secure Cookie and listed other platforms that had same-site examples.


3/24/2020 Update

Adobe has posted manual patches for CF2016 & CF2018 on the bug report. (If using CF2016, download the CF2018 attachment as the instructions for CF2016 are incorrect.)

If you are still using ColdFusion 10 or 11, you can use this UDF or Pete Freitag's solution for IIS or Apache.
