I have a page on https://dskl.net/xsrf/setcookies.php which sets a cookie with the following header:
set-cookie: secure-cookie=secure; expires=Mon, 24-Jul-2023 11:27:06 GMT; Max-Age=31536000; path=/; domain=dskl.net; secure; HttpOnly
If I go to this page, the value of the cookie is displayed: https://dskl.net/xsrf/getcookies.php.
But if I make a POST request to that page from a form on a different domain, the cookie is also included in the request: https://manabase.com/xsrf/
Shouldn't a cookie without SameSite attribute be treated as SameSite=Lax and not have the cookie included in a cross-domain form post?
Strangely, if I make the form post a bit later, the cookie is not included. But if I delete the cookie and try again, it works again. What might be going on here?
That sounds like the "Lax + POST" intervention, see here. This is meant to support RelayState cookies during the SAML logon flow even in the absence of the SameSite attribute; see What is exactly RelayState parameter used in SSO (Ex. SAML)?.
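The behaviour the answer refers to can be modelled as a small decision function, shown here as an added illustration that is not part of the original question or answer and not browser source. It assumes the Chromium rules: a cookie with no SameSite attribute defaults to Lax, but on a top-level cross-site POST it is still sent if it was set less than 2 minutes earlier ("Lax-allowing-unsafe"); an explicit SameSite=Lax gets no such exemption. The request shape (crossSite, method, topLevelNavigation, https), the timestamps and the scenario function are constructed for the example; the Set-Cookie header is the one from the question. Cookie expiry, path and domain matching are not modelled.

```javascript
// Model of the SameSite default plus the "Lax + POST" intervention.
// Illustrative reimplementation for this example, not Chromium code.

const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // Chromium's 2-minute window

// Parse a Set-Cookie header value into { name, value, attrs } (attribute keys lower-cased,
// flag attributes such as Secure/HttpOnly stored as true).
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('=').trim(), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[k] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Effective SameSite mode. An explicit attribute wins; a missing or unrecognised one
// becomes Lax *with* the unsafe-method exemption (Chromium's "Lax-allowing-unsafe").
function effectiveSameSite(cookie) {
  const raw = cookie.attrs.samesite;
  if (typeof raw === 'string') {
    const v = raw.toLowerCase();
    if (v === 'strict' || v === 'lax' || v === 'none') return { mode: v, allowUnsafe: false };
  }
  return { mode: 'lax', allowUnsafe: true };
}

// Would the browser attach this cookie to the request?
// req: { crossSite, method, topLevelNavigation, https }; timestamps in ms.
function isCookieSent(cookie, req, cookieSetAt, now) {
  if (cookie.attrs.secure && !req.https) return false;      // Secure cookies need HTTPS
  if (!req.crossSite) return true;                           // same-site: always sent
  const { mode, allowUnsafe } = effectiveSameSite(cookie);
  if (mode === 'strict') return false;
  if (mode === 'none') return Boolean(cookie.attrs.secure);  // None is only valid with Secure
  // Lax: only top-level navigations, and normally only safe methods.
  if (!req.topLevelNavigation) return false;
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(req.method.toUpperCase());
  if (safe) return true;
  // Lax + POST intervention: a default-Lax cookie younger than 2 minutes still goes out.
  return allowUnsafe && (now - cookieSetAt) < LAX_POST_WINDOW_MS;
}

// Walk through the question's observations with constructed timestamps.
function scenario() {
  const header = 'secure-cookie=secure; expires=Mon, 24-Jul-2023 11:27:06 GMT; ' +
    'Max-Age=31536000; path=/; domain=dskl.net; secure; HttpOnly';
  const cookie = parseSetCookie(header);
  const formPost = { crossSite: true, method: 'POST', topLevelNavigation: true, https: true };
  const t0 = Date.parse('2022-07-24T11:27:06Z');   // constructed: when setcookies.php ran
  const min = 60 * 1000;
  return {
    postRightAway: isCookieSent(cookie, formPost, t0, t0 + 30 * 1000),     // within 2 min
    postLater: isCookieSent(cookie, formPost, t0, t0 + 3 * min),           // after 2 min
    // deleting and re-setting the cookie restarts the window
    postAfterReset: isCookieSent(cookie, formPost, t0 + 3 * min, t0 + 3 * min + 10 * 1000),
    // an explicit SameSite=Lax gets no exemption even when fresh
    explicitLax: isCookieSent(parseSetCookie(header + '; SameSite=Lax'), formPost, t0, t0 + 30 * 1000),
  };
}

console.log(scenario());
```

The three cases reproduce the question: the cross-site form POST carries the cookie right after it was set, stops carrying it a few minutes later, and carries it again once the cookie is deleted and re-set, because the age that matters is the time since the cookie was (re)created. Setting SameSite=Lax explicitly closes the window, which is the check a practitioner should make on any session or CSRF-relevant cookie rather than relying on the browser default.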