Fix a couple of issues w/ SameSite handling in session: make sure session start has the correct value, write the header where needed, and use None for the opt out frame so the session ID is sent when embedding the iframe.
Also, Firefox and Edge have announced support for SameSite cookies. Won't they restrict SameSite=None without Secure as well? Not sure if the check for Chrome makes sense here at all.
Just FYI, they have supported SameSite for a while already. What changes for Chrome is the default: when no SameSite attribute is specified, Lax is applied, and when it says None it must be Secure. AFAIK for Firefox etc. that's not the case just yet. We could probably apply the same behaviour across browsers already though. It just means opt out might be broken for a few more sites on http, but there might not be too many.
Updated to always add SameSite=Lax in JS. Seems to work for Chrome, Firefox & Safari. Didn't use old versions of Safari of course, though those have issues w/ None only.
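
The rule discussed in this thread (a cookie with no SameSite attribute is treated as Lax, and SameSite=None is only accepted together with Secure), as an added example that is not code from this PR. The function names, the `SESSID` cookie name and the sample values are hypothetical.

```javascript
// Added example, not code from the PR. All names and values are constructed.

// Pick attributes for a session cookie.
//   embedded: the cookie must be sent inside a third-party iframe (the opt out frame)
//   https:    the page is served over HTTPS
function sessionCookieAttributes(embedded, https) {
  if (embedded && https) {
    // Cross-site delivery needs None, and None is only accepted with Secure.
    return { sameSite: 'None', secure: true };
  }
  // On plain http, None cannot be paired with Secure, so fall back to Lax.
  return { sameSite: 'Lax', secure: https };
}

// Build the cookie string; SameSite is always written explicitly.
function serializeCookie(name, value, attrs) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/'];
  parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.secure) parts.push('Secure');
  return parts.join('; ');
}

// Simplified model of a browser that applies the Chrome behaviour described
// in the thread: missing attribute means Lax, None without Secure is rejected.
function browserTreatment(cookieString) {
  const attrs = cookieString.split(';').slice(1).map(s => s.trim().toLowerCase());
  const secure = attrs.includes('secure');
  const ss = attrs.find(a => a.startsWith('samesite='));
  const mode = ss ? ss.slice('samesite='.length) : 'lax';
  if (mode === 'none' && !secure) {
    return { accepted: false, sentInIframe: false };
  }
  return { accepted: true, sentInIframe: mode === 'none' };
}
```

In this model the http fallback to Lax keeps the cookie accepted but not sent inside the iframe, which is the "opt out might be broken on http" case mentioned above.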