I have an ASP.NET web application running in IIS that handles the authentication session with cookies.
A customer wants to display this application inside an iframe of another application. However, AFAIK this would force me to set SameSite=None
for my auth cookie, which would make it vulnerable to CSRF attacks (and also fail in any pentest audit).
Is there any way to keep my auth cookies with SameSite=Lax
while displaying the application inside an iframe? If not, is there any secure alternative?
To answer my own question after much testing and reading: It's not possible to have SameSite=Lax cookies inside an iframe, and there is no secure workaround for this.
Furthermore, as pointed out by Heiko Theißen, this will be even more impossible when browsers start enforcing third-party cookie blocking.
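To make the trade-off concrete, here is a small model of the browser's SameSite attachment rule, added as an illustration and not code from the question, the answer or ASP.NET itself; it assumes site values are already reduced to registrable domains (e.g. "app.example") and that the embedded app is reached over HTTPS.

```javascript
// Added example: a minimal model of how a browser decides whether to attach a
// cookie to a request, depending on the cookie's SameSite attribute.
// "Site" values are assumed to be already-computed registrable domains.

// cookie:  { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// request: { cookieSite, topLevelSite, method, https, context }
//   context: "top-level" (navigating the tab itself) or "embedded"
//            (iframe load, fetch/XHR, image, or a form posted inside a frame)
function cookieAttached(cookie, request) {
  // Same-site requests are never restricted by SameSite.
  if (request.topLevelSite === request.cookieSite) return true;

  const safeMethod = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(request.method);
  switch (cookie.sameSite) {
    case "Strict":
      return false; // never attached to cross-site requests
    case "Lax":
      // Only top-level navigations using a safe method (e.g. clicking a link).
      return request.context === "top-level" && safeMethod;
    case "None":
      // Modern browsers reject SameSite=None unless Secure is also set,
      // and Secure cookies only travel over HTTPS.
      return cookie.secure && request.https;
    default:
      return false;
  }
}

// Scenario from the question (constructed sample values): the auth cookie
// belongs to app.example, and customer.example embeds the app in an iframe.
const iframeLoad = { cookieSite: "app.example", topLevelSite: "customer.example",
                     method: "GET", https: true, context: "embedded" };
const crossSitePost = { ...iframeLoad, method: "POST" }; // forged cross-site form POST
const linkClick = { ...iframeLoad, context: "top-level" };

const lax  = { sameSite: "Lax",  secure: true };
const none = { sameSite: "None", secure: true };

// Lax: the iframe never receives the session, so the embedded app looks logged out.
console.log("Lax, iframe:      ", cookieAttached(lax, iframeLoad));     // false
console.log("Lax, link click:  ", cookieAttached(lax, linkClick));      // true
console.log("Lax, cross POST:  ", cookieAttached(lax, crossSitePost));  // false
// None: the iframe works, but the same setting also attaches the session to a
// cross-site POST, which is exactly the CSRF exposure the question is worried
// about and why anti-forgery tokens become mandatory rather than optional.
console.log("None, iframe:     ", cookieAttached(none, iframeLoad));    // true
console.log("None, cross POST: ", cookieAttached(none, crossSitePost)); // true
```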