[Web] Cookie policy header

 

A: Wrong. You should be able to access sub-domain

 

 

B: Wrong, HttpOnlyCookie can only be set from server side. Securemeans https only;

 

C: Correct. If you don't set the max time for cookie, it works like a session

D: Correct. By default, it set Same-Site=Lax

SameSite=Lax: This is a less restrictive model than Strict. Cookies will be withheld on cross-site subrequests, like loading images or frames, but will be sent when a user navigates to the URL from an external site, like by following a link.