SameSite Cookie Status:
Run another test from the External Site.
Since the page request within the <iframe> is a cross-site request, your browser will have checked the SameSite cookie attribute and only sent cookies that are allowed for requests <iframe>. All other cookies will have been blocked.
SameSite=Strict) should never be sent on cross-site requests.
SameSite=Lax) should only be sent on cross-site
SameSite=None; Secure) should always be sent on cross-site requests.
SameSite=None) is invalid and should be rejected by the browser and never sent. (Note: your browser may not block these cookies yet.)
SameSite attribute) will always be sent on cross-site requests until your browser rolls out
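The rules above, as an added example (not part of the original test page or its source code): a small JavaScript model that predicts which cookies accompany the cross-site <iframe> request. The cookie names, function names and the laxByDefault switch are assumptions made for illustration; the model assumes HTTPS and no separate third-party-cookie blocking.

```javascript
// Added example. Cookie names and helpers below are constructed for illustration.

// Parse one Set-Cookie header into { name, sameSite, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "secure") cookie.secure = true;
    if (k === "samesite") cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Is the cookie sent on a cross-site subresource request such as an <iframe> load?
// laxByDefault (assumed switch): the browser treats a missing attribute as Lax and
// rejects SameSite=None without Secure. Assumes HTTPS, no third-party-cookie blocking.
function sentInCrossSiteIframe(cookie, laxByDefault) {
  switch (cookie.sameSite) {
    case "strict":
      return false; // never sent cross-site
    case "lax":
      return false; // an <iframe> load is not a top-level navigation
    case "none":
      return cookie.secure || !laxByDefault; // insecure None is rejected once enforced
    default:
      return !laxByDefault; // attribute missing or unrecognised
  }
}

// Names of the cookies expected to arrive with the <iframe> request.
function predictSent(setCookieHeaders, laxByDefault) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => sentInCrossSiteIframe(c, laxByDefault))
    .map((c) => c.name);
}

// Constructed sample headers, one per case the page lists.
const SAMPLE_HEADERS = [
  "strict=1; Path=/; SameSite=Strict",
  "lax=1; Path=/; SameSite=Lax",
  "none_secure=1; Path=/; SameSite=None; Secure",
  "none_insecure=1; Path=/; SameSite=None",
  "unset=1; Path=/",
];
console.log("new defaults enforced:", predictSent(SAMPLE_HEADERS, true));
console.log("not yet enforced:     ", predictSent(SAMPLE_HEADERS, false));
```

Comparing the predicted list with the cookies the server actually receives in the <iframe> request shows whether the browser has rolled out the newer defaults.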
An experiment by Stephen Rees-Carter for "CSRF is dead (or is it?)" and "SameSite Cookies Deep Dive".
Source Code on GitHub, PRs welcome.