SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. Example:
Set-Cookie: jsessionid=asdiifiwiaifiai; secure; HttpOnly; SameSite=Lax
The default lax value provides a reasonable balance between security and usability for websites that want to maintain users' logged-in sessions after the user arrives from an external link. The session cookie would be allowed when following a regular link from an external website while being blocked in CSRF-prone request methods (e.g. POST).
I think Ghost could use that too as it's backwards compatible as well: https://caniuse.com/#search=SameSite
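To make the behaviour described above concrete, here is an added example (not Ghost's code and not part of the original post) that models the browser-side SameSite decision in plain JavaScript: it parses a Set-Cookie header like the one quoted above and answers whether the cookie would be attached to a given request. The `shouldSendCookie` function, the request shape (`method`, `crossSite`, `topLevelNavigation`, `https`) and the cookie string are my own constructions for illustration; treating a missing SameSite attribute as Lax is an assumption that follows the post's "default lax" wording and current Chrome behaviour.

```javascript
// Added example: a small model of how a browser applies SameSite to an
// outgoing request. Not Ghost's code; the request shape is made up for the demo.

// Safe methods per RFC 7231; Lax allows cross-site top-level navigations using these.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse the parts of a Set-Cookie header that matter for this decision.
// Returns null when the cookie would be rejected by a modern browser
// (SameSite=None without Secure).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax', // assumption: unspecified SameSite is treated as Lax
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    switch (k.toLowerCase()) {
      case 'secure':
        cookie.secure = true;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      case 'samesite': {
        const val = v.toLowerCase();
        cookie.sameSite = val === 'strict' ? 'Strict' : val === 'none' ? 'None' : 'Lax';
        break;
      }
      default:
        break; // Path, Domain, Expires, Max-Age are irrelevant to this model
    }
  }
  if (cookie.sameSite === 'None' && !cookie.secure) return null;
  return cookie;
}

// Decide whether the browser attaches `cookie` to `req`.
// req = { method, crossSite, topLevelNavigation, https }
function shouldSendCookie(cookie, req) {
  if (cookie.secure && !req.https) return false;     // Secure cookies never go over plain HTTP
  if (!req.crossSite) return true;                    // same-site requests are unaffected by SameSite
  if (cookie.sameSite === 'None') return true;        // explicitly opted in to cross-site use
  if (cookie.sameSite === 'Strict') return false;     // never sent cross-site, not even on link clicks
  // Lax: only on top-level navigations (link click, redirect) with a safe method.
  return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
}

// The cookie string from the post, run through the scenarios it describes.
const SESSION_COOKIE = 'jsessionid=asdiifiwiaifiai; secure; HttpOnly; SameSite=Lax';

function sessionCookieDecisions() {
  const cookie = parseSetCookie(SESSION_COOKIE);
  const r = (method, crossSite, topLevelNavigation, https = true) =>
    shouldSendCookie(cookie, { method, crossSite, topLevelNavigation, https });
  return {
    sameSitePost: r('POST', false, true),          // normal form submit on the site itself
    externalLinkClick: r('GET', true, true),       // user follows a link from another site
    crossSiteFormPost: r('POST', true, true),      // the classic CSRF vector
    crossSiteImageOrFetch: r('GET', true, false),  // <img>/fetch from another site
    plainHttpLink: r('GET', true, true, false),    // Secure flag blocks it over http://
  };
}

console.log(sessionCookieDecisions());
```

The Lax decision is what lets a user who clicks a link to the admin panel from another site arrive logged in, while a hidden cross-site form POST is sent without the session cookie and so cannot act on the user's behalf.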