As I mused elsewhere in this thread, why isn't: secure, HttpOnly and SameSite a default for cookies that you have to take action to disable. Gravity and backwards compatibility mostly.