Newer versions of Tomcat (8.5.42 and 9.0.21 onward) and Jetty (9.4.21 onward) offer mechanisms for setting the same-site attribute on cookies. Neither mechanism is standardised, and the two are not compatible between containers. It looks like the earliest version of the Servlet Specification that will contain support for same-site is v5.1. Support for servlet spec v5.1 is likely (but not guaranteed) to arrive in Jetty version 11 and Tomcat 10.X. In my opinion most implementations of Java servlets use version 3.1 of the spec, and so a future using v5.1 seems a long way off.

Jetty's 'workaround' relies on encoding the same-site value into a cookie's comment attribute, which Jetty's own Response object later extracts and adds to the Set-Cookie header; v9.4.23 onward allows this to be set on the session cookie as well. Unless container 'sniffing' was used, this approach would fail silently inside other containers.
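
A container-neutral alternative to the mechanisms described above, as an added example that is not part of the original page or of either container's code: a response wrapper that uses only the Servlet 3.1 API, serialises each cookie itself and appends SameSite. The class name and the decision to force Secure alongside SameSite=None are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example: serialises cookies itself, so SameSite does not depend on
// Tomcat's or Jetty's container-specific mechanisms. Class name is hypothetical.
public class SameSiteResponseWrapper extends HttpServletResponseWrapper {

    private final String sameSite; // "Strict", "Lax" or "None"

    public SameSiteResponseWrapper(HttpServletResponse response, String sameSite) {
        super(response);
        if (!"Strict".equals(sameSite) && !"Lax".equals(sameSite) && !"None".equals(sameSite)) {
            throw new IllegalArgumentException("Unsupported SameSite value: " + sameSite);
        }
        this.sameSite = sameSite;
    }

    @Override
    public void addCookie(Cookie cookie) {
        // Bypass the container's cookie serialiser and write the header directly.
        addHeader("Set-Cookie", format(cookie, sameSite));
    }

    static String format(Cookie c, String sameSite) {
        StringBuilder sb = new StringBuilder(c.getName()).append('=').append(safe(c.getValue()));
        if (c.getPath() != null) sb.append("; Path=").append(safe(c.getPath()));
        if (c.getDomain() != null) sb.append("; Domain=").append(safe(c.getDomain()));
        if (c.getMaxAge() >= 0) sb.append("; Max-Age=").append(c.getMaxAge());
        // Assumption: force Secure with SameSite=None, since browsers reject the pair otherwise.
        if (c.getSecure() || "None".equals(sameSite)) sb.append("; Secure");
        if (c.isHttpOnly()) sb.append("; HttpOnly");
        return sb.append("; SameSite=").append(sameSite).toString();
    }

    // Reject characters that would let a value inject extra attributes or headers.
    private static String safe(String v) {
        if (v == null) return "";
        for (int i = 0; i < v.length(); i++) {
            char ch = v.charAt(i);
            if (ch < 0x20 || ch == 0x7f || ch == ';') {
                throw new IllegalArgumentException("Illegal character in cookie attribute");
            }
        }
        return v;
    }
}
```

A servlet filter would pass `new SameSiteResponseWrapper(response, "Lax")` down the chain. A session cookie that the container writes through its own internal response object does not pass through `addCookie` on this wrapper, so it is not covered.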
