There is a new internet draft which updates RFC6265 to add the "SameSite" attribute to Cookie.
The OWASP SameSite page describes it as follows:
SameSite allows a server to define a cookie attribute making it impossible for the browser to send this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage, and it provides some protection against cross-site request forgery attacks.
Further references and examples are also available in the following.
It would be worthwhile to start adding initial experimental support for the Same-site Cookie in Undertow.
Of course, I understand it's still in draft status and not yet fully implemented in many browsers at this moment. I also understand that it will not be available within servlet applications unless the servlet API javax.servlet.http.Cookie has been updated to add support for it.
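
While javax.servlet.http.Cookie has no setter for the attribute, one way to emit it is to build the Set-Cookie header value directly. The following is an added example, not Undertow code and not part of the original request; the class name, method name and sample header values are hypothetical, and it assumes the Strict and Lax values from the SameSite draft.

```java
import java.util.Locale;

// Added example, not Undertow code: class and method names are hypothetical.
public final class SameSiteCookieHeader {

    /** Enforcement values, assumed here to be Strict and Lax as in the SameSite draft. */
    public enum Mode {
        STRICT("Strict"), LAX("Lax");

        final String token;

        Mode(String token) { this.token = token; }
    }

    /**
     * Returns the Set-Cookie header value with "; SameSite=<mode>" appended.
     * A header that already carries a SameSite attribute is returned unchanged,
     * so an explicit choice made elsewhere is not overridden.
     */
    public static String withSameSite(String setCookieValue, Mode mode) {
        if (setCookieValue == null || setCookieValue.indexOf('=') <= 0) {
            throw new IllegalArgumentException("not a Set-Cookie value: " + setCookieValue);
        }
        // Attributes follow the first ';'. The name=value pair (index 0) is never
        // inspected, so a cookie whose value contains "samesite" is not mistaken
        // for the attribute.
        String[] parts = setCookieValue.split(";");
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("samesite") || attr.startsWith("samesite=")) {
                return setCookieValue;
            }
        }
        return setCookieValue + "; SameSite=" + mode.token;
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        String session = "JSESSIONID=abc123; Path=/app; Secure; HttpOnly";
        System.out.println(withSameSite(session, Mode.STRICT));

        String already = "prefs=dark; Path=/; SameSite=Lax";
        System.out.println(withSameSite(already, Mode.STRICT));
    }
}
```

In a servlet application the returned string can be passed to HttpServletResponse.addHeader("Set-Cookie", ...) in place of addCookie. Browsers that do not implement the draft ignore the unknown attribute and treat the cookie as before.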