How is SameSite defined for domains which are not on the public suffix list?


According to https://web.dev/articles/samesite-cookies-explained?hl=en:

The introduction of the SameSite attribute (defined in RFC6265bis) allows you to declare if your cookie should be restricted to a first-party or same-site context. It's helpful to understand exactly what 'site' means here. The site is the combination of the domain suffix and the part of the domain just before it. For example, the www.web.dev domain is part of the web.dev site.

So my understanding is that when I'm embedding a website at https://some.long.name.company.com with an IFrame and the embedded page is located at https://short.company.com, the site located at short.company.com is always able to set a cookie (no matter what Cookie-SameSite-Policy I have).

But I'm unsure if the same is true if the top-level domain is non-public (which means it’s not on the public suffix list). So, when I embed a website at https://some.long.name.company.local with an IFrame, could the embedded page at https://short.company.local still set a cookie when the SameSite-Policy is 'lax'?

Best answer

The specifications around same-site refer to the concept of registrable domain, which is, according to RFC6265bis:

the domain's public suffix plus the label to its left.

This says nothing about domains without a public suffix. But experiments with Chrome have led me to assume the following rule:

If no public suffix is found for a domain, the site consists of the last two labels. Therefore

I believe that this rule is what this code excerpt implements. The comments in the code say that if no public suffix is found ("No rule found in the registry"), the last label is used instead ("the last subcomponent"). Perhaps experts can confirm this.
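As an added example (not part of the original question or answer), the code below applies the Public Suffix List matching algorithm, in which a host that matches no rule falls under the implicit rule `*` (its last label is the public suffix), and derives the registrable domain that SameSite compares. The PSL subset is constructed for the example, and the scheme half of Chrome's schemeful same-site check is ignored.

```python
# Constructed subset of the Public Suffix List (not the full list): plain rules,
# one wildcard rule and one exception rule, the three rule kinds the real list uses.
PSL_RULES = ["com", "dev", "co.uk", "*.ck", "!www.ck"]


def _rule_matches(rule, labels):
    """PSL matching: compare label by label from the right; '*' matches any label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == h for r, h in zip(rule_labels, labels[-len(rule_labels):]))


def public_suffix(host):
    """Public suffix per the PSL algorithm: an exception rule wins, otherwise the
    rule with the most labels; with no match the implicit rule '*' (last label) applies."""
    labels = host.lower().rstrip(".").split(".")
    matches = [r for r in PSL_RULES if _rule_matches(r, labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        n = len(exceptions[0].split(".")) - 1   # exception: drop its leftmost label
    elif matches:
        n = max(len(r.split(".")) for r in matches)
    else:
        n = 1                                   # no rule found: implicit rule "*"
    return ".".join(labels[-n:])


def site_of(host):
    """Registrable domain (the RFC6265bis 'site'): public suffix plus the label to
    its left. Returns None when the host is itself a bare public suffix."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(host).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def same_site(host_a, host_b):
    """True when a SameSite=Lax/Strict cookie of one host is same-site to the other."""
    a, b = site_of(host_a), site_of(host_b)
    return a is not None and a == b


if __name__ == "__main__":
    # The hosts from the question: the .com pair and the private .local pair.
    for pair in [("some.long.name.company.com", "short.company.com"),
                 ("some.long.name.company.local", "short.company.local")]:
        print(pair, "->", site_of(pair[0]), site_of(pair[1]), same_site(*pair))
```

Under the implicit `*` rule, the answer's "last two labels" observation and the code comment's "last subcomponent" describe the same outcome from two ends: a one-label public suffix plus the label to its left is a two-label site, so company.local is the site for both .local hosts.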