CSRF token invalid when attempting sign in on non-HTTPS (prevents anyone from testing Sourcegraph using quickstart guide)
Created by: slimsag
Likely a regression due to a Chrome change - but this would prevent literally anyone using Chrome from trying out Sourcegraph following our quickstart guide (and likely does today!), so I am flagging as a release-blocker.
- Start a `sourcegraph/server` instance using the latest `insiders`.
- Navigate to `http://localhost:7080` as it instructs using Chrome.
- Try to create the site admin account and get an error:
Chrome shows it is blocking sending the CSRF cookie because Secure is not set (as expected, the server is not using HTTPS) and SameSite=None is an illegal cookie option without Secure:
Probably specifically in the case of not setting Secure (no HTTPS) we should set SameSite=Strict? Need to think about consequences of doing that.
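To make the cookie rule concrete, here is a small Go example (added for illustration; it is not Sourcegraph's code, and the cookie name `sg_csrf_token`, the helper names and the token value are all constructed). `csrfCookie` sets the attributes based on whether the request was served over HTTPS: `SameSite=None` only together with `Secure`, and `SameSite=Strict` on plain HTTP, which is the fallback this issue proposes. `legacyCsrfCookie` reproduces the shape described above (`SameSite=None` without `Secure`), and `chromeAccepts` encodes the rule Chrome enforces so the two variants can be compared side by side.

```go
package main

import (
	"fmt"
	"net/http"
)

// csrfCookie builds the CSRF cookie for a response. Over HTTPS the cookie
// may be sent cross-site (SameSite=None), which browsers only accept when
// Secure is also set. Over plain HTTP, Secure cannot be used, so the cookie
// falls back to SameSite=Strict instead. Hypothetical helper, not
// Sourcegraph's own implementation.
func csrfCookie(token string, https bool) *http.Cookie {
	c := &http.Cookie{
		Name:     "sg_csrf_token", // constructed name, not the real cookie name
		Value:    token,
		Path:     "/",
		HttpOnly: true,
	}
	if https {
		c.Secure = true
		c.SameSite = http.SameSiteNoneMode
	} else {
		c.SameSite = http.SameSiteStrictMode
	}
	return c
}

// legacyCsrfCookie mirrors the misconfiguration the issue describes:
// SameSite=None is set regardless of transport, so on HTTP the cookie
// lacks Secure and modern Chrome rejects it.
func legacyCsrfCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name:     "sg_csrf_token",
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteNoneMode,
	}
}

// chromeAccepts applies the browser rule: a cookie with SameSite=None
// must also carry Secure; anything else is accepted by this check.
func chromeAccepts(c *http.Cookie) bool {
	if c.SameSite == http.SameSiteNoneMode && !c.Secure {
		return false
	}
	return true
}

func main() {
	fmt.Printf("legacy over HTTP:  %q accepted=%v\n",
		legacyCsrfCookie("constructed-token").String(),
		chromeAccepts(legacyCsrfCookie("constructed-token")))
	for _, https := range []bool{false, true} {
		c := csrfCookie("constructed-token", https)
		fmt.Printf("fixed  https=%-5v %q accepted=%v\n", https, c.String(), chromeAccepts(c))
	}
}
```

Running it prints the `Set-Cookie` header each variant would emit next to whether Chrome's rule accepts it; the legacy HTTP cookie is the only one rejected. Choosing `Strict` rather than `Lax` for the HTTP case is the open question in the issue: `Strict` also blocks the cookie on top-level navigations from other sites, which is what needs thinking through.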

