I’ve spent a very long time figuring out a similar issue was caused by this samsite=lax behaviour:
https://github.com/mozilla/discourse/issues/156
This fixes my issue - at least on macOS Mojave - so I assume it fixes it on iOS too. Thanks!
I’d also like to know people’s opinions on this.
What with this being the Mozilla Discourse and all, we don’t have a huge amount of traffic from Safari, so don’t want to make ourselves vulnerable to CSRF attacks for something which will benefit a very small proportion of our users.