response.setHeader("Set-Cookie", "HttpOnly;Secure;SameSite=Strict");

Http iframes are not shown in https pages in many major browsers. Please read this post for details.