The behavior here has evolved many times over the last 12 years.
Lets go backwards through the spec and you'll see it's not a matter of "Do This" in a specific spec.
But one of "Anything But This" causes the behavior you are experiencing.
Keep in mind that this behavior was basically defined in the Jakarta Servlet spec during Servlet 4.0, but was finally TCKd recently.
RFC 6265 - HTTP State Management MechanismPublished: April 2011
Obsoletes: RFC 2965
Described for HTTP/1.1 (RFC7230) and HTTP/2 (RFC7540)
It defines an attribute as only (and they mean ONLY) ...
Expires = <sane-cookie-date>
Max-Age = <non-zero-digit *DIGIT>
Domain = <domain-value>
Path = <path-value>
Secure
HttpOnly
This decision was made to restrict what can be an attribute very strictly to only those named in the spec.
Anything else is not an attribute and is intepreted as a new cookie.
This is simply because the attribute starts with a `$` which is not recognized by this RFC.
All of the remnants of Version'd cookies, and the Netscape cookie spec have been purged (finally)
Note: "SameSite" is a new attribute that currently exists as a draft at
https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-10 Which will update RFC 6265 once approved.
RFC 2965 - HTTP State Management MechanismPublished: October 2000
Obsoletes: RFC 2109
Described for HTTP/1.1 - RFC 2616
This defines an attribute as
av-pairs = av-pair *(";" av-pair)
av-pair = attr ["=" value] ; optional value
attr = token
value = token | quoted-string
Which allows for anything to be an attribute.
As long as it satisfies the RFC2616 <token> rules.
It went so far as to define that the specific attribute names starting with `$` are reserved and MUST NOT be used by applications.
Which only defined `$Path` and `$Domain` and `$Port` as reserved.
The other attributes, such as `HttpOnly` and `Secure` are part of the non-reserved space, but are increasingly showing up as mandatory parts of the spec.
This spec still defines the versioned spec
RFC 2109 - HTTP State Management MechanismPublished: February 1997
Obsoletes: Nothing (this is the first Cookie spec)
Described for HTTP/1.0 - RFC 1945
This is the original spec, that defined `$Version="1"` cookies.