Newsgroups: php.internals
To: Lars Strojny, "internals@lists.php.net"
Message-ID: <60cf3e36-384a-e90f-fd09-88b0de6b0ba5@gmx.de>
In-Reply-To: <00CA5219-C7C8-49C8-897E-4CC6C3AA2C81@strojny.net>
Date: Sat, 26 Aug 2017 00:18:16 +0200
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 25.08.2017 at 22:54, Lars Strojny wrote:

> I strongly believe this is something we should ship with 7.2. That
> would give the ecosystem a 1-year head with a feature that could
> eventually help eradicate CSRF. I would argue that this is worth the
> unorthodox circumnavigation of our policies. Do you think that's
> outrageously crazy?

Considering the current browser support
(https://caniuse.com/#search=samesite), I am not convinced that any rush
is appropriate. In the worst case, developers might rely on this feature,
while in fact the option is ignored by many browsers, and as such gives a
false sense of security.

--
Christoph M. Becker
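The caveat above, turned into application code: the following is an added example, not the RFC's patch and not code from php-src. It assumes the options-array form of setcookie() with a 'samesite' key, which PHP 7.3 introduced (the 7.2 target discussed in the thread does not have it; there the attribute would have to be emitted by hand with header('Set-Cookie: ...')). The function and variable names are the example's own. The server cannot tell whether the browser honoured SameSite, so the cookie attribute is layered on top of a per-session CSRF token rather than replacing it.

```php
<?php
declare(strict_types=1);

// Added example; assumes PHP >= 7.3 for the setcookie() options array.
// SameSite is defence in depth here: a browser that does not implement the
// attribute ignores it silently, so the token check below always runs.

function issue_session_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,       // session cookie
        'path'     => '/',
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // not readable from script
        'samesite' => 'Lax',   // ignored by browsers that predate the attribute
    ]);
}

// Returns the session's CSRF token, generating it on first use.
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the session's token.
function csrf_token_is_valid(array $session, array $post): bool
{
    if (!isset($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    if (!is_string($session['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Handler for a state-changing request. The token is what the server can
// actually verify, whatever the browser did with the SameSite attribute.
function handle_transfer(array $session, array $post): array
{
    if (!csrf_token_is_valid($session, $post)) {
        return [403, 'rejected: missing or wrong CSRF token'];
    }
    return [200, 'accepted: transfer of ' . (string) ($post['amount'] ?? '0')];
}

// Constructed demo input; no real session store or HTTP request is involved.
$session = [];
issue_session_cookie('PHPSESSID', bin2hex(random_bytes(16)));
$token = csrf_token($session);

// Request from the site's own form, carrying the token.
[$code, $msg] = handle_transfer($session, ['amount' => '100', 'csrf_token' => $token]);
echo "$code $msg\n";

// Cross-site POST: the cookie arrives if the browser ignored SameSite, but the
// attacker's page cannot read the token, so the request is still refused.
[$code, $msg] = handle_transfer($session, ['amount' => '100']);
echo "$code $msg\n";
```

Run it with `php example.php`; the first request prints a 200 line and the second a 403 line. The token must be embedded in each form (or sent in a header by the site's own script); a cookie alone is sent by the browser regardless of who initiated the request, which is exactly the gap SameSite addresses only in browsers that implement it.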