Newsgroups: php.internals
Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC
From: narf@devilix.net (Andrey Andreev)
Date: Mon, 30 Jul 2018 12:51:30 +0300
To: Yasuo Ohgaki
Cc: Niklas Keller, Pedro Magalhães, "Frederik Bosch | Genkgo", Stas Malyshev, PHP internals

On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki wrote:
> On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev wrote:
>>
>> Hi,
>>
>> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki wrote:
>> >
>> > One thing regarding implementation.
>> > Since the internet RFC has only 2 values for "samesite", the parameter can be
>> > bool rather than string so that users can avoid "broken security by a typo".
>> > If "samesite" has more than 2 values, the INI handler can be changed so that it can
>> > handle both bool and string parameters.
>> >
>>
>> The attribute has 2 possible values, but those are 2 different modes
>> of operation *when enabled*, not 2 states in total. It doesn't fit in
>> a boolean, and even if it did it wouldn't be forward-compatible that
>> way.
>
>
> What do you mean by "those are 2 different modes
> of operation *when enabled*, not 2 states in total."?
>
> samesite-value = "Strict" / "Lax"
>
> Flag is flag. It does not matter if it is used as combined values.
>
> An INI value can be bool and string/etc. Even when a 3rd value is added, it can
> be supported. Such INIs exist in PHP already.
>

A boolean makes sense for Secure and HttpOnly, where the flag either exists or not. That's not what we have here, as SameSite=Lax is not the same thing as not having SameSite at all.

bool(false) may make sense as an Off switch, yes, but that's not what you suggested ...

Cheers,
Andrey.
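The three-state distinction argued in this thread (attribute absent, SameSite=Lax, SameSite=Strict), as an added example that is not from the RFC, the thread, or PHP's own setcookie() implementation: a small header builder that uses a nullable, allow-listed string for SameSite, so a typo is rejected instead of silently producing a cookie without the protection, while a third value can later be added to the list without changing the parameter type. The function name and the SAMESITE_VALUES constant are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not PHP's setcookie()). Allowed
// SameSite values; a future third value is added here, not by changing
// the parameter type from string to bool.
const SAMESITE_VALUES = ['Strict', 'Lax'];

/**
 * Build a Set-Cookie header value.
 *
 * @param string|null $sameSite null = attribute omitted entirely (the
 *                              "off" state, distinct from Lax);
 *                              otherwise exactly one of SAMESITE_VALUES.
 * @throws InvalidArgumentException on a misspelled value, so a typo
 *         fails loudly rather than weakening the cookie.
 */
function buildSetCookie(string $name, string $value, ?string $sameSite = null,
                        bool $secure = true, bool $httpOnly = true): string
{
    $parts = [rawurlencode($name) . '=' . rawurlencode($value)];
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($httpOnly) {
        $parts[] = 'HttpOnly';
    }
    if ($sameSite !== null) {
        if (!in_array($sameSite, SAMESITE_VALUES, true)) {
            throw new InvalidArgumentException("Invalid SameSite value: $sameSite");
        }
        $parts[] = 'SameSite=' . $sameSite;
    }
    return implode('; ', $parts);
}

// Three distinct states, which is why a bool cannot represent them:
header('Set-Cookie: ' . buildSetCookie('sid', 'abc'));            // attribute omitted
header('Set-Cookie: ' . buildSetCookie('sid', 'abc', 'Lax'));     // Lax mode
header('Set-Cookie: ' . buildSetCookie('sid', 'abc', 'Strict'));  // Strict mode

// A typo is rejected instead of being sent as an unrecognised attribute.
try {
    buildSetCookie('sid', 'abc', 'Stric');
} catch (InvalidArgumentException $e) {
    error_log($e->getMessage());
}
```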