Newsgroups: php.internals
Date: Mon, 6 Aug 2018 17:53:33 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andrey Andreev
Cc: Niklas Keller, mail@pmmaga.net, f.bosch@genkgo.nl, Stas Malyshev, PHP internals
Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

On Mon, Jul 30, 2018 at 6:51 PM Andrey Andreev wrote:
> On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki wrote:
> > On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev wrote:
> >>
> >> Hi,
> >>
> >> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki wrote:
> >> >
> >> > One thing regarding implementation.
> >> > Since the internet RFC has only 2 values for "samesite", the parameter
> >> > can be bool rather than string so that users can avoid "broken security
> >> > by a typo".
> >> > If "samesite" has more than 2 values, the INI handler can be changed so
> >> > that it can handle both bool and string parameters.
> >> >
> >>
> >> The attribute has 2 possible values, but those are 2 different modes
> >> of operation *when enabled*, not 2 states in total. It doesn't fit in
> >> a boolean, and even if it did it wouldn't be forward-compatible that
> >> way.
> >
> >
> > What do you mean by "those are 2 different modes
> > of operation *when enabled*, not 2 states in total."?
> >
> > samesite-value = "Strict" / "Lax"
> >
> > Flag is flag. It does not matter if it is used as combined values.
> >
> > An INI value can be bool and string/etc. Even when a 3rd value is added,
> > it can be supported. Such INIs exist in PHP already.
> >
>
> A boolean makes sense for Secure and HTTPonly, where the flag either
> exists or not. That's not what we have here, as SameSite=Lax is not
> the same thing as not having SameSite at all.
>
> bool(false) may make sense as an Off switch, yes, but that's not what
> you suggested ...
>

Bool actually has 3 values: true/false/null (empty).
So there isn't an issue with being a bool INI. It's much more secure than
string, since the current code does not have validation, i.e. a typo breaks
the security setting.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
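The two points argued in this message (a setting that accepts both bool and string spellings, and the risk that an unvalidated string silently drops the SameSite attribute on a typo) can be illustrated in a few lines. The following is an added example, not code from PHP itself or from anyone in this thread; the helper names normalize_samesite() and build_set_cookie_header() are hypothetical, and the accepted boolean spellings mirror the usual INI conventions rather than any specific PHP handler.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not PHP's own code, not from this thread).
 * normalize_samesite() maps a bool-or-string setting to a canonical
 * SameSite attribute value and rejects unknown strings instead of
 * quietly emitting no attribute at all, which is the failure mode
 * a typo would otherwise cause.
 */

/**
 * @param bool|string|null $value  INI-style value: bool, or a string such as "1", "", "Lax"
 * @return string|null  "Strict" or "Lax", or null when the attribute is switched off
 * @throws InvalidArgumentException on any other string (e.g. the typo "Strit")
 */
function normalize_samesite($value): ?string
{
    if ($value === null || $value === false) {
        return null;
    }
    if ($value === true) {
        return 'Strict';   // bool "on" picks the stricter of the two named modes
    }
    if (!is_string($value)) {
        throw new InvalidArgumentException('SameSite setting must be bool or string');
    }
    $lower = strtolower(trim($value));

    // Spellings an INI parser conventionally treats as boolean off / on.
    if (in_array($lower, ['', '0', 'off', 'no', 'false'], true)) {
        return null;
    }
    if (in_array($lower, ['1', 'on', 'yes', 'true'], true)) {
        return 'Strict';
    }

    // Named modes from the cookie draft; a third mode would be one more entry here.
    $modes = ['strict' => 'Strict', 'lax' => 'Lax'];
    if (isset($modes[$lower])) {
        return $modes[$lower];
    }
    throw new InvalidArgumentException("Unknown SameSite value '{$value}'");
}

/**
 * Build a Set-Cookie header line, appending SameSite only when it is enabled.
 * A misspelled setting raises instead of producing a cookie without the attribute.
 */
function build_set_cookie_header(string $name, string $value, $samesite): string
{
    $header = rawurlencode($name) . '=' . rawurlencode($value) . '; Path=/; HttpOnly';
    $mode = normalize_samesite($samesite);
    if ($mode !== null) {
        $header .= '; SameSite=' . $mode;
    }
    return $header;
}

// Constructed inputs: both bool forms, both named modes, an empty "off" value, and a typo.
foreach ([true, false, 'Lax', 'STRICT', '', 'Strit'] as $configured) {
    $shown = str_pad(var_export($configured, true), 9);
    try {
        echo $shown, ' -> ', build_set_cookie_header('PHPSESSID', 'abc123', $configured), "\n";
    } catch (InvalidArgumentException $e) {
        echo $shown, ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with `php samesite_example.php`: the first five inputs produce header lines (the `false` and `''` cases without any SameSite attribute), while `'Strit'` is reported as rejected. The design choice is that rejecting an unknown string is the only way a bool-and-string setting stays as safe as a plain bool; accepting the string and passing it through unchecked is exactly what turns a typo into a silently disabled protection.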