Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:103045 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 44897 invoked from network); 6 Aug 2018 08:56:39 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 6 Aug 2018 08:56:39 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:57750] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 07/A4-26693-64D086B5 for ; Mon, 06 Aug 2018 04:56:39 -0400 Received: (qmail 39481 invoked by uid 89); 6 Aug 2018 08:56:34 -0000 Received: from unknown (HELO mail-yw1-f48.google.com) (yohgaki@ohgaki.net@209.85.161.48) by 0 with ESMTPA; 6 Aug 2018 08:56:34 -0000 Received: by mail-yw1-f48.google.com with SMTP id r184-v6so3329406ywg.6 for ; Mon, 06 Aug 2018 01:56:33 -0700 (PDT) X-Gm-Message-State: AOUpUlFjyHWZ5JEnlhIJ2hZVsk0m+1Ry7c3RSGGIyMAbzgIOGk+gm7F1 7TBVUpNxG2ffqHWr4yXZQkcQxKXp63PsN3nKCw== X-Google-Smtp-Source: AAOMgpdo/IGB1HytmHNE0LdeWDt5En6XNT9JH+rA49cOLMrz5twxo3fdNohd1/y7oY+wltOymPYYNlf0tYsakrYplbc= X-Received: by 2002:a81:6ca:: with SMTP id 193-v6mr7514209ywg.399.1533545787995; Mon, 06 Aug 2018 01:56:27 -0700 (PDT) MIME-Version: 1.0 References: <1abd260d-ebc4-a062-3381-72485946e8bc@gmail.com> In-Reply-To: Date: Mon, 6 Aug 2018 17:55:51 +0900 X-Gmail-Original-Message-ID: Message-ID: To: Andrey Andreev Cc: Niklas Keller , mail@pmmaga.net, f.bosch@genkgo.nl, Stas Malyshev , PHP internals Content-Type: multipart/alternative; boundary="000000000000f0c0310572c073d9" Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC From: yohgaki@ohgaki.net (Yasuo Ohgaki) --000000000000f0c0310572c073d9 Content-Type: text/plain; charset="UTF-8" On Mon, Aug 6, 2018 at 5:53 PM Yasuo Ohgaki wrote: > > > On Mon, Jul 30, 2018 at 6:51 PM Andrey Andreev wrote: > >> On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki wrote: >> > On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev >> wrote: >> >> >> >> Hi, >> >> >> >> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki >> wrote: >> >> > >> >> > One thing regarding implementation. >> >> > Since the internet RFC has only 2 values for "samesite", the >> parameter >> >> > can >> >> > be >> >> > bool rather than string so that users can avoid "broken security by a >> >> > typo". >> >> > If "samesite" has more than 2 values, the INI handler can be changed >> so >> >> > that >> >> > it can >> >> > handle both bool and string parameters. >> >> > >> >> >> >> The attribute has 2 possible values, but those are 2 different modes >> >> of operation *when enabled*, not 2 states in total. It doesn't fit in >> >> a boolean, and even if it did it wouldn't be forward-compatible that >> >> way. >> > >> > >> > What do you mean by "those are 2 different modes >> > of operation *when enabled*, not 2 states in total. "? >> > >> > samesite-value = "Strict" / "Lax" >> > >> > Flag is flag. It does not matter if it is used as combined values. >> > >> > An INI value can be bool and string/etc. Even when 3rd value is added, >> it >> > can >> > be supported. Such INIs exist in PHP already. >> > >> >> A boolean makes sense for Secure and HTTPonly, where the flag either >> exists or not. That's not what we have here, as SameSite=Lax is not >> the same thing as not having SameSite at all. >> >> bool(false) may make sense as an Off switch, yes, but that's not what >> you suggested ... >> > > > Bool actually have 3 values. > Simple INI handler can do this, precisely. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --000000000000f0c0310572c073d9--