Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:119277
Return-Path: <george.banyard@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53772 invoked from network); 16 Jan 2023 13:39:45 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 16 Jan 2023 13:39:45 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id A40E7180511
	for <internals@lists.php.net>; Mon, 16 Jan 2023 05:39:42 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,FREEMAIL_REPLY,
	HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
	SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no
	autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <george.banyard@gmail.com>
Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Mon, 16 Jan 2023 05:39:42 -0800 (PST)
Received: by mail-pj1-f50.google.com with SMTP id v13-20020a17090a6b0d00b00219c3be9830so31088911pjj.4
        for <internals@lists.php.net>; Mon, 16 Jan 2023 05:39:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=1krgNlFIaKOsaRYq4UbtZORpoXz8juNgkr5QHXEGSqk=;
        b=ZDp25x6Q8Zp+jxWJL3lU3D0AHhwkQDyVbXEzBIDlgSUqeHlnQEXn1hQ+d/c65r3yNs
         w+86Ixhpq3gldNTo/p2NQ7XXRWQoXBKhfvU4WDLG4GNzT1wZflQm7VEmXSdWLhl3Ahwm
         fY1LOGoSDcclPWfyrIv74TnXBXIYxhbLj3tJrjAdYTF1CUNvFe1TGTuyfIJ83HfsoEHi
         ZmbihkJgBCGDK8NlckItJCjxt1BLQ43Y/tanMNMBQjWrgBaHmMhDN98V7oaqN+vwY/lz
         D+jcnduKt+RM9Wt67nMzkAmmRSwWG4Lqx8Wnzzr+Q+1O2IQW6/eKkWrvHUE5Arw/bHAK
         eYxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=1krgNlFIaKOsaRYq4UbtZORpoXz8juNgkr5QHXEGSqk=;
        b=3Zw7uQWtygk5IeG5QooUI1p2gl5RKWT/IJVT9DHgc2cMmqJOciZqxi8Ot+tLwUEXsG
         vNE7TFr3SiHR0pHmbpnBhmaVo2gwUsKuzGjAjbC220XXxO8tmakPPGZc1xirQAWFlJwu
         VwEmUBLzwBG2aJ+jigXSjknrinR2GdzEmMTwIjX0l3D9sYFMktYVm3wGAfET6dRj4Sow
         oS6BrrWBqa15uluSkefCmEI96pBpPOa4hM43M0Xs7ueR8AwwqyxSyedNhJzFIFjZxYVd
         CJQrUP43iWypFzgYalfC9pwkNk40ZbXXpMNfaDc3XOH50qz7pYAoJ9EFm7gaxIGYfLyr
         Wqqg==
X-Gm-Message-State: AFqh2kpOJEJyZ7FiCpF6f1Yxkn+djsfpxMNb0Nz0/O+42dllaUfSXb+O
	s2hMVVLlgL4qVnsXceFyqq1MBo4EN0BxZWDx12A9z8qbX+E=
X-Google-Smtp-Source: AMrXdXvrjS/8CPMrsJoPbGSzK4PzxtvnHR4S2IPACXEtcg/9VYt+xQziIiGRV/Qd9rzae2T8zb0DqDRsPDYTp8K1tdE=
X-Received: by 2002:a17:90b:915:b0:229:4c59:3eeb with SMTP id
 bo21-20020a17090b091500b002294c593eebmr421023pjb.51.1673876380938; Mon, 16
 Jan 2023 05:39:40 -0800 (PST)
MIME-Version: 1.0
References: <CAFPFaM+d_1pV__2u+rkTEOF8mPM_CSXRk3udmG-+G1oVuKbQmg@mail.gmail.com>
 <CAOWwgpnJrHfx83wkd35J_9HwqzkB-1iRfTyqYbZ=7HB9nUhrhQ@mail.gmail.com>
In-Reply-To: <CAOWwgpnJrHfx83wkd35J_9HwqzkB-1iRfTyqYbZ=7HB9nUhrhQ@mail.gmail.com>
Date: Mon, 16 Jan 2023 13:39:29 +0000
Message-ID: <CAFPFaMKTaQDSJXFfos=3sdL7ddSrje_aHWcg67GA9jXPe8uhew@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Cc: Christian Schneider <cschneid@cschneid.com>, Nicolas Grekas <nicolas.grekas+php@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000001576d105f261b779"
Subject: Re: [PHP-DEV] [RFC] Add SameSite cookie attribute parameter
From: george.banyard@gmail.com ("G. P. B.")

--0000000000001576d105f261b779
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, 15 Jan 2023 at 16:40, Nicolas Grekas <nicolas.grekas+php@gmail.com>
wrote:

> Hi George,
>
> There's quite some activity on the HTTP cookies side.
> I read about SameParty and Partitioned attributes recently, see:
> - https://developer.chrome.com/docs/privacy-sandbox/chips/
> - https://github.com/cfredric/sameparty
>
> Maybe we should have a plan that works for these too?
>
> Nicolas
>

Considering those cookie attributes are still in an experimental design
phase and are not universally agreed upon by user agents, I wouldn't want
to add a specific parameter for them.
However, a more generic solution by overloading the options array to
accepts arbitrary key:value pairs might be something to pursue, but this is
out of scope for this RFC as just adding this to the current option array
forces people to use that signature which is less type safe.


On Sun, 15 Jan 2023 at 20:58, Christian Schneider <cschneid@cschneid.com>
wrote:

> Some comments:
> - I am not convinced that we should introduce a third way of providing
> parameters to setcookie(). I don't think this function is used often enou=
gh
> in common code to add yet another iteration of the API. Assuming there is=
 1
> to 2 places in your framework using this I don't think many bugs will go
> unnoticed. Adding a warning to illegal 'samesite' values in $options woul=
d
> IMHO be enough if stricter checking is wished for.
>

How is this providing a third way of providing parameters to setcookie()?
As it is, if I want to use named arguments and the typed parameters, I
cannot set the SameSite attribute.
I've heard multiple people waste time due to a SameSite bug because they
made a typo, and it took them way too long to figure out the issue as they
thought they had a server configuration problem.
Adding a warning for invalid values is effectively turning that option into
an Enum, which at this point one might as well have a proper Enum.


> - I don't like the camelCase of $sameSite as this is different from all
> the other parameters, e.g. $expires_or_options (yes, this is a
> pseudo-parameter name, I know) and $httponly. Looking at a couple of
> functions in the standard PHP set I didn't see any $camelCase.
>

ACK, it should probably be in snake case and be $same_site


> - A more generic question: How are Enums handled concerning future
> additions of values vs. BC compatibility? What is the migration plan ther=
e
> if one wants to support both old and new PHP versions?
>

The parameter is optional, so I don't understand what migration plan you
need?
If in the, unlikely, event that a new value is added this should be added
as a case in the enum in the next minor version of PHP.
In the, again unlikely, event that a value is deprecated, the corresponding
enum case should also be deprecated following the normal PHP deprecation
process.

I only decided to make this an enum because I deem it very unlikely for a
new valid attribute value to be introduced, the new IETF RFC clarifies and
amends the behaviour of the 3 valid attribute values that have always been
the same since 2016.


> Regards,
> - Chris


On Sun, 15 Jan 2023 at 21:08, Claude Pache <claude.pache@gmail.com> wrote:

> Hi,
>
> Some technical remarks:
> * The new parameter name should be `$samesite` (all lowercase), in order
> to match with the casing of the corresponding key in `$options`.
>

I don't agree with this, the name $samesite all lowercase is far from
optimal, however it should be in snake case ($same_site) in accordance with
the other parameters.


> * I think that you should add the case `SameSite::Omit` (which is the
> current default). This is not only for BC, but also for FC if, for some
> reason, `SameSite: Lax` is replaced by some attribute that supersedes it.
> Or if `SameSite: Lax` becomes the default, and therefore redundant. =E2=
=80=94
> Having `SameSite::Omit` instead of `null` would mean that it would be
> difficult to miss it by accident.
>

Same idea as in my reply to Chris, it is extremely unlikely that a new
attribute value will be added, moreover the point of using SameSite::Lax as
the default is that it will become the default (it already is in Chrome,
and is gated between a flag in Firefox) as currently in any case you *must*
provide a SameSite values for your cookies as the behaviour end-users are
going to have depends on their browser (e.g. Chrome defaulting to Lax,
while Firefox and Safari still default to None currently) and thus omitting
the value is, IMHO, a bug waiting to happen.


> That said, I am much more interested in being able to add custom cookie
> attributes. Back when SameSite was introduced (on the web, not in PHP), I
> recall that I had to use some hack in order to include them in my session
> cookie (before upgrading to PHP 7.3). The new cookie attributes mentioned
> by Nicolas in the other mail are probably too experimental in order to
> support them officially, but it could be interesting to be able to includ=
e
> them nonetheless, e.g. using some `customAttributes` parameter.
>

As said to Nicolas, this is definitely interesting, but out of scope for
this RFC.


> =E2=80=94Claude


Best regards,

George P. Banyard

--0000000000001576d105f261b779--