Newsgroups: php.internals
Message-ID: <5b5f8e4e-c3e3-4f0c-9425-3b784f4a4a09@gmail.com>
Date: Sun, 24 Dec 2023 23:10:57 +0100
To: internals@lists.php.net
References: <76dc625a-0e45-4377-bfff-2aba5244acae@gmail.com> <50E720CC-29B0-46E6-8581-C5A549DEDA44@php.net>
In-Reply-To: <50E720CC-29B0-46E6-8581-C5A549DEDA44@php.net>
Subject: Re: [PHP-DEV] Partitioned cookies
From: dossche.niels@gmail.com (Niels Dossche)

Hi

On 24/12/2023 17:04, Derick Rethans wrote:
> On 24 December 2023 12:46:40 CET, Niels Dossche wrote:
>> Hi internals
>>
>> I opened a PR [1] to implement Partitioned cookie support, as requested on the bugtracker [2], into the setcookie() PHP function. This is done by adding an option to the $options array, not via an additional argument to the function. The amount of code to support this is tiny.
>>
>> This cookie option is being pushed by browser vendors (primarily by Google it seems) to eliminate third-party cookies [3, 4]. One of the impacts here is that cookies marked with "SameSite=None; Secured" without "Partitioned" will stop working eventually during 2024.
>>
>> Although the Partitioned cookie proposal is still a draft, Chrome will apply the change starting in January 2024 for a tiny percentage of users (as a form of A/B testing it seems). Symfony has already implemented support for this option as well [5].
>> The SameSite option was also added in PHP when it was still in a draft.
>>
>> Let me know what you think and if you are okay / objecting to merging this PR.
>
>
> I've two concerns (none with the PR, as I haven't checked):
>
> - Compatibility: https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies#browser_compatibility

Right, indeed it is only supported by Blink-based browsers right now.
It is on the roadmap for Safari and Firefox for 2024 according to https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/

> - What happens if it just stays a draft, or doesn't get accepted, or with a different name?

Good question, no idea.

>
> And also, would/should the PHP function enforce that this should only be set if for example Secure is set too? And if so, with a warning or TypeError?

This constraint is enforced already in the PR. If you try to set it without setting Secure, a ValueError is thrown. This is consistent with how other options can also throw a ValueError if constraints are broken.

>
> cheers
> Derick

Kind regards
Niels
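
Added example, not part of the original message and not the PR's code: a userland sketch of the constraint discussed in the thread, where a cookie marked Partitioned without Secure is rejected with a ValueError. The function name `build_cookie_header()`, its option keys and the sample cookie values are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not PHP's setcookie()): builds a Set-Cookie header
 * value and refuses Partitioned unless Secure is also set.
 */
function build_cookie_header(string $name, string $value, array $options = []): string
{
    // Separators, whitespace and control characters would corrupt the header.
    if ($name === '' || preg_match('/[=,;\s\x00-\x1f\x7f]/', $name)) {
        throw new ValueError('Cookie name is empty or contains invalid characters');
    }
    $path = $options['path'] ?? '/';
    if (preg_match('/[;\x00-\x1f\x7f]/', $path)) {
        throw new ValueError('"path" contains invalid characters');
    }

    $secure      = (bool) ($options['secure'] ?? false);
    $partitioned = (bool) ($options['partitioned'] ?? false);
    $sameSite    = $options['samesite'] ?? null;

    // The constraint from the thread: Partitioned requires Secure.
    if ($partitioned && !$secure) {
        throw new ValueError('"partitioned" requires "secure" to be set');
    }
    if ($sameSite !== null && !in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new ValueError('"samesite" must be Strict, Lax or None');
    }

    // Assemble attributes in a fixed order; the value is percent-encoded.
    $parts = [$name . '=' . rawurlencode($value), 'Path=' . $path];
    if ($secure)                        { $parts[] = 'Secure'; }
    if ($options['httponly'] ?? false)  { $parts[] = 'HttpOnly'; }
    if ($sameSite !== null)             { $parts[] = 'SameSite=' . $sameSite; }
    if ($partitioned)                   { $parts[] = 'Partitioned'; }

    return implode('; ', $parts);
}

// Constructed sample values for a cookie used in a third-party embed.
$ok = ['secure' => true, 'httponly' => true, 'samesite' => 'None', 'partitioned' => true];
echo 'Set-Cookie: ', build_cookie_header('widget_session', 'abc123', $ok), "\n";

// Same cookie without Secure: rejected before any header is produced.
try {
    build_cookie_header('widget_session', 'abc123', ['samesite' => 'None', 'partitioned' => true]);
} catch (ValueError $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

In a web request the returned string would be sent with `header('Set-Cookie: ' . $headerValue, false)` so that existing Set-Cookie headers are not replaced.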