Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:128110
Message-ID: <6F5072EB-E477-4CCD-8FF0-E09C2C10ED47@gmail.com>
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_4EB48AD5-7B38-4BDD-9F3C-9A840729086F"
Precedence: bulk
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.600.51.1.1\))
Subject: Re: [PHP-DEV] [RFC] [Discussion] CHIPS
Date: Fri, 18 Jul 2025 16:15:35 +0200
In-Reply-To: <CANTuiHsW99Ny-Cx1+kyU0+Q4bimnGWZe+stWd0wvSSfO=zwvgw@mail.gmail.com>
Cc: PHP internals <internals@lists.php.net>
To: Dmitry Derepko <xepozzd@gmail.com>
References: <CANTuiHsW99Ny-Cx1+kyU0+Q4bimnGWZe+stWd0wvSSfO=zwvgw@mail.gmail.com>
From: claude.pache@gmail.com (Claude Pache)


--Apple-Mail=_4EB48AD5-7B38-4BDD-9F3C-9A840729086F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> Le 15 juil. 2025 =C3=A0 12:09, Dmitry Derepko <xepozzd@gmail.com> a =
=C3=A9crit :
>=20
> Hi internals,
>=20
> In collaboration with Niels Dossche I'd like to start the discussion =
for an RFC proposing a new Cookie option for use with CHIPS technology.
>=20
> As Niels noted, today is the day when in 4 weeks there will be code =
freeze, so let's try to fit into the lines and deliver the value to PHP =
8.5.
>=20
> RFC: https://wiki.php.net/rfc/chips
> Implementation: https://github.com/php/php-src/pull/12652
> Previous discussions: https://externals.io/message/127902, =
https://externals.io/message/122028
>=20

Hi,

1. The RFC says: =E2=80=9CCHIPS technology was introduced not so long =
ago, but still has =E2=80=9Clittle=E2=80=9D adoption (currently =
=E2=80=9Conly=E2=80=9D available in Blink-based browsers).=E2=80=9D

It might be useful to add the following precisions, so that we are more =
confident that it has good chance not to remain a Blink-only feature:
* As of time of writing, there is an experimental implementation in =
Firefox.
* The feature has also been implemented in Safari, but has been =
temporarily disabled because of an issue known by Apple only.


2. All examples in the RFC are variations on `setcookie("name", "value", =
["secure" =3D> true, "partitioned" =3D> true]);`, without same-site =
attribute.

As partitioned cookies are only meaningful as third-party cookies, what =
is the behaviour when:

(a) the same-site attribute is set to anything different from "None"?
(b) the same-site attribute is omitted? (Although historically, omitting =
the same-site parameter is equivalent to setting it to "None", browser =
vendors are willing to switch the default to "Lax", and some browsers =
(including Blink-based ones) have already done the switch.)

In all examples I=E2=80=99ve seen on the web, an explicit =
`samesite=3DNone` attribute is added to partitioned cookies, probably =
for some good reason?

=E2=80=94Claude=

--Apple-Mail=_4EB48AD5-7B38-4BDD-9F3C-9A840729086F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"overflow-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;"><br =
id=3D"lineBreakAtBeginningOfMessage"><div><br><blockquote =
type=3D"cite"><div>Le 15 juil. 2025 =C3=A0 12:09, Dmitry Derepko =
&lt;xepozzd@gmail.com&gt; a =C3=A9crit :</div><br =
class=3D"Apple-interchange-newline"><div><div dir=3D"ltr"><div>Hi =
internals,<br><br>In collaboration with Niels Dossche I'd like to start =
the discussion for an RFC proposing a new Cookie option for use with =
CHIPS technology.</div><div><br></div><div>As Niels noted, today is the =
day when in 4 weeks there will be code freeze, so let's try to fit into =
the lines and deliver the value to PHP 8.5.<br><br>RFC: <a =
href=3D"https://wiki.php.net/rfc/chips">https://wiki.php.net/rfc/chips</a>=
<br>Implementation: <a =
href=3D"https://github.com/php/php-src/pull/12652">https://github.com/php/=
php-src/pull/12652</a></div><div>Previous discussions:&nbsp;<a =
href=3D"https://externals.io/message/127902">https://externals.io/message/=
127902</a>,&nbsp;<a =
href=3D"https://externals.io/message/122028">https://externals.io/message/=
122028</a><br><br></div></div></div></blockquote><div><br></div><div>Hi,</=
div></div><br><div>1. The RFC says: =E2=80=9CCHIPS technology was =
introduced not so long ago, but still has =E2=80=9Clittle=E2=80=9D =
adoption (currently =E2=80=9Conly=E2=80=9D available in Blink-based =
browsers).=E2=80=9D</div><div><br></div><div>It might be useful to add =
the following precisions, so that we are more confident that it has good =
chance not to remain a Blink-only feature:</div><div>* As of time of =
writing, there is an experimental implementation in Firefox.</div><div>* =
The feature has also been implemented in Safari, but has been =
temporarily disabled because of an issue known by Apple =
only.</div><div><br></div><div><br></div><div>2. All examples in the RFC =
are variations on `setcookie("name", "value", ["secure" =3D&gt; true, =
"partitioned" =3D&gt; true]);`, without same-site =
attribute.</div><div><br></div><div>As partitioned cookies are only =
meaningful as third-party cookies, what is the behaviour =
when:</div><div><br></div><div>(a) the same-site attribute is set to =
anything different from "None"?</div><div>(b) the same-site attribute is =
omitted? (Although historically, omitting the same-site parameter is =
equivalent to setting it to "None", browser vendors are willing to =
switch the default to "Lax", and some browsers (including Blink-based =
ones) have already done the switch.)</div><div><br></div><div>In all =
examples I=E2=80=99ve seen on the web, an explicit `samesite=3DNone` =
attribute is added to partitioned cookies, probably for some good =
reason?</div><div><br></div><div>=E2=80=94Claude</div></body></html>=

--Apple-Mail=_4EB48AD5-7B38-4BDD-9F3C-9A840729086F--