Newsgroups: php.internals
Message-ID: <520a4e54-eb18-41f7-871f-d5929fce3eb0@gmail.com>
Date: Sun, 20 Jul 2025 11:14:05 +0200
List-Id: internals.lists.php.net
Subject: Re: [PHP-DEV] [RFC] [Discussion] CHIPS
To: internals@lists.php.net
References: <6F5072EB-E477-4CCD-8FF0-E09C2C10ED47@gmail.com>
In-Reply-To: <6F5072EB-E477-4CCD-8FF0-E09C2C10ED47@gmail.com>
From: dossche.niels@gmail.com (Niels Dossche)

On 18/07/2025 16:15, Claude Pache wrote:
> Hi,
>

Hi Claude

> 1. The RFC says: “CHIPS technology was introduced not so long ago, but still has “little” adoption (currently “only” available in Blink-based browsers).”
>
> It might be useful to add the following precisions, so that we are more confident that it has good chance not to remain a Blink-only feature:
> * As of time of writing, there is an experimental implementation in Firefox.
> * The feature has also been implemented in Safari, but has been temporarily disabled because of an issue known by Apple only.
>

Sure! Those are good points to clarify the introduction. Thanks!

>
> 2. All examples in the RFC are variations on `setcookie("name", "value", ["secure" => true, "partitioned" => true]);`, without same-site attribute.
>
> As partitioned cookies are only meaningful as third-party cookies, what is the behaviour when:
>
> (a) the same-site attribute is set to anything different from "None"?
> (b) the same-site attribute is omitted? (Although historically, omitting the same-site parameter is equivalent to setting it to "None", browser vendors are willing to switch the default to "Lax", and some browsers (including Blink-based ones) have already done the switch.)
>
> In all examples I’ve seen on the web, an explicit `samesite=None` attribute is added to partitioned cookies, probably for some good reason?

Yep, all examples use "samesite=None" because you need that to create a 3rd party cookie. So including "Partitioned" without "samesite=None" is useless in those cases. Although if "samesite=Lax" is still the default for a particular browser, then it won't be useless, but I believe the goal is - as you said - to switch all browsers over to "samesite=None".

According to https://github.com/privacycg/CHIPS, the following will happen:
(a) The cookie won't be sent to a 3rd party context and "Partitioned" won't have an effect. The cookie header is still interpreted correctly so it will have an effect on the origin site, just not in a 3rd party context.
(b) Depends on what the default is for a particular browser.

Kind regards
Niels
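
The following is an added example, not part of the original message or of the RFC: a small PHP check that classifies a Set-Cookie value according to cases (a) and (b) discussed above. The function name, the result labels and the sample cookie values are hypothetical; the rule that Partitioned requires Secure is taken from the CHIPS explainer.

```php
<?php
declare(strict_types=1);

/**
 * Classify how a Set-Cookie value behaves in a third-party context,
 * following cases (a) and (b) from the thread.
 * Hypothetical helper written for this example.
 */
function classifyPartitionedCookie(string $setCookie): string
{
    // Split "name=value; Attr; Attr=val" and drop the leading name=value pair.
    $parts = array_map('trim', explode(';', $setCookie));
    array_shift($parts);

    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $val] = array_pad(explode('=', $part, 2), 2, '');
        // Attribute names and SameSite values are case-insensitive.
        $attrs[strtolower(trim($key))] = strtolower(trim($val));
    }

    if (!array_key_exists('partitioned', $attrs)) {
        return 'not partitioned';
    }
    // CHIPS explainer: a partitioned cookie must also carry Secure.
    if (!array_key_exists('secure', $attrs)) {
        return 'invalid: Partitioned without Secure';
    }
    // Case (b): SameSite omitted, so the browser's default decides.
    if (!array_key_exists('samesite', $attrs)) {
        return 'browser-dependent: SameSite omitted';
    }
    // Case (a): any value other than None keeps the cookie out of 3rd-party contexts.
    if ($attrs['samesite'] !== 'none') {
        return 'first-party only: Partitioned has no effect';
    }
    return 'partitioned third-party cookie';
}

// Constructed sample values, not taken from the RFC or the thread.
$samples = [
    '__Host-sid=abc; Path=/; Secure; SameSite=None; Partitioned',
    '__Host-sid=abc; Path=/; Secure; SameSite=Lax; Partitioned',
    '__Host-sid=abc; Path=/; Secure; Partitioned',
    'sid=abc; Path=/; SameSite=None; Partitioned',
];
foreach ($samples as $value) {
    printf("%-62s => %s\n", $value, classifyPartitionedCookie($value));
}
```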