Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
From: narf@devilix.net (Andrey Andreev)
Date: Tue, 18 Jul 2017 13:37:14 +0300
To: "Frederik Bosch | Genkgo"
Cc: "internals@lists.php.net"
In-Reply-To: <14052ebf-efea-cb43-39e0-bdc30e493ff3@genkgo.nl>

Hi Frederik,

On Tue, Jul 18, 2017 at 12:11 AM, Frederik Bosch | Genkgo wrote:
> LS,
>
> Today I finished writing the RFC for implementing same site cookies in PHP,
> https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your
> remarks on the proposal, and improve when necessary.
>
> For those (only) interested in code, have a look at PR # 2613:
> https://github.com/php/php-src/pull/2613.
>
> For the record, I am just a messenger in this regard. Someone uploaded a
> patch for this feature in bug #72230: https://bugs.php.net/bug.php?id=72230.
> I just took the opportunity to create a PR and the corresponding RFC.
> Credits for the code go to xistence at 0x90 dot nl.
>
> Hopefully, the samesite cookie flag will become a feature of the PHP
> language through this RFC!
>

Unfortunately, all of the cons you've explained in the RFC are very valid
concerns. I'd rather first see what happens with http_cookie_set() that's
being talked about in another thread currently (I suspect inspired by this).

Cheers,
Andrey.