Newsgroups: php.internals
Xref: news.php.net php.internals:99893
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
From: Frederik Bosch | Genkgo <f.bosch@genkgo.nl>
To: Andrey Andreev
Cc: internals@lists.php.net
Date: Tue, 18 Jul 2017 15:23:45 +0200
Message-ID: <08f6d5f1-a7e7-90a3-1b6a-ac353498cef8@genkgo.nl>
References: <14052ebf-efea-cb43-39e0-bdc30e493ff3@genkgo.nl>

Hi Andrey,

Thanks for your feedback. If we are going to wait for http_cookie_set, then my guess will be that it will take a while before we see samesite cookie implemented. While I totally agree there is need for a new function with a better API, I fail to see why that would mean we cannot have a samesite argument in the set(raw)cookie functions now. The RFC is in line with the design of these functions.

With regard to browsers not implementing it, let me quote the current documentation on the httponly argument.

"It has been suggested that this setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers), but that claim is often disputed."

Basically it says that it is not supported by all browsers, but provides help reducing XSS attacks. I don't see the difference with samesite.

Best,
Frederik

On 18-07-17 12:37, Andrey Andreev wrote:
> Hi Frederik,
>
> On Tue, Jul 18, 2017 at 12:11 AM, Frederik Bosch | Genkgo wrote:
>> LS,
>>
>> Today I finished writing the RFC for implementing same site cookies in PHP,
>> https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your
>> remarks on the proposal, and improve when necessary.
>>
>> For those (only) interested in code, have a look at PR # 2613:
>> https://github.com/php/php-src/pull/2613.
>>
>> For the record, I am just a messenger in this regard. Someone uploaded a
>> patch for this feature in bug #72230: https://bugs.php.net/bug.php?id=72230.
>> I just took the opportunity to create a PR and the corresponding RFC.
>> Credits for the code go to xistence at 0x90 dot nl.
>>
>> Hopefully, the samesite cookie flag will become a feature of the PHP
>> language through this RFC!
>>
> Unfortunately, all of the cons you've explained in the RFC are very
> valid concerns.
> I'd rather first see what happens with http_cookie_set() that's being
> talked about in another thread currently (I suspect inspired by this).
>
> Cheers,
> Andrey.

--
Frederik Bosch
Partner Genkgo
Mail: f.bosch@genkgo.nl
Web: support.genkgo.com
Entrada 123 Amsterdam
+31 208 943 931
Genkgo B.V. is registered with the Chamber of Commerce under number 56501153
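For readers who want to see what the proposed samesite argument would put on the wire next to the existing secure and httponly flags, here is an added userland example (not code from the RFC, PR #2613 or the bug #72230 patch) that builds the Set-Cookie header line by hand; the function names, option names and the accepted values `Lax` and `Strict` are this example's own assumptions.

```php
<?php
// Added example: emit a Set-Cookie header carrying SameSite without relying on
// setcookie(), which had no samesite argument when this thread was written.
// Function and option names are assumed for this example, not PHP's API.
function build_set_cookie_header(string $name, string $value, array $options = []): string
{
    // Reject names containing separators or control characters (RFC 6265 token rule),
    // so a caller cannot smuggle extra attributes or header lines through the name.
    if ($name === '' || preg_match('/[\x00-\x20()<>@,;:\\\\"\/\[\]?={}\x7f]/', $name)) {
        throw new InvalidArgumentException("Invalid cookie name: $name");
    }
    $parts = [$name . '=' . rawurlencode($value)];
    if (isset($options['expires'])) {
        // IMF-fixdate, the same shape setcookie() produces.
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', (int) $options['expires']);
    }
    if (!empty($options['path']))   { $parts[] = 'Path=' . $options['path']; }
    if (!empty($options['domain'])) { $parts[] = 'Domain=' . $options['domain']; }
    if (!empty($options['secure']))   { $parts[] = 'Secure'; }
    if (!empty($options['httponly'])) { $parts[] = 'HttpOnly'; }
    if (isset($options['samesite'])) {
        // Only the values from the SameSite draft current in 2017 are accepted here.
        $samesite = ucfirst(strtolower($options['samesite']));
        if (!in_array($samesite, ['Lax', 'Strict'], true)) {
            throw new InvalidArgumentException("samesite must be Lax or Strict, got {$options['samesite']}");
        }
        $parts[] = 'SameSite=' . $samesite;
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

function set_samesite_cookie(string $name, string $value, array $options = []): void
{
    // The second argument (false) appends instead of replacing earlier Set-Cookie headers.
    header(build_set_cookie_header($name, $value, $options), false);
}

// Usage: a session cookie that is Secure, HttpOnly and withheld on cross-site requests.
echo build_set_cookie_header('PHPSESSID', 'abc123', [
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]), "\n";
```

The browser-support caveat from the thread applies unchanged: a user agent that does not understand SameSite ignores the attribute, so the cookie still needs Secure and HttpOnly as independent protections.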