Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
From: lists@rhsoft.net ("lists@rhsoft.net")
To: internals@lists.php.net
Date: Tue, 18 Jul 2017 15:37:07 +0200
In-Reply-To: <08f6d5f1-a7e7-90a3-1b6a-ac353498cef8@genkgo.nl>

On 18.07.2017 at 15:23, Frederik Bosch | Genkgo wrote:
> Hi Andrey,
>
> Thanks for your feedback. If we are going to wait for http_cookie_set,
> then my guess will be that it will take a while before we see samesite
> cookie implemented. While I totally agree there is need for a new
> function with a better API, I fail to see why that would mean we cannot
> have a samesite argument in the set(raw)cookie functions now. The RFC is
> in line with the design of these functions.
>
> With regard to browsers not implementing it, let me quote the current
> documentation on the httponly argument. "It has been suggested that this
> setting can effectively help to reduce identity theft through XSS
> attacks (although it is not supported by all browsers), but that claim
> is often disputed." Basically it says that it is not supported by all
> browsers, but provides help reducing XSS attacks. I don't see the
> difference with samesite.

which browser in 2017 does not support 'httponly'?
that was true a decade ago, now that paragraph in the docs is just FUD

> On 18-07-17 12:37, Andrey Andreev wrote:
>> Hi Frederik,
>>
>> On Tue, Jul 18, 2017 at 12:11 AM, Frederik Bosch | Genkgo
>> wrote:
>>> LS,
>>>
>>> Today I finished writing the RFC for implementing same site cookies
>>> in PHP,
>>> https://wiki.php.net/rfc/same-site-cookie. I am happy to receive your
>>> remarks on the proposal, and improve when necessary.
>>>
>>> For those (only) interested in code, have a look at PR # 2613:
>>> https://github.com/php/php-src/pull/2613.
>>>
>>> For the record, I am just a messenger in this regard. Someone uploaded a
>>> patch for this feature in bug #72230:
>>> https://bugs.php.net/bug.php?id=72230.
>>> I just took the opportunity to create a PR and the corresponding RFC.
>>> Credits for the code go to xistence at 0x90 dot nl.
>>>
>>> Hopefully, the samesite cookie flag will become a feature of the PHP
>>> language through this RFC!
>>>
>> Unfortunately, all of the cons you've explained in the RFC are very
>> valid concerns.
>> I'd rather first see what happens with http_cookie_set() that's being
>> talked about in another thread currently (I suspect inspired by this)
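The thread argues about adding a samesite argument beside httponly in set(raw)cookie. As an added illustration of what such an argument has to produce on the wire (example code written for this page, not from the RFC, the php-src pull request or any poster here), the PHP below assembles a Set-Cookie header value with both attributes. buildSetCookie() is a hypothetical helper: it mirrors the cookie-name check and attribute order of PHP's built-in setcookie(), validates the SameSite value against the three values the cookie drafts define (Strict, Lax, None) and refuses SameSite=None without Secure, since browsers drop such cookies. The cookie name and value are constructed sample data. The options-array form of the real setcookie() shown in the trailing comment exists from PHP 7.3 onward.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not php-src code): build a Set-Cookie header value with
// the HttpOnly and SameSite attributes discussed in the thread.
function buildSetCookie(string $name, string $value, array $opts = []): string
{
    // Same reserved characters that setcookie() rejects in a cookie name.
    if ($name === '' || preg_match("/[=,; \t\r\n\013\014]/", $name)) {
        throw new InvalidArgumentException('cookie name is empty or contains a reserved character');
    }
    $opts += [
        'expires'  => 0,
        'path'     => '',
        'domain'   => '',
        'secure'   => false,
        'httponly' => false,
        'samesite' => '',
    ];

    // setcookie() URL-encodes the value; setrawcookie() would send it as-is.
    $parts = [$name . '=' . rawurlencode($value)];

    if ($opts['expires'] > 0) {
        $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', $opts['expires']) . ' GMT';
        $parts[] = 'Max-Age=' . max(0, $opts['expires'] - time());
    }
    if ($opts['path'] !== '') {
        $parts[] = 'path=' . $opts['path'];
    }
    if ($opts['domain'] !== '') {
        $parts[] = 'domain=' . $opts['domain'];
    }
    if ($opts['secure']) {
        $parts[] = 'secure';
    }
    if ($opts['httponly']) {
        // Keeps the cookie out of document.cookie, so script injection cannot read it.
        $parts[] = 'HttpOnly';
    }

    $samesite = ucfirst(strtolower((string) $opts['samesite']));
    if ($samesite !== '') {
        if (!in_array($samesite, ['Strict', 'Lax', 'None'], true)) {
            throw new InvalidArgumentException("samesite must be Strict, Lax or None, got '{$opts['samesite']}'");
        }
        // Browsers reject SameSite=None cookies that are not also Secure.
        if ($samesite === 'None' && !$opts['secure']) {
            throw new InvalidArgumentException('SameSite=None requires the secure flag');
        }
        // Lax/Strict cookies are withheld from cross-site requests, which blunts CSRF.
        $parts[] = 'SameSite=' . $samesite;
    }

    return implode('; ', $parts);
}

// Constructed sample: a session cookie unreadable from script and withheld
// from cross-site requests.
$header = buildSetCookie('sid', 'abc123', [
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('Set-Cookie: ' . $header, false);
    // From PHP 7.3 the built-in call takes the same keys as an options array:
    // setcookie('sid', 'abc123', ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
```

Run it under any web SAPI to see the header in the response; under the CLI it only builds the string. The two attributes address different risks: HttpOnly limits what injected script can read, SameSite limits which requests the browser attaches the cookie to, so a deployment normally wants both rather than treating one as a substitute for the other.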