Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
From: Paul Jones <pmjones88@gmail.com>
To: lists@rhsoft.net
Cc: internals@lists.php.net
Date: Tue, 18 Jul 2017 08:38:53 -0500
References: <14052ebf-efea-cb43-39e0-bdc30e493ff3@genkgo.nl> <08f6d5f1-a7e7-90a3-1b6a-ac353498cef8@genkgo.nl>

> On Jul 18, 2017, at 08:37, lists@rhsoft.net wrote:
>
> On 18.07.2017 at 15:23, Frederik Bosch | Genkgo wrote:
>> Hi Andrey,
>> Thanks for your feedback. If we are going to wait for http_cookie_set, then my guess will be that it will take a while before we see samesite cookie implemented. While I totally agree there is need for a new function with a better API, I fail to see why that would mean we cannot have a samesite argument in the set(raw)cookie functions now. The RFC is in line with the design of these functions.
>> With regard to browsers not implementing it, let me quote the current documentation on the httponly argument. "It has been suggested that this setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers), but that claim is often disputed." Basically it says that it is not supported by all browsers, but provides help reducing XSS attacks. I don't see the difference with samesite.
>
> Which browser in 2017 does not support 'httponly'?
> That was true a decade ago; now that paragraph in the docs is just FUD.

(/me nods) Perhaps the same will be true for "samesite".

--
Paul M. Jones
pmjones88@gmail.com
http://paul-m-jones.com

Modernizing Legacy Applications in PHP
https://leanpub.com/mlaphp

Solving the N+1 Problem in PHP
https://leanpub.com/sn1php
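Until setcookie()/setrawcookie() grow the samesite argument the RFC proposes, an application can emit the attribute by writing the Set-Cookie header itself. The following is an added example, not code from the RFC, from PHP, or from anyone in this thread; the helper names build_set_cookie_header() and send_samesite_cookie() are assumptions, and the accepted SameSite values are restricted to Strict and Lax, the two values the same-site cookie draft defined in 2017.

```php
<?php
declare(strict_types=1);

// Added example: build a Set-Cookie header carrying SameSite (plus the
// Secure and HttpOnly flags the thread compares it with) without relying
// on a setcookie() argument that did not exist yet. Helper names are assumed.
function build_set_cookie_header(
    string $name,
    string $value,
    string $sameSite = 'Lax',
    bool $secure = true,
    bool $httpOnly = true,
    string $path = '/',
    int $expires = 0
): string {
    // Reject names containing separators or CR/LF so a caller cannot smuggle
    // extra attributes or a second header through the cookie name.
    if ($name === '' || preg_match('/[=,; \t\r\n\013\014]/', $name)) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    // Only values the draft defines; a misspelled value is ignored by the
    // browser, which silently drops the protection the cookie was meant to have.
    if (!in_array($sameSite, ['Strict', 'Lax'], true)) {
        throw new InvalidArgumentException('samesite must be Strict or Lax');
    }
    // Percent-encode the value, as setcookie() does, so ';' or CR/LF in the
    // value cannot terminate the cookie early or inject a header.
    $parts = [$name . '=' . rawurlencode($value)];
    if ($expires > 0) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $expires);
        $parts[] = 'Max-Age=' . max(0, $expires - time());
    }
    $parts[] = 'Path=' . $path;
    if ($secure) {
        $parts[] = 'Secure';
    }
    if ($httpOnly) {
        $parts[] = 'HttpOnly';
    }
    $parts[] = 'SameSite=' . $sameSite;
    return 'Set-Cookie: ' . implode('; ', $parts);
}

function send_samesite_cookie(string $name, string $value, string $sameSite = 'Lax'): void
{
    // Second argument false: append rather than replace other Set-Cookie headers.
    header(build_set_cookie_header($name, $value, $sameSite), false);
}

// Session cookie that is withheld from cross-site requests, hidden from
// script, and sent only over HTTPS (sample value is constructed).
echo build_set_cookie_header('sid', 'example-session-id', 'Strict'), "\n";
```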