Newsgroups: php.internals
In-Reply-To: <14052ebf-efea-cb43-39e0-bdc30e493ff3@genkgo.nl>
Date: Tue, 18 Jul 2017 15:57:03 +0200
To: "Frederik Bosch | Genkgo"
Cc: PHP Internals List
Subject: Re: [PHP-DEV] [RFC] samesite cookie implementation
From: ocramius@gmail.com (Marco Pivetta)

Hey Andrey,

On Mon, Jul 17, 2017 at 11:11 PM, Frederik Bosch | Genkgo wrote:

> LS,
>
> Today I finished writing the RFC for implementing same site cookies in
> PHP, https://wiki.php.net/rfc/same-site-cookie. I am happy to receive
> your remarks on the proposal, and improve when necessary.
>
> For those (only) interested in code, have a look at PR # 2613:
> https://github.com/php/php-src/pull/2613.
>
> For the record, I am just a messenger in this regard. Someone uploaded a
> patch for this feature in bug #72230: https://bugs.php.net/bug.php?id=72230.
> I just took the opportunity to create a PR and the corresponding
> RFC. Credits for the code go to xistence at 0x90 dot nl.
>
> Hopefully, the samesite cookie flag will become a feature of the PHP
> language through this RFC!

The (already) infinite signature of this function just adds up some more scenarios where BC compliance becomes a problem.
The current `setcookie` method has 7 parameters, of which 6 are optional. This is already a mess, as any default value change introduced for either forward-compliance or security issue compliance would result in a BC break.

This RFC suggests adding even more parameters (URGH), and increasing the issue impact.

I had already expressed this issue in https://wiki.php.net/rfc/openssl_aead, which basically passed

Honestly, API

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/