On 25.08.2017 at 22:54, Lars Strojny wrote:
> I strongly believe this is something we should ship with 7.2. That
> would give the ecosystem a 1-year head with a feature that could
> eventually help eradicate CSRF. I would argue that this is worth the
> unorthodox circumnavigation of our policies. Do you think that’s
> outrageously crazy?

Considering the current browser support (https://caniuse.com/#search=samesite), I am not convinced that any rush is appropriate. In the worst case, developers might rely on this feature, while in fact the option is ignored by many browsers, and as such gives a false sense of security.

--
Christoph M. Becker

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php