On Mon, Aug 6, 2018 at 5:53 PM Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

>
>
> On Mon, Jul 30, 2018 at 6:51 PM Andrey Andreev <n...@devilix.net> wrote:
>
>> On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> > On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev <n...@devilix.net> wrote:
>> >>
>> >> Hi,
>> >>
>> >> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> >> >
>> >> > One thing regarding implementation.
>> >> > Since the internet RFC has only 2 values for "samesite", the parameter
>> >> > can be bool rather than string so that users can avoid "broken security
>> >> > by a typo".
>> >> > If "samesite" has more than 2 values, the INI handler can be changed so
>> >> > that it can handle both bool and string parameters.
>> >> >
>> >>
>> >> The attribute has 2 possible values, but those are 2 different modes
>> >> of operation *when enabled*, not 2 states in total. It doesn't fit in
>> >> a boolean, and even if it did it wouldn't be forward-compatible that
>> >> way.
>> >
>> >
>> > What do you mean by "those are 2 different modes
>> > of operation *when enabled*, not 2 states in total. "?
>> >
>> > samesite-value = "Strict" / "Lax"
>> >
>> > Flag is flag. It does not matter if it is used as combined values.
>> >
>> > An INI value can be bool and string/etc. Even when 3rd value is added, it
>> > can be supported. Such INIs exist in PHP already.
>> >
>>
>> A boolean makes sense for Secure and HTTPonly, where the flag either
>> exists or not. That's not what we have here, as SameSite=Lax is not
>> the same thing as not having SameSite at all.
>>
>> bool(false) may make sense as an Off switch, yes, but that's not what
>> you suggested ...
>>
>
>
> Bool actually has 3 values.
>

A simple INI handler can do this, precisely.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
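
The three states debated in this thread (attribute absent, `SameSite=Lax`, `SameSite=Strict`) and the "broken security by a typo" concern, as an added example that is not part of the thread and is not PHP's implementation. The names `samesite_mode`, `parse_samesite` and `build_set_cookie` are hypothetical, as is the choice to reject on-like values.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result type: three valid states plus an error state. */
typedef enum { SS_INVALID = -1, SS_OFF = 0, SS_LAX, SS_STRICT } samesite_mode;

/* Parse an INI-style setting. Off-like values disable the attribute,
 * "Lax"/"Strict" (case-insensitive) select a mode. Anything else is
 * rejected: a typo such as "Strct", and also "on"/"true"/"1", which
 * cannot say which of the two modes is wanted. */
samesite_mode parse_samesite(const char *v)
{
    static const char *off[] = { "", "0", "off", "false", "no" };
    if (v == NULL) return SS_OFF;
    for (size_t i = 0; i < sizeof off / sizeof off[0]; i++)
        if (strcasecmp(v, off[i]) == 0) return SS_OFF;
    if (strcasecmp(v, "Lax") == 0) return SS_LAX;
    if (strcasecmp(v, "Strict") == 0) return SS_STRICT;
    return SS_INVALID;
}

/* Build the header line. Returns -1 for an invalid setting or a short
 * buffer, so the caller fails closed instead of emitting a cookie that
 * silently lacks the attribute. */
int build_set_cookie(char *out, size_t n, const char *name,
                     const char *value, const char *ini)
{
    samesite_mode m = parse_samesite(ini);
    if (m == SS_INVALID) return -1;
    const char *attr = m == SS_LAX    ? "; SameSite=Lax"
                     : m == SS_STRICT ? "; SameSite=Strict" : "";
    int len = snprintf(out, n, "Set-Cookie: %s=%s; Secure; HttpOnly%s",
                       name, value, attr);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample settings, including one typo. */
    const char *samples[] = { "", "Lax", "strict", "Strct" };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_set_cookie(buf, sizeof buf, "sid", "abc", samples[i]) == 0)
            printf("%-8s -> %s\n", samples[i], buf);
        else
            printf("%-8s -> rejected\n", samples[i]);
    }
    return 0;
}
```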
