Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-29 Thread Yasuo Ohgaki
On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev wrote:

> Hi,
>
> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki wrote:
> >
> > One thing regarding implementation.
> > Since the internet RFC has only 2 values for "samesite", the parameter can
> > be bool rather than string so that users can avoid "broken security by a
> > typo". If "samesite" has more than 2 values, the INI handler can be changed
> > so that it can handle both bool and string parameters.
> >
>
> The attribute has 2 possible values, but those are 2 different modes
> of operation *when enabled*, not 2 states in total. It doesn't fit in
> a boolean, and even if it did it wouldn't be forward-compatible that
> way.
>

What do you mean by "those are 2 different modes
of operation *when enabled*, not 2 states in total."?

samesite-value = "Strict" / "Lax"

Flag is flag. It does not matter if it is used as combined values.

An INI value can be bool and string/etc. Even when a 3rd value is added, it
can be supported. Such INIs exist in PHP already.

Regards,

--

Yasuo Ohgaki


Re: [PHP-DEV] [VOTE] Same Site Cookie RFC

2018-07-29 Thread Andrey Andreev
Hi,

On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki wrote:
>
> One thing regarding implementation.
> Since the internet RFC has only 2 values for "samesite", the parameter can
> be bool rather than string so that users can avoid "broken security by a
> typo". If "samesite" has more than 2 values, the INI handler can be changed
> so that it can handle both bool and string parameters.
>

The attribute has 2 possible values, but those are 2 different modes
of operation *when enabled*, not 2 states in total. It doesn't fit in
a boolean, and even if it did it wouldn't be forward-compatible that
way.

Cheers,
Andrey.

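Added example, not part of the thread and not PHP's own INI handler: a sketch of how a string "samesite" setting maps to the states discussed above (attribute omitted, Lax, Strict) while rejecting a misspelled value instead of silently sending no attribute. The function names `parse_samesite` and `build_set_cookie` and the sample settings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: normalise a configured samesite setting to
 * null (attribute omitted), "Lax" or "Strict".
 */
function parse_samesite(?string $raw): ?string
{
    if ($raw === null || trim($raw) === '') {
        return null;                 // state 1: attribute is not sent
    }
    switch (strtolower(trim($raw))) {
        case 'lax':
            return 'Lax';            // state 2
        case 'strict':
            return 'Strict';         // state 3
    }
    // Fail closed: a typo must not quietly disable the protection.
    throw new InvalidArgumentException("Invalid samesite value: '$raw'");
}

/** Hypothetical helper: build the header line for a session-style cookie. */
function build_set_cookie(string $name, string $value, ?string $sameSiteSetting): string
{
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value) . '; Path=/; HttpOnly';
    $mode = parse_samesite($sameSiteSetting);
    if ($mode !== null) {
        $header .= '; SameSite=' . $mode;
    }
    return $header;
}

// Constructed sample settings, including one typo ("Strcit").
foreach ([null, 'lax', 'Strict', 'Strcit'] as $setting) {
    try {
        echo build_set_cookie('sid', 'abc123', $setting), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```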