On Mon, Jul 30, 2018 at 6:51 PM Andrey Andreev <n...@devilix.net> wrote:
> On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev <n...@devilix.net> wrote:
> >>
> >> Hi,
> >>
> >> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> >> >
> >> > One thing regarding implementation.
> >> > Since the internet RFC has only 2 values for "samesite", the parameter can be
> >> > bool rather than string so that users can avoid "broken security by a typo".
> >> > If "samesite" has more than 2 values, the INI handler can be changed so that
> >> > it can handle both bool and string parameters.
> >> >
> >>
> >> The attribute has 2 possible values, but those are 2 different modes
> >> of operation *when enabled*, not 2 states in total. It doesn't fit in
> >> a boolean, and even if it did it wouldn't be forward-compatible that
> >> way.
> >
> >
> > What do you mean by "those are 2 different modes
> > of operation *when enabled*, not 2 states in total."?
> >
> > samesite-value = "Strict" / "Lax"
> >
> > A flag is a flag. It does not matter if it is used as combined values.
> >
> > An INI value can be bool and string/etc. Even when a 3rd value is added, it can
> > be supported. Such INIs exist in PHP already.
> >
>
> A boolean makes sense for Secure and HTTPonly, where the flag either
> exists or not. That's not what we have here, as SameSite=Lax is not
> the same thing as not having SameSite at all.
>
> bool(false) may make sense as an Off switch, yes, but that's not what
> you suggested ...
>

Bool actually has 3 values: true/false/null (empty). So there isn't an issue with it being a bool INI.
It's much more secure than a string, since the current code does not have validation, i.e. a typo breaks the security setting.

Regards,

-- 
Yasuo Ohgaki
yohg...@ohgaki.net
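The "typo breaks the security setting" point above, as an added example that is not part of the thread and not code from the PHP source tree. It assumes a SameSite value read from a string setting (in real use it would come from ini_get('session.cookie_samesite'); here a constructed typo is used instead) and shows the unvalidated pass-through beside an allowlist check. The SAMESITE_ALLOWED constant, the helper names and the inclusion of "None" (a later addition, not among the two values the thread discusses) are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or from PHP's own ext/session code.
// Allowed SameSite values. The thread covers only "Strict" and "Lax";
// "None" is included as an assumption for newer browsers and is only
// meaningful together with the Secure flag.
const SAMESITE_ALLOWED = ['Strict', 'Lax', 'None'];

/**
 * Unvalidated behaviour: whatever string the setting holds is copied into
 * the Set-Cookie header verbatim. A typo such as "Stict" yields an
 * attribute browsers do not recognise, so the cookie ends up with no
 * SameSite protection at all, and nothing on the server side notices.
 */
function cookie_header_unvalidated(string $name, string $value, string $samesite): string
{
    $header = "Set-Cookie: {$name}={$value}; Path=/; HttpOnly";
    if ($samesite !== '') {
        $header .= '; SameSite=' . $samesite;
    }
    return $header;
}

/**
 * Allowlist check: accept the value case-insensitively, return the
 * canonical spelling, and reject everything else loudly instead of
 * emitting a meaningless attribute.
 */
function normalize_samesite(string $samesite): string
{
    foreach (SAMESITE_ALLOWED as $allowed) {
        if (strcasecmp($samesite, $allowed) === 0) {
            return $allowed;
        }
    }
    throw new InvalidArgumentException(
        "Invalid SameSite value '{$samesite}'; expected one of " . implode(', ', SAMESITE_ALLOWED)
    );
}

/**
 * Hardened variant: validates the value first and always sets Secure, so
 * SameSite=None (which browsers only honour on Secure cookies) stays valid.
 */
function cookie_header_validated(string $name, string $value, string $samesite): string
{
    $samesite = normalize_samesite($samesite);
    return "Set-Cookie: {$name}={$value}; Path=/; Secure; HttpOnly; SameSite={$samesite}";
}

// Constructed input: an operator meant "Strict" and mistyped it.
$configured = 'Stict';

// The unvalidated path silently ships the typo in the header.
echo cookie_header_unvalidated('PHPSESSID', 'abc123', $configured), PHP_EOL;

// The validated path refuses it, which is the behaviour a bool (or a
// validated string) INI would give for free.
try {
    echo cookie_header_validated('PHPSESSID', 'abc123', $configured), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// A correctly spelled value (any case) passes, and on PHP >= 7.3 it can be
// applied to the session cookie through the array form of
// session_set_cookie_params().
$ok = normalize_samesite('strict');
if (PHP_VERSION_ID >= 70300) {
    session_set_cookie_params(['samesite' => $ok, 'secure' => true, 'httponly' => true]);
}
echo cookie_header_validated('PHPSESSID', 'abc123', $ok), PHP_EOL;
```

Run it with the PHP CLI. The first line printed carries the typo through as "SameSite=Stict", the second reports the rejection, and the third shows the canonical "SameSite=Strict"; the difference between the first two lines is the whole argument about unvalidated string settings.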