Re: [PHP-DEV] Partitioned cookies

2023-12-24 Thread Niels Dossche
Hi

On 24/12/2023 17:04, Derick Rethans wrote:
> On 24 December 2023 12:46:40 CET, Niels Dossche wrote:
>> Hi internals
>>
>> I opened a PR [1] to implement Partitioned cookie support, as requested on 
>> the bugtracker [2], into the setcookie() PHP function. This is done by 
>> adding an option to the $options array, not via an additional argument to 
>> the function. The amount of code to support this is tiny.
>>
>> This cookie option is being pushed by browser vendors (primarily by Google 
>> it seems) to eliminate third-party cookies [3, 4]. One of the impacts here 
>> is that cookies marked with "SameSite=None; Secured" without "Partitioned" 
>> will stop working eventually during 2024.
>>
>> Although the Partitioned cookie proposal is still a draft, Chrome will apply 
>> the change starting in January 2024 for a tiny percentage of users (as a 
>> form of A/B testing it seems). Symfony has already implemented support for 
>> this option as well [5].
>> The SameSite option was also added in PHP when it was still in a draft.
>>
>> Let me know what you think and if you are okay / objecting to merging this 
>> PR.
> 
> 
> I've two concerns (none with the PR, as I haven't checked):
> 
> - Compatibility: 
> https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies#browser_compatibility

Right, indeed it is only supported by Blink-based browsers right now.
It is on the roadmap for Safari and Firefox for 2024 according to 
https://developer.mozilla.org/en-US/blog/goodbye-third-party-cookies/

> - What happens if it just stays a draft, or doesn't get accepted, or with a 
> different name?

Good question, no idea.

> 
> And also, would/should the PHP function enforce that this should only be set 
> if for example Secure is set too? And if so, with a warning or TypeError?

This constraint is enforced already in the PR.
If you try to set it without setting Secure, a ValueError is thrown.
This is consistent with how other options can also throw a ValueError if 
constraints are broken.

> 
> cheers
> Derick 

Kind regards
Niels

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
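
The constraint discussed in the message above (Partitioned rejected with a ValueError unless Secure is also set), as an added example that is not part of the thread and is not the PR's code. The helper `build_cookie_header()` and its option keys, including `partitioned`, are hypothetical names chosen for illustration; the cookie name and value are constructed sample input.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not PHP's setcookie() and not the PR's code): builds a
 * Set-Cookie header value and applies the rule described in the thread, that
 * Partitioned is rejected with a ValueError unless Secure is also set.
 */
function build_cookie_header(string $name, string $value, array $options = []): string
{
    // Reject characters that would let a name or attribute break out of the header.
    if ($name === '' || preg_match('/[=,; \t\r\n\x0b\x0c]/', $name)) {
        throw new ValueError('Cookie name is empty or contains invalid characters');
    }
    foreach (['path', 'domain', 'samesite'] as $key) {
        if (isset($options[$key]) && preg_match('/[;\r\n]/', (string) $options[$key])) {
            throw new ValueError("Option \"$key\" contains invalid characters");
        }
    }

    $secure      = !empty($options['secure']);
    $partitioned = !empty($options['partitioned']);
    // Fail loudly at the call site instead of emitting a cookie the browser would discard.
    if ($partitioned && !$secure) {
        throw new ValueError('Partitioned cookies must also be Secure');
    }

    $parts = [$name . '=' . rawurlencode($value)];
    if (isset($options['path']))      { $parts[] = 'Path=' . $options['path']; }
    if (isset($options['domain']))    { $parts[] = 'Domain=' . $options['domain']; }
    if ($secure)                      { $parts[] = 'Secure'; }
    if (!empty($options['httponly'])) { $parts[] = 'HttpOnly'; }
    if (isset($options['samesite']))  { $parts[] = 'SameSite=' . $options['samesite']; }
    if ($partitioned)                 { $parts[] = 'Partitioned'; }

    return implode('; ', $parts);
}

// Constructed sample input: a cookie set from a third-party embed.
$opts = ['path' => '/', 'secure' => true, 'httponly' => true,
         'samesite' => 'None', 'partitioned' => true];
echo build_cookie_header('embed_session', 'abc123', $opts), PHP_EOL;

// Same cookie without Secure: the constraint turns it into an exception.
try {
    build_cookie_header('embed_session', 'abc123', ['samesite' => 'None', 'partitioned' => true]);
} catch (ValueError $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```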



Re: [PHP-DEV] Partitioned cookies

2023-12-24 Thread Derick Rethans
On 24 December 2023 12:46:40 CET, Niels Dossche wrote:
>Hi internals
>
>I opened a PR [1] to implement Partitioned cookie support, as requested on the 
>bugtracker [2], into the setcookie() PHP function. This is done by adding an 
>option to the $options array, not via an additional argument to the function. 
>The amount of code to support this is tiny.
>
>This cookie option is being pushed by browser vendors (primarily by Google it 
>seems) to eliminate third-party cookies [3, 4]. One of the impacts here is 
>that cookies marked with "SameSite=None; Secured" without "Partitioned" will 
>stop working eventually during 2024.
>
>Although the Partitioned cookie proposal is still a draft, Chrome will apply 
>the change starting in January 2024 for a tiny percentage of users (as a form 
>of A/B testing it seems). Symfony has already implemented support for this 
>option as well [5].
>The SameSite option was also added in PHP when it was still in a draft.
>
>Let me know what you think and if you are okay / objecting to merging this PR.


I've two concerns (none with the PR, as I haven't checked):

- Compatibility: 
https://developer.mozilla.org/en-US/docs/Web/Privacy/Partitioned_cookies#browser_compatibility
- What happens if it just stays a draft, or doesn't get accepted, or with a 
different name?

And also, would/should the PHP function enforce that this should only be set if 
for example Secure is set too? And if so, with a warning or TypeError?

cheers
Derick
