> On 15 Jul 2025, at 12:09, Dmitry Derepko <[email protected]> wrote:
>
> Hi internals,
>
> In collaboration with Niels Dossche I'd like to start the discussion for an
> RFC proposing a new Cookie option for use with CHIPS technology.
>
> As Niels noted, today is the day when in 4 weeks there will be a code freeze,
> so let's try to fit into the lines and deliver the value to PHP 8.5.
>
> RFC: https://wiki.php.net/rfc/chips
> Implementation: https://github.com/php/php-src/pull/12652
> Previous discussions: https://externals.io/message/127902,
> https://externals.io/message/122028
>
Hi,
1. The RFC says: “CHIPS technology was introduced not so long ago, but still
has “little” adoption (currently “only” available in Blink-based browsers).”
It might be useful to add the following precisions, so that we are more
confident that it has a good chance not to remain a Blink-only feature:
* As of the time of writing, there is an experimental implementation in Firefox.
* The feature has also been implemented in Safari, but has been temporarily
disabled because of an issue known by Apple only.
2. All examples in the RFC are variations on `setcookie("name", "value",
["secure" => true, "partitioned" => true]);`, without same-site attribute.
As partitioned cookies are only meaningful as third-party cookies, what is the
behaviour when:
(a) the same-site attribute is set to anything different from "None"?
(b) the same-site attribute is omitted? (Although historically, omitting the
same-site parameter is equivalent to setting it to "None", browser vendors are
willing to switch the default to "Lax", and some browsers (including
Blink-based ones) have already done the switch.)
In all examples I’ve seen on the web, an explicit `samesite=None` attribute is
added to partitioned cookies, probably for some good reason?
—Claude