> On Jul 18, 2017, at 08:37, li...@rhsoft.net wrote:
>
> On 18.07.2017 at 15:23, Frederik Bosch | Genkgo wrote:
>> Hi Andrey,
>> Thanks for your feedback. If we are going to wait for http_cookie_set, then
>> my guess will be that it will take a while before we see samesite cookie
>> implemented. While I totally agree there is need for a new function with a
>> better API, I fail to see why that would mean we cannot have a samesite
>> argument in the set(raw)cookie functions now. The RFC is in line with the
>> design of these functions.
>> With regard to browsers not implementing it, let me quote the current
>> documentation on the httponly argument. "It has been suggested that this
>> setting can effectively help to reduce identity theft through XSS attacks
>> (although it is not supported by all browsers), but that claim is often
>> disputed." Basically it says that it is not supported by all browsers, but
>> provides help reducing XSS attacks. I don't see the difference with samesite.
>
> which browser in 2017 does not support 'httponly'?
> that was true a decade ago, now that paragraph in the docs is just FUD

(/me nods) Perhaps the same will be true for "samesite".

--
Paul M. Jones
pmjone...@gmail.com
http://paul-m-jones.com

Modernizing Legacy Applications in PHP
https://leanpub.com/mlaphp

Solving the N+1 Problem in PHP
https://leanpub.com/sn1php

--
PHP Internals - PHP Runtime Development Mailing List