On Mon, Jul 30, 2018 at 5:46 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Sun, Jul 29, 2018 at 9:27 PM Andrey Andreev <n...@devilix.net> wrote:
>>
>> Hi,
>>
>> On Sun, Jul 29, 2018 at 7:22 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> >
>> > One thing regarding implementation.
>> > Since the internet RFC has only 2 values for "samesite", the parameter can be
>> > bool rather than string so that users can avoid "broken security by a typo".
>> > If "samesite" has more than 2 values, the INI handler can be changed so that
>> > it can handle both bool and string parameters.
>> >
>>
>> The attribute has 2 possible values, but those are 2 different modes
>> of operation *when enabled*, not 2 states in total. It doesn't fit in
>> a boolean, and even if it did it wouldn't be forward-compatible that
>> way.
>
>
> What do you mean by "those are 2 different modes
> of operation *when enabled*, not 2 states in total. "?
>
> samesite-value = "Strict" / "Lax"
>
> Flag is flag. It does not matter if it is used as combined values.
>
> An INI value can be bool and string/etc. Even when 3rd value is added, it can
> be supported. Such INIs exist in PHP already.
>

A boolean makes sense for Secure and HTTPonly, where the flag either
exists or not. That's not what we have here, as SameSite=Lax is not
the same thing as not having SameSite at all.

bool(false) may make sense as an Off switch, yes, but that's not what
you suggested ...

Cheers,
Andrey.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
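
The three states discussed in this thread (no SameSite attribute, `SameSite=Lax`, `SameSite=Strict`) and the "broken security by a typo" concern, as an added example that is not part of the original messages and is not PHP's INI handler. The function names `normalizeSameSite` and `buildSetCookie` and the sample cookie are hypothetical; the sketch accepts `false` as an off switch, accepts the two string modes, and rejects anything else instead of silently omitting the attribute.

```php
<?php
declare(strict_types=1);

/**
 * Map a configuration value to a SameSite mode (hypothetical helper).
 * Returns null when the attribute must be omitted, otherwise "Lax" or "Strict".
 */
function normalizeSameSite($value): ?string
{
    // Off switch: bool(false), null or an empty string means "send no SameSite attribute".
    if ($value === false || $value === null || $value === '') {
        return null;
    }
    if (is_string($value)) {
        $allowed = ['lax' => 'Lax', 'strict' => 'Strict'];
        $key = strtolower(trim($value));
        if (isset($allowed[$key])) {
            return $allowed[$key];
        }
    }
    // Fail closed: a typo such as "Strcit" must not silently drop the attribute,
    // and bool(true) is rejected because it does not say which mode is meant.
    throw new InvalidArgumentException('Invalid samesite value: ' . var_export($value, true));
}

/** Build a Set-Cookie header line (hypothetical helper; fixed Path/Secure/HttpOnly). */
function buildSetCookie(string $name, string $value, $sameSite): string
{
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value) . '; Path=/; Secure; HttpOnly';
    $mode = normalizeSameSite($sameSite);
    if ($mode !== null) {
        $header .= '; SameSite=' . $mode;
    }
    return $header;
}

// Constructed sample inputs: the three valid states, a typo, and bool(true).
foreach ([false, 'Lax', 'strict', 'Strcit', true] as $input) {
    try {
        echo buildSetCookie('sid', 'abc123', $input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```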