Re: [RFC] [Discussion] CHIPS

From: Date: Sun, 20 Jul 2025 09:14:05 +0000
Subject: Re: [RFC] [Discussion] CHIPS
References: 1 2  Groups: php.internals 
Request: Send a blank email to internals+get-128140@lists.php.net to get a copy of this message
On 18/07/2025 16:15, Claude Pache wrote:
> Hi,
> 

Hi Claude

> 1. The RFC says: “CHIPS technology was introduced not so long ago, but still has “little”
> adoption (currently “only” available in Blink-based browsers).”
> 
> It might be useful to add the following precisions, so that we are more confident that it has
> a good chance not to remain a Blink-only feature:
> * As of time of writing, there is an experimental implementation in Firefox.
> * The feature has also been implemented in Safari, but has been temporarily disabled because of
> an issue known by Apple only.
> 

Sure! Those are good points to clarify the introduction. Thanks!

> 
> 2. All examples in the RFC are variations on
> setcookie("name", "value", ["secure" => true, "partitioned" => true]);
> without a same-site attribute.
> 
> As partitioned cookies are only meaningful as third-party cookies, what is the behaviour when:
> 
> (a) the same-site attribute is set to anything different from "None"?
> (b) the same-site attribute is omitted? (Although historically, omitting the same-site
> parameter is equivalent to setting it to "None", browser vendors are willing to switch the
> default to "Lax", and some browsers (including Blink-based ones) have already done the
> switch.)
> 
> In all examples I’ve seen on the web, an explicit samesite=None attribute is
> added to partitioned cookies, probably for some good reason?

Yep, all examples use "samesite=None" because you need that to create a 3rd party cookie.
So including "Partitioned" without "samesite=None" is useless in those cases.
Although if "samesite=Lax" is still the default for a particular browser, then it
won't be useless, but I believe the goal is - as you said - to switch all browsers over to
"samesite=None".
According to https://github.com/privacycg/CHIPS,
the following will happen:

(a) The cookie won't be sent to a 3rd party context and "Partitioned" won't have
an effect. The cookie header is still interpreted correctly so it will have an effect on the origin
site, just not in a 3rd party context.
(b) Depends on what the default is for a particular browser.

Kind regards
Niels
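
The two cases discussed above (an explicit SameSite value other than None, and an omitted SameSite attribute evaluated against a browser default), worked through as an added example that is not part of this thread, of the RFC, or of php-src. The header builder only mimics the shape of PHP's setcookie() options array, and its attribute order is an assumption of the example; the acceptance rules (Partitioned and SameSite=None both require Secure; Partitioned only matters for a cookie that can be sent cross-site at all) are taken from the CHIPS explainer at https://github.com/privacycg/CHIPS and RFC 6265bis; the browserDefault parameter stands in for whatever a given browser applies when SameSite is omitted.

```javascript
// Added example, not code from the RFC or from php-src. It models what a
// browser does with the Set-Cookie line that setcookie("name", "value",
// ["secure" => true, "partitioned" => true]) would emit, under a configurable
// default for an omitted SameSite attribute.

// Canonical spellings; SameSite values are matched case-insensitively and an
// unknown value is treated like an omitted attribute (RFC 6265bis "Default").
const SAMESITE_VALUES = { none: "None", lax: "Lax", strict: "Strict" };

// Assemble a Set-Cookie line from an options object shaped like PHP's
// setcookie() options array (keys secure, httponly, samesite, partitioned).
// The attribute order here is an assumption of this example, not PHP's output.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  if (opts.secure) parts.push("Secure");
  if (opts.httponly) parts.push("HttpOnly");
  if (opts.samesite) parts.push(`SameSite=${opts.samesite}`);
  if (opts.partitioned) parts.push("Partitioned");
  return parts.join("; ");
}

// Parse a Set-Cookie line into the attributes this example cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    secure: false,
    httponly: false,
    partitioned: false,
    samesite: null, // null means "attribute omitted or unrecognised"
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httponly = true;
    else if (key === "partitioned") cookie.partitioned = true;
    else if (key === "samesite") cookie.samesite = SAMESITE_VALUES[val.toLowerCase()] ?? null;
  }
  return cookie;
}

// Decide whether the cookie is stored, whether it can be sent from an embedded
// (cross-site / third-party) context, and whether Partitioned changes anything.
// browserDefault is what the browser applies when SameSite is omitted:
// "Lax" for current Blink-based browsers, "None" for the historical behaviour.
function evaluate(header, browserDefault = "Lax") {
  const c = parseSetCookie(header);
  // CHIPS: a Partitioned cookie must also be Secure.
  if (c.partitioned && !c.secure) {
    return { stored: false, reason: "Partitioned requires Secure" };
  }
  // Browsers reject an explicit SameSite=None that is not Secure.
  if (c.samesite === "None" && !c.secure) {
    return { stored: false, reason: "SameSite=None requires Secure" };
  }
  const effectiveSameSite = c.samesite ?? browserDefault;
  const sentCrossSite = effectiveSameSite === "None";
  return {
    stored: true,
    effectiveSameSite,
    sentCrossSite,
    // Partitioning only has an effect for a cookie that can reach a
    // third-party context in the first place; otherwise it is an ordinary
    // first-party cookie carrying an inert attribute.
    partitionedEffective: c.partitioned && sentCrossSite,
  };
}

// Walk the cases from the thread: no SameSite (under both defaults), explicit
// SameSite=None, and explicit SameSite=Strict.
const cases = [
  [buildSetCookie("name", "value", { secure: true, partitioned: true }), "Lax"],
  [buildSetCookie("name", "value", { secure: true, partitioned: true }), "None"],
  [buildSetCookie("name", "value", { secure: true, samesite: "None", partitioned: true }), "Lax"],
  [buildSetCookie("name", "value", { secure: true, samesite: "Strict", partitioned: true }), "Lax"],
];
for (const [header, dflt] of cases) {
  console.log(`${header}  [default ${dflt}] ->`, evaluate(header, dflt));
}
```

The Strict case is stored and used normally on the setting site but never reaches an embedded context, so Partitioned is inert there; the omitted-SameSite case flips between "useless" and "works" purely on the browser's default, which is why explicit SameSite=None is the only portable spelling.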

