[HttpFoundation] Cookies Having Independent Partitioned State (CHIPS) #52002
Conversation
|
Hey! I see that this is your first PR. That is great! Welcome! Symfony has a contribution guide which I suggest you to read. In short:
Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change. When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor! I am going to sit back now and wait for the reviews. Cheers! Carsonbot |
|
Please rebase your branch. We cannot merge PRs containing merge commits. Thanks |
Thanks @OskarStark, that was unintentional. Cleaned up. |
|
Lovely. Thank you for this PR. What a great first contribution! I agree with all your changes, but I am a bit hesitant on adding types to protected properties (which is not mentioned in our BC policy). If you want this PR to get a quick merge, I suggest you remove all unrelated changes. Example: Changing the existing properties and doing Doing this will make sure the discussions are only focus on the Also, can you please have a look on the fabbot.io CI job? |
|
I agree. Apart from a very low likelyhood of a BC, typed attributes can wait until a major release. I further reverted the All |
|
Status: Needs Review |
6033e39 to
9d1d441
Compare
There was a problem hiding this comment.
LGTM thanks. I think this feature is important to have for 6.4!
I pushed some minor changes, see https://github.com/symfony/symfony/compare/9e0b944c1f6a0ceeb005eba148c7e5aba19c257f..9d1d4415914b7d4412c93d41ebae0f2db3c1b221
|
Thanks @nicolas-grekas! That forward compatibility modification is great. As you said, it makes sense (if possible) to ship it with 6.4 so we don't fall behind the current pace of major browsers. |
|
Thank you @fabricecw. |
This PR was squashed before being merged into the 6.4 branch. Discussion ---------- [HttpFoundation] Fix clearing CHIPS cookies | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | N/A | License | MIT Related PR: - #52002 This PR is the continuation of #52002 to add the `partitioned` parameter when we want to clear a cookie with this parameter. Besides, this PR adds this parameter for deleted cookies on logout. Commits ------- bfe2670 [HttpFoundation] Fix clearing CHIPS cookies
Due to Chrome's roadmap (and all other major browsers) to phase out third-party cookies starting from midway through 2024, "partitioned" cookies were introduced. If a cookie is flagged as
partitioned, its cross-site boundry is tied to the top-level site.Considerations: According to current security design, browser will only accept partitioned cookies with the
secureflag andSameSiteattributenone(otherwise it isn't a third-party cookie...). I classified this as an implementation topic and therefore omitted this validation in the Cookie class itself.Further information: