
[Documentation] SameSite cookies is no longer experimental

Open robrwo opened this issue 4 years ago • 6 comments

  • Mojolicious version: 9.21
  • Perl version: N/A
  • Operating system: N/A

Steps to reproduce the behavior

The Mojolicious::Sessions documentation for samesite states that:

> Note that this attribute is EXPERIMENTAL because even though most commonly used browsers support the feature, there is no specification yet besides this draft.

Expected behavior

The documentation should be updated to no longer label this as experimental. Major web browsers support this and will start enforcing SameSite cookie policies.

Actual behavior

N/A

robrwo avatar Sep 01 '21 15:09 robrwo

Do you have a link to the specification? I still only see the draft on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#specifications.

Note that the experimental designation is a Mojolicious designation, not based on how many browsers support it.

Grinnz avatar Sep 01 '21 15:09 Grinnz

The MDN page links to https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05 but that draft links to a newer version https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-08

robrwo avatar Sep 01 '21 16:09 robrwo

> Note that the experimental designation is a Mojolicious designation, not based on how many browsers support it.

The wording suggests that it is so because the specification isn't final, but support by major browsers (and now enforcement of cookie policies) suggests that there won't be significant changes at this point.

robrwo avatar Sep 01 '21 16:09 robrwo

See also the documentation for Mojo::Cookie::Response that also refers to this as "experimental".

robrwo avatar Sep 06 '21 14:09 robrwo

Also note that the experimental designation for Mojolicious is problematic. Because web browsers are requiring this now, applications need to use SameSite cookies. The designation suggests that applications which configure this may break because of a change in the interface.

Unless the Mojolicious developers are actually considering a different interface for this, it is not a useful label.

The Changes page says that it was added in 8.11. Mojolicious is now at version 9.22, more than 80 releases and one major version later.

robrwo avatar Oct 21 '21 13:10 robrwo

We are keeping it experimental until there's a stable spec we can follow.

kraih avatar Oct 21 '21 19:10 kraih