Open robrwo opened 3 years ago
Do you have a link to the specification? I still only see the draft on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#specifications.
Note that the experimental designation is a Mojolicious designation, not based on how many browsers support it.
The MDN page links to https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05 but that draft links to a newer version https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-08
> Note that the experimental designation is a Mojolicious designation, not based on how many browsers support it.
The wording suggests that it is so because the specification isn't final, but support by major browsers (and now enforcement of cookie policies) suggests that there won't be significant changes at this point.
See also the documentation for Mojo::Cookie::Response, which also refers to this as "experimental".
Also note that the experimental designation for Mojolicious is problematic. Because web browsers are requiring this now, applications need to use SameSite cookies. The designation suggests that applications which configure this may break because of a change in the interface.
Unless the Mojolicious developers are actually considering a different interface for this, it is not a useful label.
The Changes page says that it was added in 8.11. Mojolicious is now at version 9.22, more than 80 releases and one major version later.
We are keeping it experimental until there's a stable spec we can follow.
Steps to reproduce the behavior
The documentation Mojolicious::Sessions for samesite states that
Expected behavior
The documentation should be updated to no longer label this as experimental. Major web browsers support this and will start enforcing SameSite cookie policies.
Actual behavior
N/A