Nette Framework 2.4 (2017-01-19)

David Grudl
Nette Core | 7975

Nette Framework 2.4 (2017-01-19) has just been released.

This summarizes the differences from release 2016-12-21.

Support for CSP & nonce

Added support for Content-Security-Policy & nonce. Can I use nonce? Yes, you can!

Usage in template:

<script n:nonce src="/jquery.js"></script>

<script n:nonce>

and config:

		script-src: nonce
		frame-ancestors: none
		form-action: self
			- self

To not cut off browsers that support only CSP-1, we should add a fallback for scripts:

		script-src: [
			nonce                 # for browsers that support CSP2
			self, unsafe-inline   # for browsers that support CSP1
		]

Tracy works with nonce automatically.



  • UIMacros: added n:nonce

For the details you can have a look at the diff.


  • Filters: added |padLeft & |padRight
  • FileLoader::normalizePath() does not forget leading ../ nette/latte#138 nette/latte#139
  • BlockMacros: removed deprecation warning for {includeblock}, it is deprecated silently
  • BlockMacros: dynamic blocks with content-types html & htmlattr are compatible nette/latte#146
  • BlockMacros: implemented modifiers for dynamic blocks
  • RegexpException: added PREG_JIT_STACKLIMIT_ERROR
  • CoreMacros: {status} uses http_response_code() related to nette/http#113

For the details you can have a look at the diff.


  • PhpGenerator: generates native return type hints
  • Compiler: added option ‘alteration’
  • ContainerBuilder: getDefinitionByType() method added nette/di#130 (nette/di#137)
  • ContainerBuilder::literal() can have arguments
  • Compiler: fixed notice when overwriting service
  • uses Nette\Utils\Reflection::getParameterDefaultValue() to prevent Fatal Error when invalid constant is used
  • compatibility with nette/php-generator v3
  • ContainerBuilder: support for nullable types in generated factories nette/di#132
  • DependencyChecker: fixed serialization of returnType, supports nullable types
  • Config\Loader: allow absolute paths in includes section (nette/di#131)
  • IniAdapter, NeonAdapter: process() is public nette/di#134
  • @return self → static

For the details you can have a look at the diff.


  • HttpExtension: added option ‘csp’ for Content-Security-Policy
  • Response::setCode() added $reason
  • HttpExtension: sends headers via Http\Response

For the details you can have a look at the diff.



PhpGenerator (v2.5)

  • added Factory
  • Method, Parameter: added support for PHP 7.1 nullable types
  • Parameter::from() prevents fatal error when default value is not resolvable
  • ClassType: improved rendering of anonymous classes
  • add Constant; class constants can have declared visibility and comment
  • refactoring: extracted base class Member for properties, methods and constants
  • Method::from() sets visibility ‘public’
  • Parameters: added hasDefaultValue() as replacement of isOptional()
  • deprecated Parameter::from() and Property::from()


  • AnnotationsParser: sooner $useReflection initialization
  • AnnotationsParser: fixed expanding to FQCN in bracketed namespace
  • AnnotationParser: support PHP 7 group use statements (nette/di#125)

For the details you can have a look at the diff.


  • added setTempDirectory(), should be used instead of setCacheStorage()
  • presence of cacheStorage is checked only in register(), not in rebuild()

For the details you can have a look at the diff.




  • added support for Content Security Policy script-src: ‘nonce-…’ nette/tracy#136
  • bar.js: avoid multiple init for bar links nette/tracy#239
  • bar.css: resets some other CSS properties and :before and :after (nette/tracy#240)
  • bar: showing/hiding of panel is done via CSS classes
  • TracyExtension: fixed compatibility with nette/di
  • bar.js: evalScripts() uses createElement('script') instead of eval()
  • bar.js: monkey patching getResponseHeader() & getAllResponseHeaders() replaced with addEventListener()

For the details you can have a look at the diff.

Member | 140

Thanks for the release. Just a quick question – what is alteration for in Nette/DI?

David Grudl
Nette Core | 7975

When you modify an existing service (for example or application.application), you can now add the flag alteration to ensure that this service really exists, i.e. that you are really modifying an existing service and not creating a new one. This serves as prevention of a typo in the service name.

		create: DifferentClass
		alteration: yes

If the service doesn't exist, it throws an exception.

Member | 219

How to set CSP directives reflected-xss or referrer, whose values cannot be enclosed in quotes?

CSP Evaluator


    form-action: self
    reflected-xss: block
    referrer: no-referrer


form-action: 'self'; reflected-xss 'block'; referrer 'no-referrer';

Correctly it should be

form-action: 'self'; reflected-xss block; referrer no-referrer;


    form-action: self
    reflected-xss: " block"
    referrer: " no-referrer"

Last edited by radas (2017-01-20 12:40)

David Grudl
Nette Core | 7975

I didn't find these directives even in CSP 1, CSP 2 or (working draft) CSP 3.

The “unquoted” directive is sandbox and it is currently supported only as a string:

		sandbox: "allow-forms allow-scripts"
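
The header that such a configuration has to turn into, as an added PHP sketch that is not Nette's implementation and not part of any post in this thread. It covers both the nonce with CSP1 fallback from the announcement and the quoted versus unquoted values discussed in the replies; the function buildCsp(), its keyword list and the sample policy are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nette's code: buildCsp() and its keyword list are assumptions.
function buildCsp(array $directives, string $nonce): string
{
	// Keyword sources are single-quoted in the header; hosts and schemes are not.
	$keywords = ['self', 'none', 'unsafe-inline', 'unsafe-eval'];
	$parts = [];
	foreach ($directives as $name => $values) {
		if (is_string($values) && strpos($values, ' ') !== false) {
			// A ready-made string ("allow-forms allow-scripts") is passed through unquoted.
			$parts[] = "$name $values";
			continue;
		}
		$items = [];
		foreach ((array) $values as $item) {
			if ($item === 'nonce') {
				$items[] = "'nonce-$nonce'"; // must equal the nonce attribute on <script>
			} elseif (in_array($item, $keywords, true)) {
				$items[] = "'$item'";
			} else {
				$items[] = $item; // host, scheme or flag token: left unquoted
			}
		}
		$parts[] = $name . ' ' . implode(' ', $items);
	}
	return implode('; ', $parts) . ';';
}

// One unpredictable nonce per response; it is never reused across requests.
$nonce = base64_encode(random_bytes(16));

// Constructed policy mirroring the directives discussed in this thread.
$policy = [
	// CSP2 browsers honour the nonce and ignore 'unsafe-inline' when a nonce is present;
	// CSP1 browsers ignore the nonce and fall back to 'self' 'unsafe-inline'.
	'script-src' => ['nonce', 'self', 'unsafe-inline'],
	'frame-ancestors' => 'none',
	'form-action' => 'self',
	'sandbox' => 'allow-forms allow-scripts',
];

$header = buildCsp($policy, $nonce);
header("Content-Security-Policy: $header"); // sent before any output
echo '<script nonce="', htmlspecialchars($nonce, ENT_QUOTES), '" src="/jquery.js"></script>', "\n";
```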