Nette Framework 2.4 (2017–01–19)
- David Grudl
- Nette Core | 8228
Nette Framework 2.4 (2017–01–19) has just been released.
This summarizes the differences from the 2016–12–21 release.
Support for CSP & nonce
Added support for Content-Security-Policy & nonce. Can I use nonce? Yes, you can!
Usage in template:
<script n:nonce src="/jquery.js"></script>
<script n:nonce>
...
</script>
and config:
http:
    csp:
        script-src: nonce
        frame-ancestors: none
        form-action: self
        style-src:
            - self
            - https://cdn.example.com
To avoid cutting off browsers that support only CSP 1, we should add a fallback for scripts:
http:
    csp:
        script-src: [
            nonce                # for browsers that support CSP2
            self, unsafe-inline  # for browsers that support CSP1
        ]
Tracy works with nonce automatically.
Related reading:
- CSP 1, CSP 2, CSP 3
- https://developer.mozilla.org/…urity-Policy
- https://githubengineering.com/…csp-journey/
Application
- UIMacros: added n:nonce
For the details you can have a look at the diff.
Latte
- Filters: added |padLeft & |padRight
- FileLoader::normalizePath() does not forget leading ../ nette/latte#138 nette/latte#139
- BlockMacros: removed deprecation warning for {includeblock}, it is deprecated silently
- BlockMacros: dynamic blocks with content-types html & htmlattr are compatible nette/latte#146
- BlockMacros: implemented modifiers for dynamic blocks
- RegexpException: added PREG_JIT_STACKLIMIT_ERROR
- CoreMacros: {status} uses http_response_code(), related to nette/http#113
For the details you can have a look at the diff.
DI
- PhpGenerator: generates native return type hints
- Compiler: added option ‘alteration’
- ContainerBuilder: getDefinitionByType() method added nette/di#130 (nette/di#137)
- ContainerBuilder::literal() can have arguments
- Compiler: fixed notice when overwriting service
- uses Nette\Utils\Reflection::getParameterDefaultValue() to prevent Fatal Error when invalid constant is used
- compatibility with nette/php-generator v3
- ContainerBuilder: support for nullable types in generated factories nette/di#132
- DependencyChecker: fixed serialization of returnType, supports nullable types
- Config\Loader: allow absolute paths in includes section (nette/di#131)
- IniAdapter, NeonAdapter: process() is public nette/di#134
- @return self → static
For the details you can have a look at the diff.
Http
- HttpExtension: added option ‘csp’ for Content-Security-Policy
- Response::setCode() added $reason
- HttpExtension: sends headers via Http\Response
For the details you can have a look at the diff.
Neon
- Decoder: every regexp is possessive nette/neon#36
- Entity: added __set_state() support nette/neon#35
For the details you can have a look at the diff.
PhpGenerator (v2.5)
- added Factory
- Method, Parameter: added support for PHP 7.1 nullable types
- Parameter::from() prevents fatal error when default value is not resolvable
- ClassType: improved rendering of anonymous classes
- add Constant; class constants can have declared visibility and comment
- refactoring: extracted base class Member for properties, methods and constants
- Method::from() sets visibility ‘public’
- Parameters: added hasDefaultValue() as replacement of isOptional()
- deprecated Parameter::from() and Property::from()
Reflection
- AnnotationsParser: sooner $useReflection initialization
- AnnotationsParser: fixed expanding to FQCN in bracketed namespace
- AnnotationParser: support PHP 7 group use statements (nette/di#125)
For the details you can have a look at the diff.
RobotLoader
- added setTempDirectory(), should be used instead of setCacheStorage()
- presence of cacheStorage is checked only in register(), not in rebuild()
For the details you can have a look at the diff.
Utils
- added Reflection
For the details you can have a look at the diff.
Tracy
- added support for Content Security Policy script-src: 'nonce-…' nette/tracy#136
- bar.js: avoid multiple init for bar links nette/tracy#239
- bar.css: resets some other CSS properties and :before and :after (nette/tracy#240)
- bar: showing/hiding of panel is done via CSS classes
- TracyExtension: fixed compatibility with nette/di
- bar.js: evalScripts() uses createElement('script') instead of eval()
- bar.js: monkey patching getResponseHeader() & getAllResponseHeaders() replaced with addEventListener()
For the details you can have a look at the diff.
- David Grudl
- Nette Core | 8228
When you modify an existing service (for example cache.storage or application.application), you can now add the flag alteration to ensure that this service really exists, i.e. that you are really modifying an existing service and not creating a new one. This prevents typos in service names.
services:
    cache.storage:
        create: DifferentClass
        alteration: yes
If the service cache.storage didn't exist, it would throw an exception.
- radas
- Member | 225
How to set CSP directives reflected-xss or referrer, whose values cannot be enclosed in quotes?
config.neon:
http:
    csp:
        form-action: self
        reflected-xss: block
        referrer: no-referrer
produces
form-action: 'self'; reflected-xss 'block'; referrer 'no-referrer';
Correctly it should be
form-action: 'self'; reflected-xss block; referrer no-referrer;
Workaround:
http:
    csp:
        form-action: self
        reflected-xss: " block"
        referrer: " no-referrer"
Last edited by radas (2017-01-20 12:40)
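As an added illustration (not Nette's own HttpExtension code) of the two things discussed in this thread, the release-notes `http: csp:` config with the CSP2 nonce plus CSP1 fallback, and the quoting problem radas describes: a small PHP builder that renders a directives array shaped like the neon section into a header value, single-quoting source-list keywords, expanding `nonce` to a fresh `'nonce-…'`, and leaving bare-token directives such as reflected-xss and referrer unquoted. The directive and keyword lists are assumptions covering the common cases, not a complete CSP grammar.

```php
<?php
// Added illustration (not Nette's HttpExtension code): renders an `http: csp:` section into a CSP header value.
// Directives whose values are source expressions: keywords must be single-quoted.
const CSP_SOURCE_LIST_DIRECTIVES = ['default-src', 'script-src', 'style-src', 'img-src',
    'connect-src', 'font-src', 'object-src', 'media-src', 'frame-src', 'child-src',
    'frame-ancestors', 'form-action', 'base-uri'];
const CSP_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];
/** Fresh 128-bit nonce per response; a reused or guessable nonce defeats the policy. */
function generateCspNonce(): string
{
    return base64_encode(random_bytes(16));
}
/** @param array<string, string|string[]> $directives shaped like the neon csp section (assumed layout) */
function buildCspHeader(array $directives, string $nonce): string
{
    $parts = [];
    foreach ($directives as $name => $values) {
        $name = strtolower($name);
        $isSourceList = in_array($name, CSP_SOURCE_LIST_DIRECTIVES, true);
        $rendered = [];
        foreach ((array) $values as $value) {
            // "self, unsafe-inline" on one line is the comma-separated shorthand used in the notes above
            foreach (preg_split('/[\s,]+/', (string) $value, -1, PREG_SPLIT_NO_EMPTY) as $token) {
                if (!$isSourceList) {
                    $rendered[] = $token;            // referrer no-referrer, reflected-xss block (unquoted)
                } elseif ($token === 'nonce') {
                    $rendered[] = "'nonce-$nonce'";  // CSP2 browsers then ignore 'unsafe-inline'
                } elseif (in_array($token, CSP_KEYWORDS, true) || preg_match('#^sha(256|384|512)-#', $token)) {
                    $rendered[] = "'$token'";        // 'self', 'none', 'sha256-…'
                } else {
                    $rendered[] = $token;            // scheme/host source, e.g. https://cdn.example.com
                }
            }
        }
        $parts[] = trim("$name " . implode(' ', $rendered));
    }
    return implode('; ', $parts);
}

// Constructed input mirroring the configs discussed above, including the bare-token directives.
$nonce = generateCspNonce();
$header = buildCspHeader([
    'script-src' => ['nonce', 'self, unsafe-inline'],  // CSP2 nonce plus CSP1 fallback
    'frame-ancestors' => 'none',
    'style-src' => ['self', 'https://cdn.example.com'],
    'reflected-xss' => 'block',
    'referrer' => 'no-referrer',
], $nonce);
header('Content-Security-Policy: ' . $header);
echo $header, "\n";
```

The same $nonce must then be written into every `<script nonce="…">` tag of that response, which is what the n:nonce macro does for you.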