Home
Release Announcements & News
Nette Framework 2.4 (2017–01–19)

Nette Framework 2.4 (2017–01–19)

Notice: This thread is very old.

David Grudl: Nette Core | 8218

+

+24

-

Nette Framework 2.4 (2017–01–19) has just been released.

This summarizes the differences from release 2016–12–21

Support for CSP & nonce

Added support for Content-Security-Policy & nonce. Can I use nonce? Yes, you can!

Usage in template:

<script n:nonce src="/jquery.js"></script>

<script n:nonce>
...
</script>

and config:

http:
	csp:
		script-src: nonce
		frame-ancestors: none
		form-action: self
		style-src:
			- self
			- https://cdn.example.com

To not cut off browsers that support only CSP-1, we should add for scripts a fallback:

http:
	csp:
		script-src: [
			nonce                 # for browsers that support CSP2
			self, unsafe-inline   # for browsers that support CSP1
		]

Tracy works with nonce automatically.

Related reading:

Application

UIMacros: added n:nonce

For the details you can have a look at the diff.

Latte

Filters: added |padLeft & |padRight
FileLoader::normalizePath() not forget leading ../ nette/latte#138 nette/latte#139
BlockMacros: removed deprecation warning for {includeblock}, it is deprecated silently
BlockMacros: dynamic blocks with content-types html & htmlattr are compatible nette/latte#146
BlockMacros: implemented modifies for dynamic blocks
RegexpException: added PREG_JIT_STACKLIMIT_ERROR
CoreMacros: {status} uses http_response_code() related to nette/http#113

For the details you can have a look at the diff.

DI

PhpGenerator: generates native return type hints
Compiler: added option ‘alteration’
ContainerBuilder: getDefinitionByType() method added nette/di#130 (nette/di#137)
ContainerBuilder::literal() can have arguments
Compiler: fixed notice when overwriting service
uses Nette\Utils\Reflection::getParameterDefaultValue() to prevent Fatal Error when invalid constant is used
compatibility with nette/php-generator v3
ContainerBuilder: support for nullable types in generated factories nette/di#132
DependencyChecker: fixed serialization of returnType, supports nullable types
Config\Loader: allow absolute paths in includes section (nette/di#131)
IniAdapter, NeonAdapter: process() is public nette/di#134
@return self → static

For the details you can have a look at the diff.

Http

HttpExtension: added option ‘csp’ for Content-Security-Policy
Response::setCode() added $reason
HttpExtension: sends headers via Http\Response

For the details you can have a look at the diff.

Neon

Decoder: every regexp are possessive nette/neon#36
Entity: added __set_state() support nette/neon#35

For the details you can have a look at the diff.

PhpGenerator (v2.5)

added Factory
Method, Parameter: added support for PHP 7.1 nullable types
Parameter::from() prevents fatal error when default value is not resolvable
ClassType: improved rendering of anonymous classes
add Constant; class constants can have declared visibility and comment
refactoring: extracted base class Member for properties, methods and constants
Method::from() sets visibility ‘public’
Parameters: added hasDefaultValue() as replacement of isOptional()
deprecated Parameter::from() and Property::from()

Reflection

AnnotationsParser: sooner $useReflection initialization
AnnotationsParser: fixed expanding to FQCN in bracketed namespace
AnnotationParser: support PHP 7 group use statements (nette/di#125)

For the details you can have a look at the diff.

RobotLoader

added setTempDirectory(), should be used instead of setCacheStorage()
presence of cacheStorage is checked only in register(), not in rebuild()

For the details you can have a look at the diff.

Utils

added Reflection

For the details you can have a look at the diff.

Tracy

added support for Content Security Policy script-src: ‘nonce-…’ nette/tracy#136
bar.js: avoid multiple init for bar links nette/tracy#239
bar.css: resets some other CSS properties and :before and :after (nette/tracy#240)
bar: showing/hiding of panel is done via CSS classes
TracyExtension: fixed compatibility with nette/di
bar.js: evalScripts() uses createElement(‘script’) instead of eval()
bar.js: monkey patching getResponseHeader() & getAllResponseHeaders() replaced with addEventListener()

For the details you can have a look at the diff.

mrtnzlml: Member | 140

+

0

-

Thanks for the release. Just a quick question – what is alteration for in Nette/DI?

David Grudl: Nette Core | 8218

+

+9

-

When you modify an existing service (for example cache.storage or application.application), you can now add flag alteration to ensure, that this service really exists, ie that you are really modify existing service and not creating a new one. As prevention of typo in service name.

services:
	cache.storage:
		create: DifferentClass
		alteration: yes

If the service cache.storage didn't exist, it threw exception.

radas: Member | 224

+

0

-

How to set CSP directives reflected-xss or referrer, whose values can not be enclosed in quotes?

config.neon:

http:
  csp:
    form-action: self
    reflected-xss: block
    referrer: no-referrer

produces

form-action: 'self'; reflected-xss 'block'; referrer 'no-referrer';

Correctly it shoud be

form-action: 'self'; reflected-xss block; referrer no-referrer;

Workaround:

http:
  csp:
    form-action: self
    reflected-xss: " block"
    referrer: " no-referrer"

Last edited by radas (2017-01-20 12:40)

David Grudl: Nette Core | 8218

+

0

-

I didn't found these directives even in CSP 1, CSP 2 or (working draft) CSP 3.

The “unquoted” directive is sandbox and it is currectly supported only as string:

http:
	csp:
		sandbox: "allow-forms allow-scripts"