Nette Framework 2.4 (2017-01-19)

2 years ago

David Grudl
Nette Core | 6828

Nette Framework 2.4 (2017-01-19) has just been released.

This summarizes the differences from the 2016-12-21 release.

Support for CSP & nonce

Added support for Content-Security-Policy & nonce. Can I use nonce? Yes, you can!

Usage in template:

<script n:nonce src="/jquery.js"></script>

<script n:nonce>
...
</script>

and config:

http:
    csp:
        script-src: nonce
        frame-ancestors: none
        form-action: self
        style-src:
            - self
            - https://cdn.example.com

So as not to cut off browsers that support only CSP 1, we should add a fallback for scripts:

http:
    csp:
        script-src: [
            nonce                 # for browsers that support CSP2
            self, unsafe-inline   # for browsers that support CSP1
        ]

Tracy works with nonce automatically.

Related reading:

Application

  • UIMacros: added n:nonce

For the details you can have a look at the diff.

Latte

  • Filters: added |padLeft & |padRight
  • FileLoader::normalizePath() does not forget leading ../ nette/latte#138 nette/latte#139
  • BlockMacros: removed deprecation warning for {includeblock}, it is deprecated silently
  • BlockMacros: dynamic blocks with content-types html & htmlattr are compatible nette/latte#146
  • BlockMacros: implemented modifiers for dynamic blocks
  • RegexpException: added PREG_JIT_STACKLIMIT_ERROR
  • CoreMacros: {status} uses http_response_code() related to nette/http#113

For the details you can have a look at the diff.

DI

  • PhpGenerator: generates native return type hints
  • Compiler: added option ‘alteration’
  • ContainerBuilder: getDefinitionByType() method added nette/di#130 (nette/di#137)
  • ContainerBuilder::literal() can have arguments
  • Compiler: fixed notice when overwriting service
  • uses Nette\Utils\Reflection::getParameterDefaultValue() to prevent a Fatal Error when an invalid constant is used
  • compatibility with nette/php-generator v3
  • ContainerBuilder: support for nullable types in generated factories nette/di#132
  • DependencyChecker: fixed serialization of returnType, supports nullable types
  • Config\Loader: allow absolute paths in includes section (nette/di#131)
  • IniAdapter, NeonAdapter: process() is public nette/di#134
  • @return self → static

For the details you can have a look at the diff.

Http

  • HttpExtension: added option ‘csp’ for Content-Security-Policy
  • Response::setCode() added $reason
  • HttpExtension: sends headers via Http\Response

For the details you can have a look at the diff.

Neon

For the details you can have a look at the diff.

PhpGenerator (v2.5)

  • added Factory
  • Method, Parameter: added support for PHP 7.1 nullable types
  • Parameter::from() prevents fatal error when default value is not resolvable
  • ClassType: improved rendering of anonymous classes
  • add Constant; class constants can have declared visibility and comment
  • refactoring: extracted base class Member for properties, methods and constants
  • Method::from() sets visibility ‘public’
  • Parameters: added hasDefaultValue() as replacement of isOptional()
  • deprecated Parameter::from() and Property::from()

Reflection

  • AnnotationsParser: earlier $useReflection initialization
  • AnnotationsParser: fixed expanding to FQCN in bracketed namespace
  • AnnotationParser: supports PHP 7 group use statements (nette/di#125)

For the details you can have a look at the diff.

RobotLoader

  • added setTempDirectory(), which should be used instead of setCacheStorage()
  • presence of cacheStorage is checked only in register(), not in rebuild()

For the details you can have a look at the diff.

Utils

For the details you can have a look at the diff.

Tracy

  • added support for Content Security Policy script-src: ‘nonce-…’ nette/tracy#136
  • bar.js: avoid multiple init for bar links nette/tracy#239
  • bar.css: resets some other CSS properties and :before and :after (nette/tracy#240)
  • bar: showing/hiding of panel is done via CSS classes
  • TracyExtension: fixed compatibility with nette/di
  • bar.js: evalScripts() uses createElement(‘script’) instead of eval()
  • bar.js: monkey patching getResponseHeader() & getAllResponseHeaders() replaced with addEventListener()

For the details you can have a look at the diff.

2 years ago

mrtnzlml
Member | 143

Thanks for the release. Just a quick question – what is alteration for in Nette/DI?

2 years ago

David Grudl
Nette Core | 6828

When you modify an existing service (for example cache.storage or application.application), you can now add the flag alteration to ensure that this service really exists, i.e. that you are really modifying an existing service and not creating a new one, as a prevention against typos in service names.

services:
    cache.storage:
        factory: DifferentClass
        alteration: yes

If the service cache.storage doesn't exist, an exception is thrown.

2 years ago

radas
Member | 210

How to set CSP directives reflected-xss or referrer, whose values cannot be enclosed in quotes?

CSP Evaluator

config.neon:

http:
  csp:
    form-action: self
    reflected-xss: block
    referrer: no-referrer

produces

form-action: 'self'; reflected-xss 'block'; referrer 'no-referrer';

Correctly it should be

form-action: 'self'; reflected-xss block; referrer no-referrer;

Workaround:

http:
  csp:
    form-action: self
    reflected-xss: " block"
    referrer: " no-referrer"

Last edited by radas (2017-01-20 12:40)

2 years ago

David Grudl
Nette Core | 6828

I didn't find these directives even in CSP 1, CSP 2 or (working draft) CSP 3.

The "unquoted" directive is sandbox and it is currently supported only as a string:

http:
    csp:
        sandbox: "allow-forms allow-scripts"
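The two points raised in this thread, the nonce-plus-CSP1 fallback from the release notes and the quoting question about sandbox and the draft reflected-xss/referrer directives, come down to one rule: keyword sources ('self', 'none', 'unsafe-inline', 'nonce-…', 'sha256-…') must be single-quoted, while host sources and the token values of sandbox-style directives must not be. The following is an added example, not Nette's own HttpExtension or Http\Response code: a hypothetical CspHeaderBuilder class that applies that rule to a NEON-like array, generates a fresh per-response nonce, and a renderScriptTag() helper standing in for Latte's n:nonce. The sample config is constructed to mirror the thread; it needs PHP 7.1 or newer.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (example code, not part of Nette): builds a
// Content-Security-Policy header value from a NEON-like array and decides
// per token whether CSP requires single quotes around it.
final class CspHeaderBuilder
{
    /** Keyword sources: the spec requires these in single quotes. */
    private const QUOTED_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];

    /**
     * Directives whose values are bare tokens and must not be quoted. sandbox is
     * the one the thread names; reflected-xss and referrer existed only in drafts
     * and are listed here only so the thread's example renders as radas expected.
     */
    private const TOKEN_DIRECTIVES = ['sandbox', 'reflected-xss', 'referrer'];

    /** @var string per-response nonce, shared by the header and every n:nonce tag */
    private $nonce;

    public function __construct(?string $nonce = null)
    {
        // 128 bits of CSPRNG output, base64-encoded as the spec requires for nonces
        $this->nonce = $nonce ?? base64_encode(random_bytes(16));
    }

    public function getNonce(): string
    {
        return $this->nonce;
    }

    /**
     * @param array<string, string|string[]> $config  directive => value or list of values
     */
    public function build(array $config): string
    {
        $parts = [];
        foreach ($config as $directive => $values) {
            $tokens = [];
            foreach ((array) $values as $value) {
                // one list item may carry several sources, e.g. "self, unsafe-inline"
                foreach (preg_split('/[\s,]+/', trim((string) $value), -1, PREG_SPLIT_NO_EMPTY) as $token) {
                    $tokens[] = $this->formatToken($directive, $token);
                }
            }
            $parts[] = rtrim($directive . ' ' . implode(' ', $tokens)); // a bare "sandbox" is legal
        }
        return implode('; ', $parts);
    }

    private function formatToken(string $directive, string $token): string
    {
        if (in_array($directive, self::TOKEN_DIRECTIVES, true)) {
            return $token;                          // sandbox allow-forms, referrer no-referrer
        }
        if ($token === 'nonce') {
            return "'nonce-{$this->nonce}'";         // config keyword expands to this response's nonce
        }
        if (in_array($token, self::QUOTED_KEYWORDS, true)
            || preg_match('~^(nonce|sha256|sha384|sha512)-~', $token)) {
            return "'" . $token . "'";
        }
        return $token;                              // host or scheme source, e.g. https://cdn.example.com
    }
}

// Stand-in for Latte's n:nonce: the attribute must carry exactly the value sent in the header.
function renderScriptTag(string $nonce, string $js): string
{
    return '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES) . '">' . $js . '</script>';
}

// Constructed sample config mirroring the thread; the values come from configuration, never from the request.
$csp = new CspHeaderBuilder();
$policy = $csp->build([
    'script-src'      => ['nonce', 'self, unsafe-inline'],   // nonce for CSP2, fallback for CSP1
    'frame-ancestors' => 'none',
    'form-action'     => 'self',
    'style-src'       => ['self', 'https://cdn.example.com'],
    'sandbox'         => 'allow-forms allow-scripts',
    'referrer'        => 'no-referrer',
]);
header('Content-Security-Policy: ' . $policy);
echo $policy, "\n";
echo renderScriptTag($csp->getNonce(), 'console.log("inline script allowed by nonce");'), "\n";
```

The combined script-src is safe for both browser generations because a CSP 2 browser ignores 'unsafe-inline' as soon as a nonce or hash source is present, while a CSP 1 browser does not understand the nonce and falls back to 'self' 'unsafe-inline'. The nonce must be generated once per response and the same value written into the header and into every script tag; reusing a nonce across responses, or deriving it from anything an attacker can influence, defeats the point of the directive.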