Nette Framework 2.4 (2018–09–18)
- David Grudl
- Nette Core | 8212
Nette Framework 2.4 (2018–09–18) has just been released.
Note that dependencies in composer.json have been relaxed to ^2.4, so ZIP packages are now distinguished by build date instead of patch version. Hence this release is “2.4 2018–07–03”.
This summarizes the differences from release 2018–07–03.
This release should be fully compatible with PHP 7.3.0RC1.
SameSite protection
An important security feature is SameSite cookie support (in Czech).
Enhanced CSP support
Besides Content-Security-Policy you can define Content-Security-Policy-Report-Only and the new Feature-Policy headers:
http:
    cspReportOnly:
        report-uri: https://example.com/report
        script-src:
            - self
            - https://cdn.example.com
    featurePolicy:
        geolocation:
            - self
            - https://example.com
        camera: *
The syntax now allows you to use booleans:
http:
    csp:
        upgrade-insecure-requests: true
        block-all-mixed-content: false
Secured (HTTPS) cookies
Secure cookies are a type of cookie that is transmitted over encrypted HTTP connections. The flag instructs the browser that the cookie should only be returned to the application over encrypted connections.
Now you can use the option auto, which sends the cookie as secured when HTTPS is used and vice versa:
session:
    cookieSecure: auto
http:
    cookieSecure: auto
DI
- ContainerBuilder::resolveImplement supports polymorphism (nette/di#175)
- Helpers::expand() supports %dynamic.item% for dynamic parameters
For the details you can have a look at the diff.
Forms
- BaseControl: added ability to multiple forms with different HTML ID nette/forms#188
- add Form::PATTERN_ICASE as a case-insensitive variant of Form::PATTERN; fixes nette/forms#185 (nette/forms#187)
- netteForms: uses Unicode RegExp if it is supported
- netteForms.js: support checking file name via pattern rule using HTML5 File API (nette/forms#186)
For the details you can have a look at the diff.
Http
- Request, HttpExtension: added sameSite protection
- Session: added support for SameSite cookie
- Response::setCookie() supports SameSite
- SessionExtension: cookieSecure can be ‘auto’
- Response: removed removeDuplicateCookies() nette/http#139
- HttpExtension: added option cookieSecure; allowed values are: true, false, auto
- HttpExtension: allows bools in CSP policy
- HttpExtension: fixed quoting in sections require-sri-for & sandbox nette/http#143
- HttpExtension: added Feature-Policy header nette/http#142
- HttpExtension: renamed csp-report to cspReportOnly (BC break)
- fixed compatibility with PHP 7.3
For the details you can have a look at the diff.
Utils
- Callback: removes HTML from error message nette/mail#54
- Callback: fixed bug in is_callable($object, true) nette/utils#176
- Reflection: token_get_all() uses flag TOKEN_PARSE
- FileSystem: better error messages
For the details you can have a look at the diff.
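An added example, not part of the original post and not Nette's own code: a minimal PHP sketch of how policy sections like the ones configured above can be serialized into header values, so you can compare them with what your server actually sends. The function name buildPolicy, the NON_QUOTED list and the keyword regex are assumptions made for illustration; leaving require-sri-for and sandbox values unquoted follows the changelog entry above.

```php
<?php
// Added illustration (not Nette's source): policy array -> header value.

// Assumption: directives whose values are plain tokens, never quoted keywords.
const NON_QUOTED = ['require-sri-for', 'sandbox'];

function buildPolicy(array $config): string
{
    $parts = [];
    foreach ($config as $directive => $values) {
        if ($values === false) {
            continue; // false: the directive is left out of the header
        }
        // true: a value-less directive; a scalar becomes a one-item list
        $values = $values === true ? [] : (array) $values;
        $items = [];
        foreach ($values as $item) {
            // Bare keywords (self, none, unsafe-inline) must be single-quoted;
            // URLs, schemes and * contain other characters and stay as written.
            $isKeyword = !in_array($directive, NON_QUOTED, true)
                && preg_match('#^[a-z-]+\z#', $item) === 1;
            $items[] = $isKeyword ? "'$item'" : $item;
        }
        $parts[] = trim($directive . ' ' . implode(' ', $items));
    }
    return implode('; ', $parts);
}

// Constructed sample input mirroring the three config sections in the post.
$csp = [
    'upgrade-insecure-requests' => true,
    'block-all-mixed-content' => false,
];
$cspReportOnly = [
    'report-uri' => 'https://example.com/report',
    'script-src' => ['self', 'https://cdn.example.com'],
];
$featurePolicy = [
    'geolocation' => ['self', 'https://example.com'],
    'camera' => '*',
];

echo 'Content-Security-Policy: ', buildPolicy($csp), "\n";
echo 'Content-Security-Policy-Report-Only: ', buildPolicy($cspReportOnly), "\n";
echo 'Feature-Policy: ', buildPolicy($featurePolicy), "\n";
```

The quoting step is the security-relevant part: an unquoted self in script-src is read by browsers as a host name rather than the 'self' keyword, so the policy would not allow what the configuration intends.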
- MajklNajt
- Member | 491
Hello @DavidGrudl, you have a broken link in the Utils diff. The current one is https://github.com/…5.2...v2.5.3 but the correct one should likely be https://github.com/…5.2...v2.5.3