Nette Framework 2.4 (2018–09–18)

David Grudl
Nette Core | 8111
+27

Nette Framework 2.4 (2018–09–18) has just been released.

Note that dependencies in composer.json have been relaxed to ^2.4, so ZIP packages are now distinguished by build date instead of patch version. Hence this release is “2.4 2018–07–03”.

This summarizes the differences from release 2018–07–03.

This release should be fully compatible with PHP 7.3.0RC1.

SameSite protection

An important security feature is SameSite cookie support (in Czech).

Enhanced CSP support

Besides Content-Security-Policy you can define Content-Security-Policy-Report-Only and the new Feature-Policy headers:

http:
	cspReportOnly:
		report-uri: https://example.com/report
		script-src:
			- self
			- https://cdn.example.com

	featurePolicy:
		geolocation:
			- self
			- https://example.com
		camera: *

The syntax now allows you to use booleans:

http:
	csp:
		upgrade-insecure-requests: true
		block-all-mixed-content: false

Secured (HTTPS) cookies

Secure cookies are a type of cookie that is transmitted over encrypted HTTP connections. The flag instructs the browser that the cookie should only be returned to the application over encrypted connections.

Now you can use the option auto, which sends the cookie as secured when HTTPS is used and vice versa:

session:
	cookieSecure: auto

http:
	cookieSecure: auto

DI

  • ContainerBuilder::resolveImplement supports polymorphism (nette/di#175)
  • Helpers::expand() supports %dynamic.item% for dynamic parameters

For the details you can have a look at the diff.

Forms

  • BaseControl: added ability to multiple forms with different HTML ID nette/forms#188
  • add Form::PATTERN_ICASE as a case-insensitive variant of Form::PATTERN; fixes nette/forms#185 (nette/forms#187)
  • netteForms: uses Unicode RegExp if it is supported
  • netteForms.js: support checking file name via pattern rule using HTML5 File API (nette/forms#186)

For the details you can have a look at the diff.

Http

  • Request, HttpExtension: added sameSite protection
  • Session: added support for SameSite cookie
  • Response::setCookie() supports SameSite
  • SessionExtension: cookieSecure can be ‘auto’
  • Response: removed removeDuplicateCookies() nette/http#139
  • HttpExtension: added option cookieSecure; allowed values are: true, false, auto
  • HttpExtension: allows bools in CSP policy
  • HttpExtension: fixed quoting in sections require-sri-for & sandbox nette/http#143
  • HttpExtension: added Feature-Policy header nette/http#142
  • HttpExtension: renamed csp-report to cspReportOnly (BC break)
  • fixed compatibility with PHP 7.3

For the details you can have a look at the diff.

Utils

  • Callback: removes HTML from error message nette/mail#54
  • Callback: fixed bug in is_callable($object, true) nette/utils#176
  • Reflection: token_get_all() uses flag TOKEN_PARSE
  • FileSystem: better error messages

For the details you can have a look at the diff.
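
To make the config-to-header mapping from the "Enhanced CSP support" section of the post above concrete, the following is an added example (not code from the post or from Nette itself) that models how such policy arrays can be rendered into header values, including the boolean syntax. The function name `renderPolicy`, the quoting rules, and the list of unquoted directives are assumptions of this example.

```php
<?php
// Added illustration, not Nette's own code: models how policy arrays from the
// http: section could become header values. Quoting rules here are assumptions.

function renderPolicy(array $policy): string
{
	// Directives whose values are plain tokens and are never quoted (assumed list).
	$plainTokens = ['require-sri-for' => true, 'sandbox' => true];
	$parts = [];
	foreach ($policy as $directive => $sources) {
		if ($sources === false) {
			continue; // false: the directive is left out of the header
		}
		// true: bare directive with no source list; scalar: single-item list
		$items = $sources === true ? [] : (array) $sources;
		$items = array_map(function ($item) use ($directive, $plainTokens) {
			// Bare keywords (self, none, unsafe-inline) need single quotes in the header.
			$isKeyword = preg_match('#^[a-z-]+\z#', (string) $item) === 1;
			return $isKeyword && !isset($plainTokens[$directive]) ? "'$item'" : (string) $item;
		}, $items);
		$parts[] = trim($directive . ' ' . implode(' ', $items));
	}
	return implode('; ', $parts);
}

// Constructed sample: the NEON from the post expressed as PHP arrays.
$config = [
	'cspReportOnly' => [
		'report-uri' => 'https://example.com/report',
		'script-src' => ['self', 'https://cdn.example.com'],
	],
	'csp' => [
		'upgrade-insecure-requests' => true,
		'block-all-mixed-content' => false,
	],
	'featurePolicy' => [
		'geolocation' => ['self', 'https://example.com'],
		'camera' => '*',
	],
];

echo 'Content-Security-Policy-Report-Only: ', renderPolicy($config['cspReportOnly']), "\n";
echo 'Content-Security-Policy: ', renderPolicy($config['csp']), "\n";
echo 'Feature-Policy: ', renderPolicy($config['featurePolicy']), "\n";
```

Comparing the printed values with the response headers your application actually sends is a quick check that a policy was not silently dropped after the `csp-report` to `cspReportOnly` rename.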

uestla
Backer | 796
+3

Thank you for these great new security features, fixes, enhancements and your work altogether! :-)

MajklNajt
Member | 471
+2

Hello @DavidGrudl, you have a broken link in the Utils diff. The current one is https://github.com/…5.2...v2.5.3 but the correct one should likely be https://github.com/…5.2...v2.5.3