News in Nette Http 3.1
The news in Nette Http version 3.1 mainly concerns current browser development in relation to cookies. Current browsers finally handle the SameSite flag without bugs, so Nette sends it automatically.
So Nette now sends all cookies (including the session id) by default:
- with the SameSite=Lax flag
- with the Secure flag if the server uses HTTPS
A cookie carrying the Lax flag does not necessarily have to be sent when the request comes from another origin.
You can also reconfigure the default values of cookiePath and cookieDomain. The cookieDomain option determines which domains (origins) can accept cookies. If it is not specified, the cookie is accepted only by the same (sub)domain that set it, excluding its subdomains. If cookieDomain is specified, subdomains are included as well, so specifying cookieDomain is less restrictive than leaving it unset.
For example, if cookieDomain: nette.org is set, the cookie is also available on all subdomains such as doc.nette.org. This can also be achieved with the special value
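The cookie scoping rules above can be checked with a small model. This is an added example in Python, not code from Nette: build_set_cookie() assembles a Set-Cookie header with the defaults the post describes (SameSite=Lax always, Secure only on HTTPS, a Domain attribute only when cookieDomain is configured), and cookie_applies() decides whether a cookie set by one host is sent to another host under the host-only versus Domain rules. The function names, the example hosts and the cookie values are constructed for the illustration.

```python
from typing import Optional


def build_set_cookie(name: str, value: str, https: bool,
                     cookie_domain: Optional[str] = None,
                     cookie_path: str = "/") -> str:
    """Assemble a Set-Cookie header following the defaults described above:
    SameSite=Lax is always present, Secure only when the request came over
    HTTPS, and Domain only when cookieDomain is configured (otherwise the
    cookie stays host-only)."""
    attrs = [f"{name}={value}", f"Path={cookie_path}"]
    if cookie_domain:
        attrs.append(f"Domain={cookie_domain}")
    if https:
        attrs.append("Secure")
    attrs.append("SameSite=Lax")
    return "; ".join(attrs)


def cookie_applies(set_by_host: str, request_host: str,
                   cookie_domain: Optional[str] = None) -> bool:
    """A host-only cookie (no Domain attribute) is sent only to the exact host
    that set it. With a Domain attribute the cookie is sent to that domain and
    all of its subdomains; the dot boundary prevents a lookalike such as
    evilnette.org from matching nette.org."""
    set_by_host = set_by_host.lower()
    request_host = request_host.lower()
    if not cookie_domain:
        return request_host == set_by_host
    domain = cookie_domain.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


if __name__ == "__main__":
    # Constructed scenario: a cookie set by nette.org, read from doc.nette.org.
    print(build_set_cookie("_nss", "token", https=True, cookie_domain="nette.org"))
    print(cookie_applies("nette.org", "doc.nette.org"))              # host-only: False
    print(cookie_applies("nette.org", "doc.nette.org", "nette.org"))  # Domain set: True
```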
The option session › cookieSecure is deprecated because its value is taken from the more general http › cookieSecure.
Nette\Http\FileUpload::getName() has been renamed to getUntrustedName() so that the programmer keeps in mind that data coming from the user, which includes the name of the uploaded file, cannot be trusted. Of course, the original name still works as
The name of the automatically sent cookie used for CSRF attack detection has been changed from the original nette-samesite to the shorter _nss, so that the cookie name does not reveal the framework in use.
normalize IDN domains.
A new method has been added to ensure that the response is downloaded via the Save As dialog box under the specified name. It does not send any file itself to