News in Nette Http 3.1

10 days ago by David Grudl

The news in Nette Http version 3.1 mainly concerns recent browser development in relation to cookies. Current browsers finally handle the SameSite flag without bugs, so Nette now sends it automatically.

So Nette now sends all cookies (including the session ID) by default:

  • with the flag SameSite=Lax
  • with the flag Secure if the server uses HTTPS

You can also reconfigure the default values of cookiePath and cookieDomain. The cookieDomain option determines which domains (origins) can accept cookies. If it is not specified, the cookie is accepted only by the same (sub)domain that set it, excluding its subdomains. If cookieDomain is specified, subdomains are included as well. Specifying cookieDomain is therefore less restrictive than omitting it.

For example, if cookieDomain: is set, the cookie is also available on all subdomains like This can also be achieved with the special value domain, i.e. cookieDomain: domain.
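The difference between omitting cookieDomain and setting it comes from how browsers scope cookies (RFC 6265 domain matching). The following model is an added example, not code from Nette or from the original post; the hostnames are constructed samples and the public-suffix check that real browsers also apply is left out.

```javascript
// Added illustration of RFC 6265 cookie scoping; hostnames are constructed samples.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');

// RFC 6265 section 5.1.3: identical, or a suffix on a label boundary (never for IPs).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith('.' + domain);
}

// Model what the browser stores when `settingHost` sends Set-Cookie.
// domainAttr === null corresponds to leaving cookieDomain unset.
function storeCookie(settingHost, domainAttr) {
  if (domainAttr === null || domainAttr === '') {
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  // A host may only set cookies for itself or for a parent domain.
  if (!domainMatch(settingHost, domain)) return null; // cookie is rejected
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request to `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// List the hosts from `requestHosts` that would receive the cookie.
function scopeReport(settingHost, domainAttr, requestHosts) {
  const cookie = storeCookie(settingHost, domainAttr);
  return requestHosts.filter((h) => isSentTo(cookie, h));
}

const hosts = ['example.com', 'www.example.com', 'uploads.example.com', 'badexample.com'];
console.log('no Domain attribute:', scopeReport('example.com', null, hosts));
console.log('Domain=example.com: ', scopeReport('example.com', 'example.com', hosts));
```

With a Domain attribute the session cookie reaches every subdomain, so any less trusted application hosted on one of them sees it too.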

The session › cookieSecure option is deprecated because its value is taken from the more general http › cookieSecure.

More news

The method Nette\Http\FileUpload::getName() has been renamed to the more “deterrent” getUntrustedName(), so that the programmer keeps in mind that data from the user, which includes the name of the uploaded file, cannot be trusted. Of course, the original name still works as an alias.

The name of the automatically sent cookie for CSRF attack detection has been changed from the original nette-samesite to a shorter _nss so that the name of the framework is not obvious.

Methods Url::isEqual() and Url::canonicalize() normalize IDN domains.

A new method Nette\Http\Response::sendAsFile(string $fileName) has been added to ensure that the response is downloaded using the Save As dialog box with the specified name. It does not itself send any file to the output.

