http

• Session: do not regenerate session ID when is newly created
• HttpExtension: option 'sameSiteProtection' does not change session cookie flag 'samesite'
• SessionExtension: added option handler to pass own SessionHandlerInterface (#146)

For the details you can have a look at the diff.

Features

• requires PHP 7.1
• uses declare(strict_types=1)
• uses PHP 7.1 scalar and return type hints
• added support for SameSite cookie
• Request, HttpExtension: added sameSite protection (enabled by default)
• Session: by default uses sameSite: Lax (BC break)
• Session: enabled PHP option use_strict_mode
• FileUpload: added IMAGE_MIME_TYPES
• FileUpload: Added Webp content type to isImage (#132)
• added UrlImmutable
• UrlScript: added getRelativePath() [Closes #45]

Changes

• UrlScript extends from UrlImmutable (BC break)
• Request: removed unused second parameter $query (BC break)
• IRequest, IResponse, Url: parameters $default are deprecated (BC break)
• HttpExtension: uses interfaces IRequest & IResponse instead of Request & Response (BC break) [Closes #90]
• some classes & members marked as final (BC break)
• HttpExtension: default value of secureCookie is auto (BC break)
• Session: default values for cookie_path, cookie_domain & cookie_secure are taken from Response
• Session::getCookieParameters() is deprecated
• Url::parseQuery() - correctly decodes spaces and dots in keys (BC break)
• Url: is not ignoring user & password (BC break) [Closes #63]
• RequestFactory: removed user & password from Url (BC break)
• Request::getReferer() returns UrlImmutable (BC break)

• Request, HttpExtension: added sameSite protection
• Session: added support for SameSite cookie
• Response::setCookie() supports SameSite
• SessionExtension: cookieSecure can be 'auto'
• Response: removed removeDuplicateCookies() #139
• HttpExtension: added option cookieSecure; allowed values are: true, false, auto
• HttpExtension: allows bools in CSP policy
• HttpExtension: fixed quotating in sections require-sri-for & sandbox #143
• HttpExtension: added Feature-Policy header #142
• HttpExtension: renamed csp-report to cspReportOnly (BC break)
• fixed compatibility with PHP 7.3

For the details you can have a look at the diff.

• SessionPanel: compatibility with Tracy 2.5
• coding style
• type fixes

For the details you can have a look at the diff.

• HttpExtension: allow setup CSP in restrictive and report mode at the same time #136 #135
• Session: don't call session_set_cookie_params() when values was not changed #134 #23
• Session: session id cookie is checked only if it was not regenerated #133 #129

For the details you can have a look at the diff.

• supports PHP up to 7.2
• FileUpload: uses FileSystem
• silenced each() deprecation notice in PHP 7.2

For the details you can have a look at the diff.

• coding style: fixes, lowercase true/false/null
• RequestFactory: when proxy is used and HTTP_X_FORWARDED_PORT is not available, uses default port #124
• RequestFactory: test that HTTP_X_FORWARDED_PROTO doesn't change the port
• typo
• RequestFactory: correctly ignores not-ip values in HTTP_X_FORWARDED_FOR & REMOTE_ADDR (#122)

For the details you can have a look at the diff.

• Session: configuration options are normalized in setOptions() instead of configure() #121
• SessionExtension: special value 'domain' in cookieDomain means whole domain
• Url: added getDomain()
• fixed phpDoc

For the details you can have a look at the diff.

• Session: configuration options are normalized in setOptions() instead of configure() #121

For the details you can have a look at the diff.

• HttpExtension: added option 'csp' for Content-Security-Policy
• Response::setCode() added $reason
• HttpExtension: sends headers via Http\Response

For the details you can have a look at the diff.

• Http\Response::setCode produces valid HTTP header on nginx (#113)
• SessionSection::removeExpiration() fixed (#111)
• UrlScript: accept optional $scriptPath parameter in constructor (#109)
• UserStorage: removed BROWSER_CLOSED expiration reason #112
• @return self -> static

For the details you can have a look at the diff.

• Http\Response::setCode produces valid HTTP header on nginx and PHP >= 5.4(#113)
• @return self -> static
• SessionSection::removeExpiration() fixed (#111)
• RequestFactory: improved checking of $_FILES structure

For the details you can have a look at the diff.

• Session: removed cookie nette-browser and support for expiration 'until the browser is closed' (#103)
• UrlScript: default scriptPath is whole path to maintain same behavioral as the class Url (in method getBasePath, ...) #100
• RequestFactory: parse the "proto" part of "forwarded" header instead of the "scheme" part. (#106)
• IResponse: added missing HTTP response codes (#107)
• Session: make sure __NF is array (#108)
• Session::$options: removed null options

For the details you can have a look at the diff.

• FileUpload: added hasFile() (#97)
• Url::getHostUrl() doesn't return empty // #96
• Session: max session id length is 256 #105
• Session: used static access to $started (#104)
• FileUpload: missing variable #98
• RequestFactory: improved checking of $_FILES structure

For the details you can have a look at the diff.

• requires PHP 5.6
• Implemented RFC 7239 - "Forwarded HTTP Extension" (#94)
• Session: fixed error "Session object destruction failed" - update (#86)
• RequestFactory: removes absolute URI from $_SERVER['REQUEST_URI'](issue #91) (#93)
• RequestFactory: correctly detects scheme and port if the server is behind a trusted proxy #81 #4
• IRequest: added OPTIONS and PATCH method constant (#95)
• Response: do not send "Possible problem notice in CLI" #89
• Response::setExpiration() removes header Pragma
• RequestFactory: Fixed possible remoteAddr spoofing (issue #87)
• FileUpload::move() do not suppress system warnings #82
• HttpExtension, SessionExtension: added parameter $cliMode
• Url: implements JsonSerializable nette/latte#78
• HttpExtension: service http.context is deprecated
• Session: use better detection for started session
• uses Nette\SmartObject & StaticClass

For the details you can have a look at the diff.

• Session: removed duplicated warning about sent headers
• Response::setExpiration() removes header Pragma

For the details you can have a look at the diff.

• RequestFactory: Fixed possible remoteAddr spoofing (issue #87)
• removed rarely used @property phpDoc
• Fix FileUpload::move($dest) when low permission to chmod

For the details you can have a look at the diff.

• RequestFactory: Fixed possible remoteAddr spoofing (issue #87)
• SessionPanel: ob_start() is protected against flush when error occurs

For the details you can have a look at the diff.

• IRequest: added PATCH method constant
• Fix FileUpload::move($dest) when low permission to chmod
• removed rarely used @property phpDoc

For the details you can have a look at the diff.

• Session: session ID is not regenerated when not set
• travis: migrating to container-based infrastructure
• improved coding style

For the details you can have a look at the diff.