Released version 3.0.2

• Session: added read_and_close configuration (#156)
• RequestFactory: respect host set by trusted proxy (#162)
• RequestFactory: set user and password to Url (#161)
• UrlImmutable: added withoutUserInfo()
• Url, UrlImmutable: includes "empty" hostname ('0') in the host URL (#159)(#158)
• added .phpstorm.meta.php

For the details you can have a look at the diff.

Released version 3.0.1

• DI extensions: are using configuration Schema
• simplified code
• Session: do not regenerate session ID when is newly created
• Session: security options can not be bypassed
• Session: $started changed from static to object property
• Session: $started replaced with checking session_status() for better cooperation with the session started outside nette nette/forms#214
• RequestFactory: added workaround [] in REMOTE_ADDR #152
• Revert "HttpExtension: uses interfaces IRequest & IResponse instead of Request & Response (BC break) #90"
• SessionExtension: accepts 'cookieSamesite = true'
• Revert "Session: by default uses sameSite: Lax (BC break)"
• HttpExtension: removed option 'sameSiteProtection', cookie 'nette-samesite' is always set
• Session: validates configuration option names
• SessionPanel: uses Tracy\Helpers::escapeHtml()

For the details you can have a look at the diff.

Released version 3.0.0 🎉

Features

• requires PHP 7.1
• uses declare(strict_types=1)
• uses PHP 7.1 scalar and return type hints
• added support for SameSite cookie
• Request, HttpExtension: added sameSite protection (enabled by default)
• Session: by default uses sameSite: Lax (BC break)
• Session: enabled PHP option use_strict_mode
• FileUpload: added IMAGE_MIME_TYPES
• FileUpload: Added Webp content type to isImage (#132)
• added UrlImmutable
• UrlScript: added getRelativePath() [Closes #45]

Changes

• UrlScript extends from UrlImmutable (BC break)
• Request: removed unused second parameter $query (BC break)
• IRequest, IResponse, Url: parameters $default are deprecated (BC break)
• HttpExtension: uses interfaces IRequest & IResponse instead of Request & Response (BC break) [Closes #90]
• some classes & members marked as final (BC break)
• HttpExtension: default value of secureCookie is auto (BC break)
• Session: default values for cookie_path, cookie_domain & cookie_secure are taken from Response
• Session::getCookieParameters() is deprecated
• Url::parseQuery() - correctly decodes spaces and dots in keys (BC break)
• Url: is not ignoring user & password (BC break) [Closes #63]
• RequestFactory: removed user & password from Url (BC break)
• Request::getReferer() returns UrlImmutable (BC break)

Released version 2.4.11

• Session: do not regenerate session ID when is newly created
• HttpExtension: option 'sameSiteProtection' does not change session cookie flag 'samesite'
• SessionExtension: added option handler to pass own SessionHandlerInterface (#146)

For the details you can have a look at the diff.

Released version 2.4.10

• Request, HttpExtension: added sameSite protection
• Session: added support for SameSite cookie
• Response::setCookie() supports SameSite
• SessionExtension: cookieSecure can be 'auto'
• Response: removed removeDuplicateCookies() #139
• HttpExtension: added option cookieSecure; allowed values are: true, false, auto
• HttpExtension: allows bools in CSP policy
• HttpExtension: fixed quotating in sections require-sri-for & sandbox #143
• HttpExtension: added Feature-Policy header #142
• HttpExtension: renamed csp-report to cspReportOnly (BC break)
• fixed compatibility with PHP 7.3

For the details you can have a look at the diff.

Released version 2.4.9

• SessionPanel: compatibility with Tracy 2.5
• coding style
• type fixes

For the details you can have a look at the diff.

Released version 2.4.8

• HttpExtension: allow setup CSP in restrictive and report mode at the same time #136 #135
• Session: don't call session_set_cookie_params() when values was not changed #134 #23
• Session: session id cookie is checked only if it was not regenerated #133 #129

For the details you can have a look at the diff.

Released version 2.4.7

• supports PHP up to 7.2
• FileUpload: uses FileSystem
• silenced each() deprecation notice in PHP 7.2

For the details you can have a look at the diff.

Released version 2.4.6

• coding style: fixes, lowercase true/false/null
• RequestFactory: when proxy is used and HTTP_X_FORWARDED_PORT is not available, uses default port #124
• RequestFactory: test that HTTP_X_FORWARDED_PROTO doesn't change the port
• typo
• RequestFactory: correctly ignores not-ip values in HTTP_X_FORWARDED_FOR & REMOTE_ADDR (#122)

For the details you can have a look at the diff.

Released version 2.4.5

• Session: configuration options are normalized in setOptions() instead of configure() #121
• SessionExtension: special value 'domain' in cookieDomain means whole domain
• Url: added getDomain()
• fixed phpDoc

For the details you can have a look at the diff.