21832799728

Committed 09 Feb 2026 04:17PM UTC coverage: 83.62% (-0.2%) from 83.772%

Build Type

push

github

Committed by

Commit Message

Request::isSameSite() is silently deprecated

Run Details

924 of 1105 relevant lines covered (83.62%)

0.84 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

71.43

/src/Bridges/HttpDI/HttpExtension.php

<?php

/**
 * This file is part of the Nette Framework (https://nette.org)
 * Copyright (c) 2004 David Grudl (https://davidgrudl.com)
 */

declare(strict_types=1);

namespace Nette\Bridges\HttpDI;

use Nette;
use Nette\Schema\Expect;
use function is_array, strval;


/**
 * HTTP extension for Nette DI.
 */
class HttpExtension extends Nette\DI\CompilerExtension
{
        public function __construct(
                private readonly bool $cliMode = false,
        ) {
        }


        public function getConfigSchema(): Nette\Schema\Schema
        {
                return Expect::structure([
                        'proxy' => Expect::anyOf(Expect::arrayOf('string'), Expect::string()->castTo('array'))->firstIsDefault()->dynamic(),
                        'forceHttps' => Expect::bool(false)->dynamic(),
                        'headers' => Expect::arrayOf('scalar|null')->default([
                                'X-Powered-By' => 'Nette Framework 3',
                                'Content-Type' => 'text/html; charset=utf-8',
                        ])->mergeDefaults(),
                        'frames' => Expect::anyOf(Expect::string(), Expect::bool(), null)->default('SAMEORIGIN'), // X-Frame-Options
                        'csp' => Expect::arrayOf('array|scalar|null'), // Content-Security-Policy
                        'cspReportOnly' => Expect::arrayOf('array|scalar|null'), // Content-Security-Policy-Report-Only
                        'featurePolicy' => Expect::arrayOf('array|scalar|null'), // Feature-Policy
                        'cookiePath' => Expect::string()->dynamic(),
                        'cookieDomain' => Expect::string()->dynamic(),
                        'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS
                        'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette
                ]);
        }


        public function loadConfiguration(): void
        {
                $builder = $this->getContainerBuilder();
                $config = $this->config;
                \assert($config instanceof \stdClass);

                $requestFactory = $builder->addDefinition($this->prefix('requestFactory'))
                        ->setFactory(Nette\Http\RequestFactory::class)
                        ->addSetup('setProxy', [$config->proxy]);

                if ($config->forceHttps) {
                        $requestFactory->addSetup('setForceHttps');
                }

                $request = $builder->addDefinition($this->prefix('request'))
                        ->setFactory('@Nette\Http\RequestFactory::fromGlobals');

                $response = $builder->addDefinition($this->prefix('response'))
                        ->setFactory(Nette\Http\Response::class);

                if ($config->cookiePath !== null) {
                        $response->addSetup('$cookiePath', [$config->cookiePath]);
                }

                if ($config->cookieDomain !== null) {
                        $value = $config->cookieDomain === 'domain'
                                ? $builder::literal('$this->getService(?)->getUrl()->getDomain(2)', [$request->getName()])
                                : $config->cookieDomain;
                        $response->addSetup('$cookieDomain', [$value]);
                }

                if ($config->cookieSecure !== null) {
                        $value = $config->cookieSecure === 'auto'
                                ? $builder::literal('$this->getService(?)->isSecured()', [$request->getName()])
                                : $config->cookieSecure;
                        $response->addSetup('$cookieSecure', [$value]);
                }

                if ($this->name === 'http') {
                        $builder->addAlias('nette.httpRequestFactory', $this->prefix('requestFactory'));
                        $builder->addAlias('httpRequest', $this->prefix('request'));
                        $builder->addAlias('httpResponse', $this->prefix('response'));
                }

                if (!$this->cliMode) {
                        $this->sendHeaders();
                }
        }


        private function sendHeaders(): void
        {
                $config = $this->config;
                \assert($config instanceof \stdClass);
                $headers = array_map(strval(...), $config->headers);

                if (isset($config->frames) && $config->frames !== true && !isset($headers['X-Frame-Options'])) {
                        $frames = $config->frames;
                        if ($frames === false) {
                                $frames = 'DENY';
                        } elseif (preg_match('#^https?:#', $frames)) {
                                $frames = "ALLOW-FROM $frames";
                        }

                        $headers['X-Frame-Options'] = $frames;
                }

                foreach (['csp', 'cspReportOnly'] as $key) {
                        if (empty($config->$key)) {
                                continue;
                        }

                        $value = self::buildPolicy($config->$key);
                        if (str_contains($value, "'nonce'")) {
                                $this->initialization->addBody('$cspNonce = base64_encode(random_bytes(16));');
                                $value = Nette\DI\ContainerBuilder::literal(
                                        'str_replace(?, ? . $cspNonce, ?)',
                                        ["'nonce", "'nonce-", $value],
                                );
                        }

                        $headers['Content-Security-Policy' . ($key === 'csp' ? '' : '-Report-Only')] = $value;
                }

                if (!empty($config->featurePolicy)) {
                        $headers['Feature-Policy'] = self::buildPolicy($config->featurePolicy);
                }

                $this->initialization->addBody('$response = $this->getService(?);', [$this->prefix('response')]);
                foreach ($headers as $key => $value) {
                        if ($value !== '') {
                                $this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);
                        }
                }

                if (!$config->disableNetteCookie) {
                        $this->initialization->addBody(
                                'Nette\Http\Helpers::initCookie($this->getService(?), $response);',
                                [$this->prefix('request')],
                        );
                }
        }


        /** @param array<string, list<mixed>|scalar|null>  $config */
        private static function buildPolicy(array $config): string
        {
                $nonQuoted = ['require-sri-for' => 1, 'sandbox' => 1];
                $value = '';
                foreach ($config as $type => $policy) {
                        if ($policy === false) {
                                continue;
                        }

                        $policy = $policy === true ? [] : (array) $policy;
                        $value .= $type;
                        foreach ($policy as $item) {
                                if (is_array($item)) {
                                        $item = key($item) . ':';
                                }

                                $value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+$#D', $item)
                                        ? " '$item'"
                                        : " $item";
                        }

                        $value .= '; ';
                }

                return $value;
        }
}

1	<?php
2
3	/**
4	* This file is part of the Nette Framework (https://nette.org)
5	* Copyright (c) 2004 David Grudl (https://davidgrudl.com)
6	*/
7
8	declare(strict_types=1);
9
10	namespace Nette\Bridges\HttpDI;
11
12	use Nette;
13	use Nette\Schema\Expect;
14	use function is_array, strval;
15
16
17	/**
18	* HTTP extension for Nette DI.
19	*/
20	class HttpExtension extends Nette\DI\CompilerExtension
21	{
22	public function __construct(	1✔
23	private readonly bool $cliMode = false,
24	) {
25	}	1✔
26
27
28	public function getConfigSchema(): Nette\Schema\Schema
29	{
30	return Expect::structure([	1✔
31	'proxy' => Expect::anyOf(Expect::arrayOf('string'), Expect::string()->castTo('array'))->firstIsDefault()->dynamic(),	1✔
32	'forceHttps' => Expect::bool(false)->dynamic(),	1✔
33	'headers' => Expect::arrayOf('scalar\|null')->default([	1✔
34	'X-Powered-By' => 'Nette Framework 3',	1✔
35	'Content-Type' => 'text/html; charset=utf-8',
36	])->mergeDefaults(),	1✔
37	'frames' => Expect::anyOf(Expect::string(), Expect::bool(), null)->default('SAMEORIGIN'), // X-Frame-Options	1✔
38	'csp' => Expect::arrayOf('array\|scalar\|null'), // Content-Security-Policy	1✔
39	'cspReportOnly' => Expect::arrayOf('array\|scalar\|null'), // Content-Security-Policy-Report-Only	1✔
40	'featurePolicy' => Expect::arrayOf('array\|scalar\|null'), // Feature-Policy	1✔
41	'cookiePath' => Expect::string()->dynamic(),	1✔
42	'cookieDomain' => Expect::string()->dynamic(),	1✔
43	'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS	1✔
44	'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette	1✔
45	]);
46	}
47
48
49	public function loadConfiguration(): void
50	{
51	$builder = $this->getContainerBuilder();	1✔
52	$config = $this->config;	1✔
53	\assert($config instanceof \stdClass);
54
55	$requestFactory = $builder->addDefinition($this->prefix('requestFactory'))	1✔
56	->setFactory(Nette\Http\RequestFactory::class)	1✔
57	->addSetup('setProxy', [$config->proxy]);	1✔
58
59	if ($config->forceHttps) {	1✔
60	$requestFactory->addSetup('setForceHttps');	×
61	}
62
63	$request = $builder->addDefinition($this->prefix('request'))	1✔
64	->setFactory('@Nette\Http\RequestFactory::fromGlobals');	1✔
65
66	$response = $builder->addDefinition($this->prefix('response'))	1✔
67	->setFactory(Nette\Http\Response::class);	1✔
68
69	if ($config->cookiePath !== null) {	1✔
70	$response->addSetup('$cookiePath', [$config->cookiePath]);	1✔
71	}
72
73	if ($config->cookieDomain !== null) {	1✔
74	$value = $config->cookieDomain === 'domain'	1✔
75	? $builder::literal('$this->getService(?)->getUrl()->getDomain(2)', [$request->getName()])	1✔
76	: $config->cookieDomain;	1✔
77	$response->addSetup('$cookieDomain', [$value]);	1✔
78	}
79
80	if ($config->cookieSecure !== null) {	1✔
81	$value = $config->cookieSecure === 'auto'	1✔
82	? $builder::literal('$this->getService(?)->isSecured()', [$request->getName()])	1✔
83	: $config->cookieSecure;	1✔
84	$response->addSetup('$cookieSecure', [$value]);	1✔
85	}
86
87	if ($this->name === 'http') {	1✔
88	$builder->addAlias('nette.httpRequestFactory', $this->prefix('requestFactory'));	1✔
89	$builder->addAlias('httpRequest', $this->prefix('request'));	1✔
90	$builder->addAlias('httpResponse', $this->prefix('response'));	1✔
91	}
92
93	if (!$this->cliMode) {	1✔
94	$this->sendHeaders();	1✔
95	}
96	}	1✔
97
98
99	private function sendHeaders(): void
100	{
101	$config = $this->config;	1✔
102	\assert($config instanceof \stdClass);
103	$headers = array_map(strval(...), $config->headers);	1✔
104
105	if (isset($config->frames) && $config->frames !== true && !isset($headers['X-Frame-Options'])) {	1✔
106	$frames = $config->frames;	1✔
107	if ($frames === false) {	1✔
108	$frames = 'DENY';	×
109	} elseif (preg_match('#^https?:#', $frames)) {	1✔
110	$frames = "ALLOW-FROM $frames";	×
111	}
112
113	$headers['X-Frame-Options'] = $frames;	1✔
114	}
115
116	foreach (['csp', 'cspReportOnly'] as $key) {	1✔
117	if (empty($config->$key)) {	1✔
118	continue;	1✔
119	}
120
121	$value = self::buildPolicy($config->$key);	×
122	if (str_contains($value, "'nonce'")) {	×
123	$this->initialization->addBody('$cspNonce = base64_encode(random_bytes(16));');	×
124	$value = Nette\DI\ContainerBuilder::literal(	×
125	'str_replace(?, ? . $cspNonce, ?)',	×
126	["'nonce", "'nonce-", $value],	×
127	);
128	}
129
130	$headers['Content-Security-Policy' . ($key === 'csp' ? '' : '-Report-Only')] = $value;	×
131	}
132
133	if (!empty($config->featurePolicy)) {	1✔
134	$headers['Feature-Policy'] = self::buildPolicy($config->featurePolicy);	×
135	}
136
137	$this->initialization->addBody('$response = $this->getService(?);', [$this->prefix('response')]);	1✔
138	foreach ($headers as $key => $value) {	1✔
139	if ($value !== '') {	1✔
140	$this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);	1✔
141	}
142	}
143
144	if (!$config->disableNetteCookie) {	1✔
145	$this->initialization->addBody(	1✔
146	'Nette\Http\Helpers::initCookie($this->getService(?), $response);',	1✔
147	[$this->prefix('request')],	1✔
148	);
149	}
150	}	1✔
151
152
153	/** @param array<string, list<mixed>\|scalar\|null> $config */
154	private static function buildPolicy(array $config): string
155	{
156	$nonQuoted = ['require-sri-for' => 1, 'sandbox' => 1];	×
157	$value = '';	×
158	foreach ($config as $type => $policy) {	×
159	if ($policy === false) {	×
160	continue;	×
161	}
162
163	$policy = $policy === true ? [] : (array) $policy;	×
164	$value .= $type;	×
165	foreach ($policy as $item) {	×
166	if (is_array($item)) {	×
167	$item = key($item) . ':';	×
168	}
169
170	$value .= !isset($nonQuoted[$type]) && preg_match('#^[a-z-]+$#D', $item)	×
171	? " '$item'"	×
172	: " $item";	×
173	}
174
175	$value .= '; ';	×
176	}
177
178	return $value;	×
179	}
180	}

nette / http / 21832799728

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous