removed samesite check using cookie (BC break)

dg · dg · commit 423ec3ddaf48 · 2026-02-09T17:28:20.000+01:00
diff --git a/src/Bridges/HttpDI/HttpExtension.php b/src/Bridges/HttpDI/HttpExtension.php
@@ -41,7 +41,7 @@ public function getConfigSchema(): Nette\Schema\Schema
 			'cookiePath' => Expect::string()->dynamic(),
 			'cookieDomain' => Expect::string()->dynamic(),
 			'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS
-			'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette
+			'disableNetteCookie' => Expect::bool(false)->deprecated(),
 		]);
 	}
 
@@ -140,13 +140,6 @@ private function sendHeaders(): void
 				$this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);
 			}
 		}
-
-		if (!$config->disableNetteCookie) {
-			$this->initialization->addBody(
-				'Nette\Http\Helpers::initCookie($this->getService(?), $response);',
-				[$this->prefix('request')],
-			);
-		}
 	}
 
 
diff --git a/src/Http/Helpers.php b/src/Http/Helpers.php
@@ -21,9 +21,6 @@ final class Helpers
 {
 	use Nette\StaticClass;
 
-	/** @internal */
-	public const StrictCookieName = '_nss';
-
 
 	/**
 	 * Returns HTTP valid date format.
@@ -51,10 +48,4 @@ public static function ipMatch(string $ip, string $mask): bool
 
 		return strncmp($ip, $mask, $size === '' ? $max : (int) $size) === 0;
 	}
-
-
-	public static function initCookie(IRequest $request, IResponse $response): void
-	{
-		$response->setCookie(self::StrictCookieName, '1', 0, '/', sameSite: IResponse::SameSiteStrict);
-	}
 }
diff --git a/src/Http/IRequest.php b/src/Http/IRequest.php
@@ -13,7 +13,6 @@
 /**
  * HTTP request provides access scheme for request sent via HTTP.
  * @method ?UrlImmutable getReferer() Returns referrer.
- * @method bool isSameSite() Is the request sent from the same origin?
  * @method bool isFrom(string|list<string>|null $site = null, string|list<string>|null $initiator = null)
  */
 interface IRequest
diff --git a/src/Http/Request.php b/src/Http/Request.php
@@ -232,13 +232,6 @@ public function isSecured(): bool
 	}
 
 
-	/** @deprecated use isFrom(['same-site', 'same-origin']) */
-	public function isSameSite(): bool
-	{
-		return isset($this->cookies[Helpers::StrictCookieName]);
-	}
-
-
 	/**
 	 * Checks whether Sec-Fetch headers match the expected values.
 	 * @param string|list<string>|null  $site
diff --git a/tests/Http.DI/HttpExtension.sameSiteProtection.disabled.phpt b/tests/Http.DI/HttpExtension.sameSiteProtection.disabled.phpt
diff --git a/tests/Http.DI/HttpExtension.sameSiteProtection.phpt b/tests/Http.DI/HttpExtension.sameSiteProtection.phpt

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ public function getConfigSchema(): Nette\Schema\Schema`
`41`	`41`	`'cookiePath' => Expect::string()->dynamic(),`
`42`	`42`	`'cookieDomain' => Expect::string()->dynamic(),`
`43`	`43`	`'cookieSecure' => Expect::anyOf('auto', null, true, false)->firstIsDefault()->dynamic(), // Whether the cookie is available only through HTTPS`
`44`		`- 'disableNetteCookie' => Expect::bool(false), // disables cookie use by Nette`
	`44`	`+ 'disableNetteCookie' => Expect::bool(false)->deprecated(),`
`45`	`45`	`]);`
`46`	`46`	`}`
`47`	`47`
`@@ -140,13 +140,6 @@ private function sendHeaders(): void`
`140`	`140`	`$this->initialization->addBody('$response->setHeader(?, ?);', [$key, $value]);`
`141`	`141`	`}`
`142`	`142`	`}`
`143`		`-`
`144`		`- if (!$config->disableNetteCookie) {`
`145`		`- $this->initialization->addBody(`
`146`		`- 'Nette\Http\Helpers::initCookie($this->getService(?), $response);',`
`147`		`- [$this->prefix('request')],`
`148`		`- );`
`149`		`- }`
`150`	`143`	`}`
`151`	`144`
`152`	`145`
Original file line number	Diff line number	Diff line change
`@@ -21,9 +21,6 @@ final class Helpers`
`21`	`21`	`{`
`22`	`22`	`use Nette\StaticClass;`
`23`	`23`
`24`		`- /** @internal */`
`25`		`- public const StrictCookieName = '_nss';`
`26`		`-`
`27`	`24`
`28`	`25`	`/**`
`29`	`26`	`* Returns HTTP valid date format.`
`@@ -51,10 +48,4 @@ public static function ipMatch(string $ip, string $mask): bool`
`51`	`48`
`52`	`49`	`return strncmp($ip, $mask, $size === '' ? $max : (int) $size) === 0;`
`53`	`50`	`}`
`54`		`-`
`55`		`-`
`56`		`- public static function initCookie(IRequest $request, IResponse $response): void`
`57`		`- {`
`58`		`- $response->setCookie(self::StrictCookieName, '1', 0, '/', sameSite: IResponse::SameSiteStrict);`
`59`		`- }`
`60`	`51`	`}`