Skip to content

Vaadin Flow 25.2.0-beta2

Pre-release
Pre-release

Choose a tag to compare

View all tags
@vaadin-bot vaadin-bot released this 12 Jun 10:43
· 7 commits to 25.2 since this release
25.2.0-beta2
f4263f7
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Changes since 25.2.0-beta1

All changes

Breaking changes

  • NativeLabel.setFor() lazily resolves and auto-generates IDs (#24425) (CP: 25.2)
    Commit · Pull request

    setFor(Component) now resolves the component's ID lazily at sync time instead of requiring it immediately, generating one automatically if still missing. Developers no longer need to manually assign IDs when using setFor().

New features

  • Validate URL schemes in Anchor, IFrame and Page#open (#24539) (CP: 25.2)
    Commit · Pull request

    Reintroduces URL-scheme validation for link and navigation sinks using application-wide configuration plus a per-instance opt-out. Safe schemes default to http, https, mailto, tel and ftp, rejecting script-capable schemes such as javascript and data; each sink offers an unsafe variant (setUnsafeHref, setUnsafeSrc, openUnsafe) for trusted hard-coded URLs.

  • Set X-Frame-Options header by default (#24525) (CP: 25.2)
    Commit · Pull request

    Sends the X-Frame-Options response header with a default of SAMEORIGIN so browsers opt in to clickjacking protection out of the box. The value is configurable through the new frameOptions init parameter, and an empty value disables the header for apps meant to be embedded in a frame.

  • Add Safelist overloads to Html component (#24528) (CP: 25.2)
    Commit · Pull request

    Adds Safelist overloads to the Html component.

  • Add UI.triggerAfter for deferred server-side callbacks (#24538) (CP: 25.2)
    Commit · Pull request

    Adds UI.triggerAfter(Duration, SerializableRunnable), which runs a task on the server once the given delay has elapsed. The delay is measured by the browser via a one-shot client timer that makes a normal round trip when it elapses, so a deferred event can be handled without enabling push, and removing the returned Registration clears the timer so a cancelled task does not run.

  • Add route hierarchy with dynamic titles (#24550) (CP: 25.2)
    Commit · Pull request

    Introduces an instance-free mechanism for resolving page titles and logical route hierarchies, enabling dynamic titles and hierarchical navigation aids like breadcrumbs and menus without instantiating navigation targets. Adds the @DynamicPageTitle and @RouteParent annotations, the PageTitleGenerator interface, and RouteConfiguration methods to resolve a route's parent and hierarchy statelessly.

  • Add Clipboard.onFilePaste for server-side file paste handling (#24485) (CP: 25.2)
    Commit · Pull request

    Pastes carrying files flow through the supplied UploadHandler as one fetch POST per file, with X-Paste-Id and X-Paste-File-Count headers so handlers can correlate the parallel uploads of one paste. PasteFileHandler offers an inMemory(consumer) flavour delivering each file as a PasteFile and a session() flavour with onStart/onFile/onComplete, and onFilePaste is independent of onPaste.

  • Add Clipboard.onPaste for server-side paste handling (#24483) (CP: 25.2)
    Commit · Pull request

    Adds Clipboard.onPaste(Component, listener), with a PasteOptions overload, that forwards the browser's native paste event to a server-side listener as a PasteEvent carrying text/plain, text/html, the source Component, and the closest Flow-tracked target Element. The listener fires for pastes targeting the given component or its descendants, with default options that filter out pastes on input fields client-side.

  • Public read API on ClipboardBinding (#24480) (CP: 25.2)
    Commit · Pull request

    Clipboard.onClick(button).read(onPayload, onError), and the readText/readHtml convenience variants, make the read side reachable from the same binding entry point as the write side. ClipboardPayload moves out of trigger.internal into the public clipboard package so it can appear in the read method signatures without leaking an internal type.

  • Add image/png to the Clipboard write API (#24470) (CP: 25.2)
    Commit · Pull request

    Lets an app copy an image to the system clipboard as image/png on a trigger, alongside the existing text/plain and text/html slots. Two image sources are supported, an <img>-rooted component already on the page or a DownloadHandler that serves bytes from the server, and both image-only and multi-format writes are supported.

  • DownloadAction for the action trigger framework (#24432) (CP: 25.2)
    Commit · Pull request

    Introduces a server-side action for triggering browser downloads from static URLs, server-generated streams, or client-resolved values, with optional filename suggestions. The client-side support synthesizes and clicks an anchor element, exposed under window.Vaadin.Flow.download.start.

  • OpenInNewTabAction for the action trigger framework (#24431) (CP: 25.2)
    Commit · Pull request

    Introduces OpenInNewTabAction for opening URLs in a new browser tab or window in response to user actions, with configurable popup features. Dangerous javascript: URLs are blocked both server-side and client-side.

  • Screen Wake Lock API on Page (#24324) (CP: 25.2)
    Commit · Pull request

    Adds a per-UI WakeLock facade reached through Page#getWakeLock(), exposing request(), release(), and an active-state Signal, matching the PageVisibility and Geolocation conventions. The client transparently re-acquires the lock on visibilitychange so a single request() covers the lifetime of a view.

  • SizeTrigger + ElementResize.ts — trigger that fires on element resize (#24437) (CP: 25.2)
    Commit · Pull request

    Adds a SizeTrigger that wires the browser's ResizeObserver into the trigger framework, exposing width(), height() and size() inputs. Combined with SetSignalAction this provides a purely server-side equivalent of an Element.sizeSignal() facade.

  • Add Fullscreen API wrapping the browser Fullscreen API (#24326) (CP: 25.2)
    Commit · Pull request

    Introduces a cross-platform Fullscreen API with both client-side and server-side support for entering, exiting, and observing fullscreen state for the whole page or a single component. Adds the Fullscreen entry point, the FullscreenBinding fluent binding, and the FullscreenState enum, plus per-UI server-side synchronization of fullscreen state.

  • CallbackAction + SetSignalAction — trigger actions for server-side callbacks (#24436) (CP: 25.2)
    Commit · Pull request

    CallbackAction forwards a value from a trigger's handler scope back to the server, decodes it as T, and hands it to a SerializableConsumer on the UI thread, bridging any client-side trigger into arbitrary server-side state. SetSignalAction is a thin named subclass for the common signal::set case.

  • SignalInput — read a server-side Signal at trigger fire time (#24428) (CP: 25.2)
    Commit · Pull request

    Adds SignalInput(Component owner, Signal signal), which mirrors the signal value to a uniquely-named JS property on the owner element so the input's rendered expression reads it at fire time. This lets actions such as CopyTextToClipboardAction use a server-side signal as their value source without first projecting it onto a DOM property.

  • Add virtual-aware component tree traversal helpers (#24408) (CP: 25.2)
    Commit · Pull request

    Adds ComponentUtil.getAllChildren and ComponentUtil.streamDescendants, which, unlike Component.getChildren, include components attached as virtual children such as slotted helpers, overlays, and the client-side routing wrapper. Tools needing a complete component tree no longer have to reach into internal APIs like VirtualChildrenList.

Fixes

  • Unpack prod bundle on Windows mapped network drives (#24560) (CP: 25.2)
    Commit · Pull request

    The Zip Slip guard in CompressUtil.newFile canonicalized the target dir and the not-yet-created entry separately, and on mapped/subst drives getCanonicalPath() returns inconsistent forms so legitimate entries were rejected. The destination is now canonicalized once and entries resolved lexically, checking containment with Path.startsWith.

  • Revert "fix: Add Url validation in Anchor and Page#open (#24371)" (#24502) (CP: 25.2)
    Commit · Pull request

    Reverts commit a35f9be, since a different approach is needed for configuration and more care is needed when changing behavior for old versions.

  • Add Url validation in Anchor and Page#open (#24371) (CP: 25.2)
    Commit · Pull request

    Adds URL validation in Anchor and Page#open.

  • Ios home screen app height (#24435) (CP: 25.2)
    Commit · Pull request

    Updates the bootstrap page so the app covers the entire viewport height on iOS when opened as a standalone/home screen app.

  • Avoid false infinite loop detection when cached signal self-updates
    Commit · Pull request · Issue

    When an effect reads a cached signal that recomputes a stale value and submits an update, the resulting change notification was incorrectly detected as an infinite loop. A ThreadLocal flag now marks read-triggered updates so loop detection is skipped during lazy evaluation while still catching real write loops.

Assets 2
Loading