mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Different Sec-Fetch approach
This commit is contained in:
parent
d5f0b1d06c
commit
18b3bdc4fc
2 changed files with 12 additions and 21 deletions
|
|
@ -28,9 +28,8 @@ if (!\defined('RAINLOOP_APP_LIBRARIES_PATH'))
|
||||||
|
|
||||||
if (\class_exists('RainLoop\Api'))
|
if (\class_exists('RainLoop\Api'))
|
||||||
{
|
{
|
||||||
if (!\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
|
if (!\SnappyMail\HTTP\SecFetch::isEntering() && !\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
|
||||||
\http_response_code(403);
|
\MailSo\Base\Http::StatusHeader(403);
|
||||||
\header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden', true, 403);
|
|
||||||
exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? ''));
|
exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? ''));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -93,30 +93,22 @@ abstract class SecFetch
|
||||||
return '?1' === ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
|
return '?1' === ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function isSameOrigin() : bool
|
public static function isEntering() : bool
|
||||||
{
|
{
|
||||||
if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) {
|
if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (static::user()) {
|
return static::user()
|
||||||
return static::dest('document')
|
&& static::dest('document')
|
||||||
&& static::mode('navigate')
|
&& static::mode('navigate')
|
||||||
&& 'GET' === $_SERVER['REQUEST_METHOD'];
|
&& 'GET' === $_SERVER['REQUEST_METHOD'];
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
public static function isSameOrigin() : bool
|
||||||
<script>
|
{
|
||||||
sec-fetch-dest: script
|
return !isset($_SERVER['HTTP_SEC_FETCH_SITE'])
|
||||||
sec-fetch-mode: no-cors
|
|| 'same-origin' === $_SERVER['HTTP_SEC_FETCH_SITE'];
|
||||||
window.Fetch
|
|
||||||
sec-fetch-dest: empty
|
|
||||||
sec-fetch-mode: same-origin
|
|
||||||
reload:
|
|
||||||
sec-fetch-dest: document
|
|
||||||
sec-fetch-mode: navigate
|
|
||||||
*/
|
|
||||||
return 'same-origin' === $_SERVER['HTTP_SEC_FETCH_SITE'];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue