Different Sec-Fetch approach

This commit is contained in:
djmaze 2021-07-14 12:51:34 +02:00
parent d5f0b1d06c
commit 18b3bdc4fc
2 changed files with 12 additions and 21 deletions

View file

@ -28,9 +28,8 @@ if (!\defined('RAINLOOP_APP_LIBRARIES_PATH'))
if (\class_exists('RainLoop\Api')) if (\class_exists('RainLoop\Api'))
{ {
if (!\SnappyMail\HTTP\SecFetch::isSameOrigin()) { if (!\SnappyMail\HTTP\SecFetch::isEntering() && !\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
\http_response_code(403); \MailSo\Base\Http::StatusHeader(403);
\header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden', true, 403);
exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? '')); exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? ''));
} }

View file

@ -93,30 +93,22 @@ abstract class SecFetch
return '?1' === ($_SERVER['HTTP_SEC_FETCH_USER'] ?? ''); return '?1' === ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
} }
public static function isSameOrigin() : bool public static function isEntering() : bool
{ {
if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) { if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) {
return true; return true;
} }
if (static::user()) { return static::user()
return static::dest('document') && static::dest('document')
&& static::mode('navigate') && static::mode('navigate')
&& 'GET' === $_SERVER['REQUEST_METHOD']; && 'GET' === $_SERVER['REQUEST_METHOD'];
} }
/** public static function isSameOrigin() : bool
<script> {
sec-fetch-dest: script return !isset($_SERVER['HTTP_SEC_FETCH_SITE'])
sec-fetch-mode: no-cors || 'same-origin' === $_SERVER['HTTP_SEC_FETCH_SITE'];
window.Fetch
sec-fetch-dest: empty
sec-fetch-mode: same-origin
reload:
sec-fetch-dest: document
sec-fetch-mode: navigate
*/
return 'same-origin' === $_SERVER['HTTP_SEC_FETCH_SITE'];
} }
} }