Sec-Fetch improvements

Also see issue #99
This commit is contained in:
djmaze 2021-07-14 10:10:24 +02:00
parent 0251c583b9
commit e73e81664f
2 changed files with 33 additions and 5 deletions

View file

@ -28,9 +28,10 @@ if (!\defined('RAINLOOP_APP_LIBRARIES_PATH'))
if (\class_exists('RainLoop\Api')) if (\class_exists('RainLoop\Api'))
{ {
if (!\SnappyMail\HTTP\SecFetch::site('same-origin') if (!\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
&& !\SnappyMail\HTTP\SecFetch::site('none')) { \http_response_code(403);
exit('Invalid Sec-Fetch'); \header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden', true, 403);
exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? ''));
} }
\MailSo\Base\Loader::Init(); \MailSo\Base\Loader::Init();

View file

@ -50,7 +50,7 @@ abstract class SecFetch
*/ */
public static function dest(string $type) : bool public static function dest(string $type) : bool
{ {
return $type == ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? ''); return $type == ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? 'document');
} }
/** /**
@ -67,7 +67,7 @@ abstract class SecFetch
*/ */
public static function mode(string $type) : bool public static function mode(string $type) : bool
{ {
return $type == ($_SERVER['HTTP_SEC_FETCH_MODE'] ?? ''); return $type == ($_SERVER['HTTP_SEC_FETCH_MODE'] ?? 'navigate');
} }
/** /**
@ -92,4 +92,31 @@ abstract class SecFetch
{ {
return '?1' == ($_SERVER['HTTP_SEC_FETCH_USER'] ?? ''); return '?1' == ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
} }
public static function isSameOrigin() : bool
{
if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) {
return true;
}
if ('none' == $_SERVER['HTTP_SEC_FETCH_SITE']) {
// sec-fetch-dest: document
// sec-fetch-mode: navigate
return static::user();
}
/**
<script>
sec-fetch-dest: script
sec-fetch-mode: no-cors
window.Fetch
sec-fetch-dest: empty
sec-fetch-mode: same-origin
reload:
sec-fetch-dest: document
sec-fetch-mode: navigate
*/
return 'same-origin' == $_SERVER['HTTP_SEC_FETCH_SITE'];
}
} }