Different Sec-Fetch approach

2025-01-01 20:42:19 +08:00 · 2021-07-14 12:51:34 +02:00 · 2021-07-14 12:51:34 +02:00 · 18b3bdc4fc
commit 18b3bdc4fc
parent d5f0b1d06c
2 changed files with 12 additions and 21 deletions
--- a/snappymail/v/0.0.0/app/handle.php
+++ b/snappymail/v/0.0.0/app/handle.php
@ -28,9 +28,8 @@ if (!\defined('RAINLOOP_APP_LIBRARIES_PATH'))

 if (\class_exists('RainLoop\Api'))
 {
-	if (!\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
-		\http_response_code(403);
-		\header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden', true, 403);
+	if (!\SnappyMail\HTTP\SecFetch::isEntering() && !\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
+		\MailSo\Base\Http::StatusHeader(403);
 		exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? ''));
 	}

--- a/snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php
+++ b/snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php
@ -93,30 +93,22 @@ abstract class SecFetch
 		return '?1' === ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
 	}

-	public static function isSameOrigin() : bool
+	public static function isEntering() : bool
 	{
 		if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) {
 			return true;
 		}

-		if (static::user()) {
-			return static::dest('document')
-				&& static::mode('navigate')
-				&& 'GET' === $_SERVER['REQUEST_METHOD'];
-		}
+		return static::user()
+			&& static::dest('document')
+			&& static::mode('navigate')
+			&& 'GET' === $_SERVER['REQUEST_METHOD'];
+	}

-		/**
-			<script>
-				sec-fetch-dest: script
-				sec-fetch-mode: no-cors
-			window.Fetch
-				sec-fetch-dest: empty
-				sec-fetch-mode: same-origin
-			reload:
-				sec-fetch-dest: document
-				sec-fetch-mode: navigate
-		 */
-		return 'same-origin' === $_SERVER['HTTP_SEC_FETCH_SITE'];
+	public static function isSameOrigin() : bool
+	{
+		return !isset($_SERVER['HTTP_SEC_FETCH_SITE'])
+			|| 'same-origin' === $_SERVER['HTTP_SEC_FETCH_SITE'];
 	}

 }