the-djmaze/snappymail
1
1
Fork 0
mirror of https://github.com/the-djmaze/snappymail.git synced 2025-01-04 14:02:17 +08:00
Code Issues Projects Releases Packages Wiki Activity

Added Sec-Fetch security

Browse source
This commit is contained in:
djmaze 2021-07-13 20:42:58 +02:00
parent 9859bab9c3
commit 2a44aeaf07
2 changed files with 100 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
snappymail/v/0.0.0/app/handle.php
View file

@ -28,6 +28,11 @@ if (!\defined('RAINLOOP_APP_LIBRARIES_PATH'))
if (\class_exists('RainLoop\Api')) if (\class_exists('RainLoop\Api'))
{ {
if (!\SnappyMail\HTTP\SecFetch::site('same-origin')
&& !\SnappyMail\HTTP\SecFetch::site('none')) {
exit('Invalid Sec-Fetch');
}
\MailSo\Base\Loader::Init(); \MailSo\Base\Loader::Init();
if (!empty($_ENV['RAINLOOP_INCLUDE_AS_API'])) if (!empty($_ENV['RAINLOOP_INCLUDE_AS_API']))

95
snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php Normal file
View file

@ -0,0 +1,95 @@
<?php
namespace SnappyMail\HTTP;
abstract class SecFetch
{
/**
* audio
* The destination is audio data. This might originate from an HTML <audio> tag.
* audioworklet
* The destination is data being fetched for use by an audio worklet. This might originate from a call to audioWorklet.addModule().
* document
* The destination is a document (HTML or XML), and the request is the result of a user-initiated top-level navigation (e.g. resulting from a user clicking a link).
* embed
* The destination is embedded content. This might originate from an HTML <embed> tag.
* empty
* The destination is the empty string. This is used for destinations that do not have their own value. For exmaple fetch(), navigator.sendBeacon(), EventSource, XMLHttpRequest, WebSocket, etc.
* font
* The destination is a font. This might originate from CSS @font-face.
* frame
* The destination is a frame. This might originate from an HTML <frame> tag.
* iframe
* The destination is an iframe. This might originate from an HTML <iframe> tag.
* image
* The destination is an image. This might originate from an HTML <image>, SVG <image>, CSS background-image, CSS cursor, CSS list-style-image, etc.
* manifest
* The destination is a manifest. This might originate from an HTML <link rel=manifest>).
* object
* The destination is an object. This might originate from an HTML <object> tag.
* paintworklet
* The destination is a paint worklet. This might originate from a call to CSS.PaintWorklet.addModule().
* report
* The destination is a report (for exmaple, a content security policy report).
* script
* The destination is a script. This might originate from an HTML <script> tag or a call to WorkerGlobalScope.importScripts().
* serviceworker
* The destination is a service worker. This might originate from a call to navigator.serviceWorker.register().
* sharedworker
* The destination is a shared worker. This might originate from a SharedWorker.
* style
* The destination is a style. This might originate from an HTML <link rel=stylesheet> or a CSS @import.
* track
* The destination is an HTML text track. This might originate from an HTML <track> tag.
* video
* The destination is video data. This might originate from an HTML <video> tag.
* worker
* The destination is a Worker.
* xslt
* The destination is an XLST transform.
*/
public static function dest(string $type) : bool
{
return $type == ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? '');
}
/**
* cors
* The request is a CORS protocol request.
* navigate
* The request is initiated by navigation between HTML documents.
* no-cors
* The request is a no-cors request.
* same-origin
* The request is made from the same origin as the resource that is being requested.
* websocket
* The request is being made to establish a WebSocket connection.
*/
public static function mode(string $type) : bool
{
return $type == ($_SERVER['HTTP_SEC_FETCH_MODE'] ?? '');
}
/**
* cross-site
* The request initiator and the server hosting the resource have a different
* site (i.e. a request by "potentially-evil.com" for a resource at "example.com").
* same-origin
* The request initiator and the server hosting the resource have the same origin (same scheme, host and port).
* same-site
* The request initiator and the server hosting the resource have the same scheme,
* domain and/or subdomain, but not necessarily the same port.
* none
* This request is a user-originated operation. For example: entering a URL into the address bar,
* opening a bookmark, or dragging-and-dropping a file into the browser window.
*/
public static function site(string $type) : bool
{
return $type == ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? 'none');
}
public static function user() : bool
{
return '?1' == ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
}
}