Sec-Fetch improvements

Also see issue #99

snappymail/v/0.0.0/app/handle.php

@@ -28,9 +28,10 @@ if (!\defined('RAINLOOP_APP_LIBRARIES_PATH'))
 
 if (\class_exists('RainLoop\Api'))
 {
-	if (!\SnappyMail\HTTP\SecFetch::site('same-origin')
-	 && !\SnappyMail\HTTP\SecFetch::site('none')) {
-		 exit('Invalid Sec-Fetch');
+	if (!\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
+		\http_response_code(403);
+		\header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden', true, 403);
+		exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? ''));
 	}
 
 	\MailSo\Base\Loader::Init();

snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php

@@ -50,7 +50,7 @@ abstract class SecFetch
 	 */
 	public static function dest(string $type) : bool
 	{
-		return $type == ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? '');
+		return $type == ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? 'document');
 	}
 
 	/**
@@ -67,7 +67,7 @@ abstract class SecFetch
 	 */
 	public static function mode(string $type) : bool
 	{
-		return $type == ($_SERVER['HTTP_SEC_FETCH_MODE'] ?? '');
+		return $type == ($_SERVER['HTTP_SEC_FETCH_MODE'] ?? 'navigate');
 	}
 
 	/**
@@ -92,4 +92,31 @@ abstract class SecFetch
 	{
 		return '?1' == ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
 	}
+
+	public static function isSameOrigin() : bool
+	{
+		if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) {
+			return true;
+		}
+
+		if ('none' == $_SERVER['HTTP_SEC_FETCH_SITE']) {
+			// sec-fetch-dest: document
+			// sec-fetch-mode: navigate
+			return static::user();
+		}
+
+		/**
+			<script>
+				sec-fetch-dest: script
+				sec-fetch-mode: no-cors
+			window.Fetch
+				sec-fetch-dest: empty
+				sec-fetch-mode: same-origin
+			reload:
+				sec-fetch-dest: document
+				sec-fetch-mode: navigate
+		 */
+		return 'same-origin' == $_SERVER['HTTP_SEC_FETCH_SITE'];
+	}
+
 }