diff --git a/snappymail/v/0.0.0/app/handle.php b/snappymail/v/0.0.0/app/handle.php
index be12952aa..b83333eb5 100644
--- a/snappymail/v/0.0.0/app/handle.php
+++ b/snappymail/v/0.0.0/app/handle.php
@@ -28,9 +28,10 @@ if (!\defined('RAINLOOP_APP_LIBRARIES_PATH'))
 if (\class_exists('RainLoop\Api')) {
- if (!\SnappyMail\HTTP\SecFetch::site('same-origin')
- && !\SnappyMail\HTTP\SecFetch::site('none')) {
- exit('Invalid Sec-Fetch');
+ if (!\SnappyMail\HTTP\SecFetch::isSameOrigin()) {
+ \http_response_code(403);
+ \header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden', true, 403);
+ exit('Disallowed Sec-Fetch-Site: ' . ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? ''));
 }
 \MailSo\Base\Loader::Init();
diff --git a/snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php b/snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php
index 34eb7f598..58116a197 100644
--- a/snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php
+++ b/snappymail/v/0.0.0/app/libraries/snappymail/http/secfetch.php
@@ -50,7 +50,7 @@ abstract class SecFetch
 */
 public static function dest(string $type) : bool
 {
- return $type == ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? '');
+ return $type == ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? 'document');
 }
 /**
@@ -67,7 +67,7 @@ abstract class SecFetch
 */
 public static function mode(string $type) : bool
 {
- return $type == ($_SERVER['HTTP_SEC_FETCH_MODE'] ?? '');
+ return $type == ($_SERVER['HTTP_SEC_FETCH_MODE'] ?? 'navigate');
 }
 /**
@@ -92,4 +92,31 @@ abstract class SecFetch
 {
 return '?1' == ($_SERVER['HTTP_SEC_FETCH_USER'] ?? '');
 }
+
+ public static function isSameOrigin() : bool
+ {
+ if (!isset($_SERVER['HTTP_SEC_FETCH_SITE'])) {
+ return true;
+ }
+
+ if ('none' == $_SERVER['HTTP_SEC_FETCH_SITE']) {
+ // sec-fetch-dest: document
+ // sec-fetch-mode: navigate
+ return static::user();
+ }
+
+ /**
+
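Review bot: The added `\header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden', true, 403)` reads `SERVER_PROTOCOL` unguarded, which emits an undefined-index warning on this error path under any SAPI that does not populate it, and it duplicates the status already set by `\http_response_code(403)` on the line before; one call is enough, e.g. `\header(($_SERVER['SERVER_PROTOCOL'] ?? 'HTTP/1.0') . ' 403 Forbidden', true, 403);` with the `http_response_code` line dropped. The `exit()` message reflects the raw `Sec-Fetch-Site` request value into the body and nothing visible here sets a Content-Type; the risk is low because browsers do not let page scripts set `Sec-Fetch-*` headers, but a non-browser client can send anything, so either drop the echo or wrap it in `htmlspecialchars()`. Since `isSameOrigin()` (added in the last hunk of this diff) returns true when the header is absent, this gate only constrains clients that actually send Fetch Metadata; a one-line comment above the `if` would make that explicit, e.g. `// Fetch Metadata gate: only enforced for clients that send Sec-Fetch-Site`. The enclosing `if (\class_exists(...))` block continues past the end of the hunk.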
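Review bot: The new `'document'` default makes `dest('document')` true for any request that carries no `Sec-Fetch-Dest` header at all, so a caller can no longer distinguish an absent header from a genuine top-level navigation; the `'navigate'` default in the `mode()` hunk below has the same effect. If that is intentional (treating legacy or non-browser clients as navigations), it belongs in the docblock above each method, e.g. `* A missing header is treated as "document"; callers must not use dest() alone as proof the request came from a browser.` The comparison on the same line still uses `==`; with a `string` parameter and a string header value, `===` is the conventional and safer form, `return $type === ($_SERVER['HTTP_SEC_FETCH_DEST'] ?? 'document');`. The docblock closed by the hunk's first context line starts outside the hunk.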