From 0811902ff6849320b19bcb336e748f64a66eb409 Mon Sep 17 00:00:00 2001 From: caryoscelus Date: Tue, 25 Jul 2023 18:59:09 +0000 Subject: [PATCH] Disable third-party access to 0net server. This previously enabled clearnet sites to detect if user is running 0net instance on their machine as well as to detect which 0net sites are downloaded. Check online at https://riza-committee.github.io/demos/0scan.html Intra-0net version of this is still available at http://127.0.0.1:43110/1ScanCY9fjmjanDt7NwvyNQCL16hqWnVM/ --- src/Ui/UiRequest.py | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py index 281a5e5c..8f1e4c18 100644 --- a/src/Ui/UiRequest.py +++ b/src/Ui/UiRequest.py @@ -282,13 +282,17 @@ class UiRequest(object): # Send response headers def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]): + ref = self.env.get("HTTP_REFERER") + url = self.getRequestUrl() + if status != 404 and ref and not self.isSameHost(ref, url): + # pretend nothing is here for third-party access + return self.error404() + headers = {} headers["Version"] = "HTTP/1.1" headers["Connection"] = "Keep-Alive" headers["Keep-Alive"] = "max=25, timeout=30" headers["X-Frame-Options"] = "SAMEORIGIN" - if content_type != "text/html" and self.env.get("HTTP_REFERER") and self.isSameOrigin(self.getReferer(), self.getRequestUrl()): - headers["Access-Control-Allow-Origin"] = "*" # Allow load font files from css if noscript: headers["Content-Security-Policy"] = "default-src 'none'; sandbox allow-top-navigation allow-forms; img-src *; font-src * data:; media-src *; style-src * 'unsafe-inline';" 
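Review bot: The new guard at the top of `sendHeader` only fires when a Referer header is present (`ref and not self.isSameHost(ref, url)`), so a cross-site request that arrives without one is served exactly as before, and the embedding page controls whether that header is sent. Where the browser supplies Fetch Metadata, it would be worth checking that as well, e.g. `fetch_site = self.env.get("HTTP_SEC_FETCH_SITE")` and treating `cross-site` the same as a foreign Referer. Separately, `sendHeader` now returns the value of `self.error404()`. Its callers are outside this hunk, so please confirm that none of them ignores the return value and goes on to emit the real body under the 404 status. The rest of `sendHeader` lies past the end of the hunk.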
@@ -605,7 +609,23 @@ class UiRequest(object): self.server.add_nonces.append(add_nonce) return add_nonce + def isSameHost(self, url_a, url_b): + """Check if urls have the same HOST (to prevent leaking resources to clearnet sites)""" + if not url_a or not url_b: + return False + + url_a = url_a.replace("/raw/", "/") + url_b = url_b.replace("/raw/", "/") + + origin_pattern = "http[s]{0,1}://(.*?/).*" + + origin_a = re.sub(origin_pattern, "\\1", url_a) + origin_b = re.sub(origin_pattern, "\\1", url_b) + + return origin_a == origin_b + def isSameOrigin(self, url_a, url_b): + """Check if 0net origin is the same""" if not url_a or not url_b: return False
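Review bot: `isSameHost` extracts the host with an unanchored `re.sub`, which returns its input unchanged when the pattern does not match (for example a URL with no `/` after the authority), so the check silently degrades to whole-string equality; the comparison is also case-sensitive. Parsing the URL is stricter and easier to read: `host_a = urllib.parse.urlsplit(url_a).netloc.lower()` (likewise for `url_b`), then `return bool(host_a) and host_a == host_b`. This assumes `urllib.parse` is imported in the file, which the hunk does not show. The two `.replace("/raw/", "/")` calls cannot change the host part and could be dropped. The docstring could also state that scheme and path are deliberately ignored.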