oci/zeronet
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

More sophisticated detection of cross-site info leak

Browse source 
see previous commit for more info
This commit is contained in:
caryoscelus 2023-07-25 20:55:40 +00:00
parent 0811902ff6
commit f336cd02bd
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/Ui/UiRequest.py
View file

@ -282,9 +282,15 @@ class UiRequest(object):
# Send response headers # Send response headers
def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]): def sendHeader(self, status=200, content_type="text/html", noscript=False, allow_ajax=False, script_nonce=None, extra_headers=[]):
ref = self.env.get("HTTP_REFERER")
url = self.getRequestUrl() url = self.getRequestUrl()
if status != 404 and ref and not self.isSameHost(ref, url): referer = self.env.get('HTTP_REFERER')
origin = self.env.get('HTTP_ORIGIN')
fetch_site = self.env.get('HTTP_SEC_FETCH_SITE')
fetch_mode = self.env.get('HTTP_SEC_FETCH_MODE')
not_same_ref = referer and not self.isSameHost(referer, url)
not_same_origin = origin and not self.isSameHost(origin, url)
cross_site_not_navigate = not referer and fetch_site == 'cross-site' and not fetch_mode == 'navigate'
if status != 404 and (not_same_ref or not_same_origin or cross_site_not_navigate):
# pretend nothing is here for third-party access # pretend nothing is here for third-party access
return self.error404() return self.error404()