
Commit 49e2012

committed
Compare the Origin as a fallback of the Sec-Fetch-Site header is not present
1 parent 9637208 commit 49e2012


1 file changed

+5
-1
lines changed

1 file changed

+5
-1
lines changed

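--- a/src/Movim/Daemon/Core.php
+++ b/src/Movim/Daemon/Core.php
@@ -306,7 +306,11 @@ private function isTrustedConnection(ConnectionInterface $conn): bool
 $daemonKeyHeader = $conn->httpRequest->getHeader('MOVIM_DAEMON_KEY');
 $secFetchSiteHeader = $conn->httpRequest->getHeader('Sec-Fetch-Site');
 
+$sameOrigin = (is_array($secFetchSiteHeader) && !empty($secFetchSiteHeader))
+? $secFetchSiteHeader[0] == 'same-origin'
+: parse_url($conn->httpRequest->getHeader('Origin')[0], PHP_URL_HOST) == parse_url($this->baseuri, PHP_URL_HOST);
+
 return (is_array($daemonKeyHeader) && !empty($daemonKeyHeader) && $daemonKeyHeader[0] === $this->key)
-|| (is_array($secFetchSiteHeader) && !empty($secFetchSiteHeader) && $secFetchSiteHeader[0] == 'same-origin');
+|| $sameOrigin;
 }
 }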
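Review bot: The Origin fallback in the added ternary indexes `getHeader('Origin')[0]` without checking that the header is present, and it compares the two parsed hosts with `==`. For a request that carries neither Sec-Fetch-Site nor Origin, this reads an undefined offset and hands null to parse_url(). Under loose comparison a null or false result on both sides would then count as same-origin (for instance if `$this->baseuri` has no parsable host, which is not visible here), so the fallback should require a string host and compare with `===`. Comparing only PHP_URL_HOST also accepts a different scheme or port on the same host, which is looser than the `same-origin` value of Sec-Fetch-Site that it stands in for. isTrustedConnection() begins above the hunk, so only the lines shown are covered.

```php
$originHeader = $conn->httpRequest->getHeader('Origin');
$originHost = (is_array($originHeader) && !empty($originHeader))
    ? parse_url($originHeader[0], PHP_URL_HOST)
    : null;

$sameOrigin = (is_array($secFetchSiteHeader) && !empty($secFetchSiteHeader))
    ? $secFetchSiteHeader[0] === 'same-origin'
    // A missing or unparsable Origin must never compare equal to the configured host
    : is_string($originHost) && $originHost === parse_url($this->baseuri, PHP_URL_HOST);
// … unchanged: return combining the daemon key check with $sameOrigin …
```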
