Presenter: signal must be sent from the same origin unless they have …

…annotation @crossorigin (BC break) Experimental
nette · Sep 4, 2018 · 8a654f3276cc5d71b351db4a0795b3a3ad6783a7 · 8a654f3
1 parent bf27ffc
commit 8a654f3276cc5d71b351db4a0795b3a3ad6783a7
Unified Split

Showing with 9 additions and 0 deletions.

+8 −0 src/Application/UI/Component.php

+1 −0 src/Application/UI/Presenter.php
diff --git a/src/Application/UI/Component.php b/src/Application/UI/Component.php
@@ -104,6 +104,14 @@ protected function tryCall(string $method, array $params): bool
 	 */
 	public function checkRequirements($element): void
 	{
+  
+		if (
+  
+			$element instanceof \ReflectionMethod
+  
+			&& substr($element->getName(), 0, 6) === 'handle'
+  
+			&& !ComponentReflection::parseAnnotation($element, 'crossOrigin')
+  
+			&& !$this->getPresenter()->getHttpRequest()->isSameSite()
+  
+		) {
+  
+			throw new Nette\Application\ForbiddenRequestException('The signal was not sent from the same domain. It can be allowed using @crossOrigin annotation.');
+  
+		}
 	}

diff --git a/src/Application/UI/Presenter.php b/src/Application/UI/Presenter.php
@@ -298,6 +298,7 @@ protected function shutdown(Application\IResponse $response)
 	 */
 	public function checkRequirements($element): void
 	{
+  
+		parent::checkRequirements($element);
 		$user = (array) ComponentReflection::parseAnnotation($element, 'User');
 		if (in_array('loggedIn', $user, true)) {
 			trigger_error(__METHOD__ . '() annotation @User is deprecated', E_USER_DEPRECATED);