
sec fetch breaks snappymail #99

Closed
gene-git opened this issue Jul 13, 2021 · 20 comments

Comments

@gene-git

Commit 2a44aea causes Snappymail to exit with 'Invalid Sec-Fetch'.

Reverting this commit and it works as usual.

I don't follow what it's actually doing, but the domain has valid certs. Web server is nginx. We use:

```nginx
X-Frame-Options SAMEORIGIN;
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" ;
```

The mail app runs with same domain as home page.

Shy of reverting this commit, what is your recommendation?

thanks

@gene-git
Author

Seems like this check looks for header HTTP_SEC_FETCH_SITE.

In case browser versions come into play with compatibility, the browser being used is Firefox 91.0a1 nightly build 20210710094507

@the-djmaze
Owner

Yes, it's a work in progress to implement (only safari doesn't support it yet).
I will upgrade my firefox to find the issue.

@gene-git
Author

gene-git commented Jul 13, 2021

Thanks. In case it's helpful, I checked on both Firefox nightly and Chrome dev; they both show
`"HTTP_SEC_FETCH_SITE"]=> string(4) "none"`

the-djmaze pushed a commit that referenced this issue Jul 14, 2021
Also see issue #99
@the-djmaze
Owner

Sec-Fetch-Site: "none" is the initial document request.
After that they should be 'same-origin'.

It works here with Chromium 90.0.4430.212, Firefox 89.0.2 (has no Sec-Fetch) and Firefox 91.0b2.

The problems I encountered were:

  1. user clicks link on example.com to webmail.com (cross-site)
  2. user clicks link on example.com to example.com:port (same-site)

In both cases the Sec-Fetch-User is set and I will relax the security for these cases.

the-djmaze pushed a commit that referenced this issue Jul 14, 2021
@gene-git
Author

In my case I either:

  • Go to dom.com and then click dom.com/mail
  • Go directly to dom.com/mail

Is it possible in latter case to get 'none' ?

The fail I saw yesterday was the first scenario - which shouldn't have happened right - I'm happy to test any changes.

@gene-git
Author

With latest commit c46a28a it is now crashing with:

```
2021/07/14 07:57:34 [error] 66276#66276: *3599 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Undefined constant "RainLoop\Config\APP_USE_APC_CACHE" in /usr/share/webapps/snappymail/snappymail/v/0.0.0/app/libraries/RainLoop/Config/AbstractConfig.php:44
```

Should this have APC -> APCU maybe?
Making this change in AbstractConfig.php, I now get the login prompt.

thanks,

the-djmaze pushed a commit that referenced this issue Jul 15, 2021
@gene-git
Author

Thank you for fixing so quickly - all seems ok now.

@m-i-k-e-y

Hi!

I recently upgraded to snappymail 2.6.0 and everything is working fine on desktop PCs.

However, on mobile (Mozilla Firefox on Android, latest stable Version from Play Store), I'm greeted with this error: "Disallowed Sec-Fetch-Site: cross-site".

See this screenshot:
[screenshot: Screenshot_Firefox]

Could you please take a look again at this? Or should I open a new issue?

@gene-git
Author

gene-git commented Aug 8, 2021

Works for me using firefox nightly - would you mind trying that to eliminate older firefox as cause?

thanks

@gene-git
Author

gene-git commented Aug 8, 2021

to confirm - both desktop and phone are on same network for this right? Anything of use in web server logs by chance?

@m-i-k-e-y

m-i-k-e-y commented Aug 9, 2021

Both desktop and phone are on the same network. The only difference in the server logs (nginx) is that the first and only request from the phone is answered with a 403 error, whereas the same first request from desktop is answered with 200 (I obfuscated the source IP):

```
194...114 - - [09/Aug/2021:07:07:10 +0200] "GET / HTTP/2.0" 403 55 "-" "Mozilla/5.0 (Android 10; Mobile; rv:90.0) Gecko/90.0 Firefox/90.0"
194...114 - - [09/Aug/2021:07:07:20 +0200] "GET / HTTP/2.0" 200 33062 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
194...114 - - [09/Aug/2021:07:07:21 +0200] "GET /snappymail/v/2.6.0/static/css/app.min.css HTTP/2.0" 200 17238 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
194...114 - - [09/Aug/2021:07:07:21 +0200] "GET /?/AppData/0/3555607075253159/ HTTP/2.0" 200 1139 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
194...114 - - [09/Aug/2021:07:07:21 +0200] "GET /snappymail/v/2.6.0/themes/Default/images/background.jpg HTTP/2.0" 200 4457 "https://mail.i*.*/snappymail/v/2.6.0/static/css/app.min.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
194...114 - - [09/Aug/2021:07:07:21 +0200] "GET /snappymail/v/2.6.0/static/apple-touch-icon.png HTTP/2.0" 200 992 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
194...114 - - [09/Aug/2021:07:07:21 +0200] "GET /snappymail/v/2.6.0/static/apple-touch-icon.png HTTP/2.0" 200 992 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0"
```

@m-i-k-e-y

m-i-k-e-y commented Aug 9, 2021

I've tried now with the latest release of Mozilla Firefox from GitHub https://github.com/mozilla-mobile/fenix/releases/tag/v91.1.0, same error:

```
194...114 - - [09/Aug/2021:08:50:21 +0200] "GET / HTTP/2.0" 403 55 "-" "Mozilla/5.0 (Android 10; Mobile; rv:91.0) Gecko/91.0 Firefox/91.0"
```

@the-djmaze
Owner

the-djmaze commented Aug 9, 2021

@m-i-k-e-y
> cross-site: The request initiator and the server hosting the resource have a different site (i.e. a request by "potentially-evil.com" for a resource at "example.com").

Somehow your requests don't match correctly.
SnappyMail has several checks:

  1. Is HTTP_SEC_FETCH_SITE set?
     • No: old browser
     • Yes: HTTP_SEC_FETCH_SITE must be 'same-origin' OR:
       - HTTP_SEC_FETCH_USER must be '?1'
       - and HTTP_SEC_FETCH_DEST must be 'document'
       - and HTTP_SEC_FETCH_MODE must be 'navigate'

I know this security is useless when a MitM modifies the headers.

I've made a change in the above-mentioned commit to trace your issue a bit better.
So try it with the modified handle.php and post the result here.

@the-djmaze the-djmaze reopened this Aug 9, 2021
@gene-git
Author

gene-git commented Aug 9, 2021

Aside: Agree re MitM, but every bit helps strengthen the overall security. It's also a good idea to use a different CSP for different web server locations, i.e. a very stringent policy everywhere it's not needed and a lighter policy where it's needed. If possible, require password login for those areas with milder CSP.

@m-i-k-e-y

I'll test later after working hours and will let you know the outcome.

@m-i-k-e-y

@the-djmaze
thanks for taking your time to look into this. This is the result after changing handle.php:

[screenshot: Screenshot_Firefox_restest]

and in the log of nginx the same 403 error:

```
194...114 - - [09/Aug/2021:16:46:13 +0200] "GET / HTTP/2.0" 403 100 "-" "Mozilla/5.0 (Android 10; Mobile; rv:91.0) Gecko/91.0 Firefox/91.0"
```

@gene-git

I've downloaded and tried with the latest Firefox Nightly from the PlayStore, too. But it makes no difference, Nightly shows the same behaviour. Only Desktop works for me.

@the-djmaze
Owner

the-djmaze commented Aug 9, 2021

https://www.w3.org/TR/fetch-metadata/#sec-fetch-user-header

> The Sec-Fetch-User HTTP request header exposes whether or not a navigation request was triggered by user activation.

Are you not directly accessing https://mail.i*.*/ but through a redirect of some-kind?
Say: domain.com/mail => header "Location: https://snappymail.eu/demo/" ?

the-djmaze pushed a commit that referenced this issue Aug 9, 2021
#99 (comment)
This should prevent security error on visiting "index" in any way, but keep security on any sub-request
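As an added example (not SnappyMail's own handle.php, and not code posted in this thread), here is the check the-djmaze lists above written out in PHP, together with the relaxation described in the commit message just above: the index page passes however it is reached, while sub-requests keep the strict rules. The function name, the `$isIndex` flag and the return strings are assumptions for illustration; every sample request is constructed, not captured from anyone's server.

```php
<?php
// Added example, not SnappyMail's own handle.php: a Fetch Metadata check that
// follows the rules the-djmaze lists in this thread, plus the relaxation from
// the later commit ("index" may be visited in any way; sub-requests stay strict).
// The function name, the $isIndex flag and the return strings are assumptions
// for illustration; every sample request below is constructed, not captured.

declare(strict_types=1);

/**
 * Decide whether a request passes the Fetch Metadata check.
 *
 * @param array<string,string> $server   $_SERVER-style array holding HTTP_SEC_FETCH_* keys
 * @param bool                 $isIndex  true for the top-level "index" page request
 * @return string 'allow', or a string beginning with 'deny:' giving the reason
 */
function checkFetchMetadata(array $server, bool $isIndex): string
{
    // 1. No Sec-Fetch-Site at all: old browser (or Safari), nothing to verify.
    if (!isset($server['HTTP_SEC_FETCH_SITE'])) {
        return 'allow';
    }
    $site = $server['HTTP_SEC_FETCH_SITE'];

    // 2. same-origin is always fine: that is what the app's own XHR and asset loads send.
    if ($site === 'same-origin') {
        return 'allow';
    }

    // 3. The index page may be reached in any way (a typed URL or bookmark gives
    //    "none", a link from another site gives "cross-site", a redirect may give
    //    either); the strict check is only enforced on sub-requests.
    if ($isIndex) {
        return 'allow';
    }

    // 4. Any other non-same-origin request is accepted only as a user-activated
    //    top-level navigation.
    $user = $server['HTTP_SEC_FETCH_USER'] ?? '';
    $dest = $server['HTTP_SEC_FETCH_DEST'] ?? '';
    $mode = $server['HTTP_SEC_FETCH_MODE'] ?? '';
    if ($user === '?1' && $dest === 'document' && $mode === 'navigate') {
        return 'allow';
    }

    return "deny: Disallowed Sec-Fetch-Site: {$site}";
}

// Constructed sample requests: label => [$server, $isIndex].
$samples = [
    'old browser, no Sec-Fetch headers' => [[], false],
    'app XHR from the webmail page (same-origin)' => [
        ['HTTP_SEC_FETCH_SITE' => 'same-origin', 'HTTP_SEC_FETCH_DEST' => 'empty', 'HTTP_SEC_FETCH_MODE' => 'cors'],
        false,
    ],
    'typed URL or bookmark to the index' => [
        ['HTTP_SEC_FETCH_SITE' => 'none', 'HTTP_SEC_FETCH_USER' => '?1', 'HTTP_SEC_FETCH_DEST' => 'document', 'HTTP_SEC_FETCH_MODE' => 'navigate'],
        true,
    ],
    'link clicked on another site, leading to the index' => [
        ['HTTP_SEC_FETCH_SITE' => 'cross-site', 'HTTP_SEC_FETCH_USER' => '?1', 'HTTP_SEC_FETCH_DEST' => 'document', 'HTTP_SEC_FETCH_MODE' => 'navigate'],
        true,
    ],
    'index reached through a redirect, no user activation' => [
        ['HTTP_SEC_FETCH_SITE' => 'cross-site', 'HTTP_SEC_FETCH_DEST' => 'document', 'HTTP_SEC_FETCH_MODE' => 'navigate'],
        true,
    ],
    'cross-site sub-request (a webmail URL embedded in another site)' => [
        ['HTTP_SEC_FETCH_SITE' => 'cross-site', 'HTTP_SEC_FETCH_DEST' => 'image', 'HTTP_SEC_FETCH_MODE' => 'no-cors'],
        false,
    ],
];

foreach ($samples as $label => [$server, $isIndex]) {
    printf("%-65s %s\n", $label, checkFetchMetadata($server, $isIndex));
}
```

Run with `php example.php`: the first five samples print `allow` and only the last, a cross-site sub-request, prints `deny: Disallowed Sec-Fetch-Site: cross-site`. The ordering matters: the `$isIndex` short-circuit sits after the same-origin test but before the Sec-Fetch-User test, so an index navigation that arrives without `Sec-Fetch-User: ?1` (a redirect, or a browser that omits the header) is no longer rejected, while a cross-site load of any non-index resource still is.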
@m-i-k-e-y

I am directly accessing the domain. Either by typing the address or by using a bookmark stored in the profile. There is only a redirect from http to https for the domain on the server side.

@m-i-k-e-y

m-i-k-e-y commented Aug 10, 2021

@the-djmaze

Your latest commit seems to do the trick. I could access snappymail now with 3 different versions of Firefox on Android:

Next stable version from GitHub:

```
194...114 - - [10/Aug/2021:07:18:00 +0200] "GET / HTTP/2.0" 200 33064 "-" "Mozilla/5.0 (Android 10; Mobile; rv:91.0) Gecko/91.0 Firefox/91.0"
```

Nightly from PlayStore:

```
194...114 - - [10/Aug/2021:07:19:37 +0200] "GET / HTTP/2.0" 200 33060 "-" "Mozilla/5.0 (Android 10; Mobile; rv:92.0) Gecko/92.0 Firefox/92.0"
```

Current stable version from PlayStore on an older device:

```
194...114 - - [10/Aug/2021:07:21:12 +0200] "GET / HTTP/2.0" 200 33063 "-" "Mozilla/5.0 (Android 6.0.1; Mobile; rv:90.0) Gecko/90.0 Firefox/90.0"
```

Thanks a lot!

@the-djmaze
Owner

Sorry these last two commits should belong to #96


3 participants