added Request::isFrom() WIP

dg · dg · commit be27298c8915 · 2026-05-26T18:59:16.000+02:00
diff --git a/src/Http/IRequest.php b/src/Http/IRequest.php
@@ -12,6 +12,7 @@
  * HTTP request contract providing access to URL, headers, cookies, uploaded files, and body.
  * @method ?UrlImmutable getReferer() Returns the referrer URL.
  * @method bool isSameSite() Checks whether the request is coming from the same site.
+ * @method bool isFrom(string|list<string>|null $site = null, string|list<string>|null $initiator = null)
  */
 interface IRequest
 {
diff --git a/src/Http/Request.php b/src/Http/Request.php
@@ -8,7 +8,7 @@
 namespace Nette\Http;
 
 use Nette;
-use function array_change_key_case, base64_decode, count, explode, gethostbyaddr, implode, in_array, preg_match, preg_match_all, rsort, strcasecmp, strtr;
+use function array_change_key_case, base64_decode, count, explode, func_num_args, gethostbyaddr, implode, in_array, preg_match, preg_match_all, rsort, strcasecmp, strtr;
 
 
 /**
@@ -238,6 +238,30 @@ public function isSameSite(): bool
 	}
 
 
+	/**
+	 * Checks whether the request origin and initiator match the given Sec-Fetch-Site and Sec-Fetch-Dest values.
+	 * Falls back to the Origin header for browsers that don't send Sec-Fetch headers (Safari < 16.4).
+	 * @param  string|list<string>|null  $site       expected Sec-Fetch-Site values (e.g. 'same-origin', 'cross-site')
+	 * @param  string|list<string>|null  $initiator  expected Sec-Fetch-Dest values (e.g. 'document', 'empty')
+	 */
+	public function isFrom(string|array|null $site = null, string|array|null $initiator = null): bool
+	{
+		$actualSite = $this->headers['sec-fetch-site'] ?? null;
+		$actualDest = $this->headers['sec-fetch-dest'] ?? null;
+
+		if ($actualSite === null && ($origin = $this->getOrigin())) { // fallback for Safari < 16.4
+			$actualSite = strcasecmp($origin->getScheme(), $this->url->getScheme()) === 0
+					&& strcasecmp(rtrim($origin->getHost(), '.'), rtrim($this->url->getHost(), '.')) === 0
+					&& $origin->getPort() === $this->url->getPort()
+				? 'same-origin'
+				: 'cross-site';
+		}
+
+		return ($site === null || ($actualSite !== null && in_array($actualSite, (array) $site, strict: true)))
+			&& ($initiator === null || ($actualDest !== null && in_array($actualDest, (array) $initiator, strict: true)));
+	}
+
+
 	/**
 	 * Checks whether the request was made via AJAX (X-Requested-With: XMLHttpRequest).
 	 */
diff --git a/tests/Http/Request.isFrom.phpt b/tests/Http/Request.isFrom.phpt
@@ -0,0 +1,96 @@
+<?php declare(strict_types=1);
+
+use Nette\Http;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+test('matches both headers', function () {
+	$request = new Http\Request(new Http\UrlScript, headers: [
+		'Sec-Fetch-Site' => 'same-origin',
+		'Sec-Fetch-Dest' => 'document',
+	]);
+
+	Assert::true($request->isFrom('same-origin', 'document'));
+});
+
+
+test('fails when expected header missing', function () {
+	$request = new Http\Request(new Http\UrlScript, headers: [
+		'Sec-Fetch-Site' => 'same-origin',
+	]);
+
+	Assert::false($request->isFrom('same-origin', 'document'));
+});
+
+
+test('accepts multiple expected values', function () {
+	$request = new Http\Request(new Http\UrlScript, headers: [
+		'Sec-Fetch-Site' => 'cross-site',
+		'Sec-Fetch-Dest' => 'image',
+	]);
+
+	Assert::true($request->isFrom(['same-origin', 'cross-site'], ['document', 'image']));
+	Assert::false($request->isFrom(['cross-site'], ['Document']));
+	Assert::false($request->isFrom(['Cross-Site'], ['image']));
+});
+
+
+test('fallback same-origin from Origin header', function () {
+	$url = new Http\UrlScript('https://nette.org/app/');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'https://nette.org',
+	]);
+
+	Assert::true($request->isFrom('same-origin'));
+});
+
+
+test('fallback cross-site from Origin header', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'https://example.com',
+	]);
+
+	Assert::true($request->isFrom('cross-site'));
+});
+
+
+test('fallback missing without Origin header', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url);
+
+	Assert::false($request->isFrom('same-origin'));
+});
+
+
+test('fallback not used when header present', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url, headers: [
+		'Sec-Fetch-Site' => 'none',
+		'Origin' => 'https://nette.org',
+	]);
+
+	Assert::false($request->isFrom('same-origin'));
+});
+
+
+test('fallback cross-site when port differs', function () {
+	$url = new Http\UrlScript('https://nette.org:443');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'https://nette.org:444',
+	]);
+
+	Assert::true($request->isFrom('cross-site'));
+});
+
+
+test('fallback ignored for invalid Origin', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'null',
+	]);
+
+	Assert::false($request->isFrom('same-origin'));
+});

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`* HTTP request contract providing access to URL, headers, cookies, uploaded files, and body.`
`13`	`13`	`* @method ?UrlImmutable getReferer() Returns the referrer URL.`
`14`	`14`	`* @method bool isSameSite() Checks whether the request is coming from the same site.`
	`15`	`+ * @method bool isFrom(string\|list<string>\|null $site = null, string\|list<string>\|null $initiator = null)`
`15`	`16`	`*/`
`16`	`17`	`interface IRequest`
`17`	`18`	`{`