added cookie fallback to Request::isFrom() for browsers without Sec-Fetch (Safari < 16.4)

Author: dg

src/Http/Request.php

@@ -8,7 +8,7 @@
 namespace Nette\Http;
 
 use Nette;
-use function array_change_key_case, base64_decode, count, explode, func_num_args, in_array, preg_match, strcasecmp, strlen, strtr;
+use function array_change_key_case, array_intersect, base64_decode, count, explode, func_num_args, in_array, preg_match, strcasecmp, strlen, strtr;
 
 
 /**
@@ -240,6 +240,8 @@ public function isSameSite(): bool
 
 	/**
 	 * Checks whether the request matches the given Sec-Fetch-Site, Sec-Fetch-Dest and Sec-Fetch-User values.
+	 * Falls back to the SameSite=Strict cookie in browsers without Sec-Fetch (Safari < 16.4), which only
+	 * proves the request is not cross-site, so checks on $dest or $user then fail.
 	 * @param  self::From*|list<self::From*>  $site
 	 * @param  string|list<string>|null  $dest
 	 */
@@ -253,8 +255,14 @@ public function isFrom(
 		$actualDest = $this->headers['sec-fetch-dest'] ?? null;
 		$actualUser = ($this->headers['sec-fetch-user'] ?? null) === '?1';
 
-		return $actualSite !== null
-			&& in_array($actualSite, (array) $site, strict: true)
+		if ($actualSite === null) { // fallback for browsers without Sec-Fetch (Safari < 16.4)
+			return $dest === null
+				&& $user === null
+				&& isset($this->cookies[Helpers::StrictCookieName])
+				&& array_intersect((array) $site, [self::FromSameOrigin, self::FromSameSite, self::FromNone]) !== [];
+		}
+
+		return in_array($actualSite, (array) $site, strict: true)
 			&& ($dest === null || ($actualDest !== null && in_array($actualDest, (array) $dest, strict: true)))
 			&& ($user === null || $user === $actualUser);
 	}

tests/Http/Request.isFrom.phpt

@@ -71,15 +71,55 @@ test('accepts multiple expected values', function () {
 });
 
 
-test('invalid/typo site value fails', function () {
-	$request = new Http\Request(new Http\UrlScript, headers: ['Sec-Fetch-Site' => 'same-origin']);
-	Assert::false($request->isFrom('same-orgin'));
+test('invalid/typo site value fails consistently', function () {
+	$header = new Http\Request(new Http\UrlScript, headers: ['Sec-Fetch-Site' => 'same-origin']);
+	Assert::false($header->isFrom('same-orgin'));
+
+	$cookie = new Http\Request(new Http\UrlScript, cookies: [Http\Helpers::StrictCookieName => '1']);
+	Assert::false($cookie->isFrom('same-orgin'));
 });
 
 
-test('no Sec-Fetch-Site returns false', function () {
+test('no header, no cookie returns false', function () {
 	$request = new Http\Request(new Http\UrlScript);
 
 	Assert::false($request->isFrom('same-origin'));
 	Assert::false($request->isFrom('cross-site'));
 });
+
+
+test('cookie fallback proves only "not cross-site"', function () {
+	$request = new Http\Request(new Http\UrlScript, cookies: [
+		Http\Helpers::StrictCookieName => '1',
+	]);
+
+	Assert::true($request->isFrom('same-origin'));
+	Assert::true($request->isFrom('same-site'));
+	Assert::true($request->isFrom('none'));
+	Assert::true($request->isFrom(['same-origin', 'cross-site']));
+	Assert::false($request->isFrom('cross-site'));
+});
+
+
+test('cookie fallback fails closed for dest & user', function () {
+	$request = new Http\Request(new Http\UrlScript, cookies: [
+		Http\Helpers::StrictCookieName => '1',
+	]);
+
+	// dest/user can't be proven by the cookie alone, so a stricter check must not pass
+	Assert::false($request->isFrom('same-origin', 'document'));
+	Assert::false($request->isFrom('same-origin', user: true));
+	Assert::false($request->isFrom('same-origin', user: false));
+});
+
+
+test('cookie fallback not used when Sec-Fetch-Site present', function () {
+	$request = new Http\Request(new Http\UrlScript, cookies: [
+		Http\Helpers::StrictCookieName => '1',
+	], headers: [
+		'Sec-Fetch-Site' => 'cross-site',
+	]);
+
+	Assert::false($request->isFrom('same-origin'));
+	Assert::true($request->isFrom('cross-site'));
+});