Request::isSameSite() uses isFrom() and is deprecated; strict cookie sent only without Sec-Fetch-Site

Author: dg

src/Http/Helpers.php

@@ -113,10 +113,13 @@ public static function ipMatch(string $ip, string $mask): bool
 
 
 	/**
-	 * Sends the strict same-site cookie used to detect same-site requests.
+	 * Sends the SameSite=Strict cookie used as a fallback for detecting same-site requests
+	 * in browsers that don't support the Sec-Fetch-Site header (Safari < 16.4).
 	 */
 	public static function initCookie(IRequest $request, IResponse $response): void
 	{
-		$response->setCookie(self::StrictCookieName, '1', null, '/', sameSite: IResponse::SameSiteStrict);
+		if ($request->getHeader('Sec-Fetch-Site') === null) {
+			$response->setCookie(self::StrictCookieName, '1', null, '/', sameSite: IResponse::SameSiteStrict);
+		}
 	}
 }

src/Http/IRequest.php

@@ -11,7 +11,6 @@
 /**
  * HTTP request contract providing access to URL, headers, cookies, uploaded files, and body.
  * @method ?UrlImmutable getReferer() Returns the referrer URL.
- * @method bool isSameSite() Checks whether the request is coming from the same site.
  * @method bool isFrom(self::From*|list<self::From*> $site, string|list<string>|null $dest = null, ?bool $user = null)
  */
 interface IRequest

src/Http/Request.php

@@ -230,11 +230,13 @@ public function isSecured(): bool
 
 
 	/**
-	 * Checks whether the request is coming from the same site and was initiated by clicking on a link.
+	 * Checks whether the request originated from your own site (same-site), i.e. it was not
+	 * triggered from a foreign website. Serves as a CSRF-like protection for forms and signals.
+	 * @deprecated use isFrom()
 	 */
 	public function isSameSite(): bool
 	{
-		return isset($this->cookies[Helpers::StrictCookieName]);
+		return $this->isFrom([self::FromSameSite, self::FromSameOrigin]);
 	}
 
 

tests/Http/Request.isFrom.phpt

@@ -123,3 +123,25 @@ test('cookie fallback not used when Sec-Fetch-Site present', function () {
 	Assert::false($request->isFrom('same-origin'));
 	Assert::true($request->isFrom('cross-site'));
 });
+
+
+test('isSameSite() via Sec-Fetch-Site', function () {
+	foreach (['same-origin', 'same-site', 'none'] as $site) {
+		$request = new Http\Request(new Http\UrlScript, headers: ['Sec-Fetch-Site' => $site]);
+		Assert::true($request->isSameSite(), $site);
+	}
+
+	$request = new Http\Request(new Http\UrlScript, headers: ['Sec-Fetch-Site' => 'cross-site']);
+	Assert::false($request->isSameSite());
+});
+
+
+test('isSameSite() via cookie fallback', function () {
+	$request = new Http\Request(new Http\UrlScript, cookies: [
+		Http\Helpers::StrictCookieName => '1',
+	]);
+	Assert::true($request->isSameSite());
+
+	$request = new Http\Request(new Http\UrlScript);
+	Assert::false($request->isSameSite());
+});