enforce fetch metadata headers being present
These are implemented in Chromium since July 2019, Firefox since July
2021 and Safari since March 2023.
thestinger committed Jan 9, 2024
1 parent 6310dd6 commit 3d480c4
Showing 1 changed file with 3 additions and 6 deletions.
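--- a/src/main/java/app/attestation/server/AttestationServer.java
+++ b/src/main/java/app/attestation/server/AttestationServer.java
@@ -360,16 +360,13 @@ public void checkRequestHeaders(final HttpExchange exchange) throws GeneralSecur
 if (!"application/json".equals(getRequestHeaderValue(exchange, "Content-Type"))) {
 throw new GeneralSecurityException();
 }
-final String fetchMode = getRequestHeaderValue(exchange, "Sec-Fetch-Mode");
-if (fetchMode != null && !fetchMode.equals("same-origin")) {
+if (!"same-origin".equals(getRequestHeaderValue(exchange, "Sec-Fetch-Mode"))) {
 throw new GeneralSecurityException();
 }
-final String fetchSite = getRequestHeaderValue(exchange, "Sec-Fetch-Site");
-if (fetchSite != null && !fetchSite.equals("same-origin")) {
+if (!"same-origin".equals(getRequestHeaderValue(exchange, "Sec-Fetch-Site"))) {
 throw new GeneralSecurityException();
 }
-final String fetchDest = getRequestHeaderValue(exchange, "Sec-Fetch-Dest");
-if (fetchDest != null && !fetchDest.equals("empty")) {
+if (!"empty".equals(getRequestHeaderValue(exchange, "Sec-Fetch-Dest"))) {
 throw new GeneralSecurityException();
 }
 }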
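Review bot: The three `Sec-Fetch-*` checks in checkRequestHeaders now reject any request that omits the headers, but the reason this is safe to require is recorded only in the commit message; a comment above the first check would keep it with the code, e.g. `// Fetch metadata is mandatory: sent by Chromium (July 2019), Firefox (July 2021), Safari (March 2023); older browsers and non-browser clients are rejected`. That comment should also say that these headers are a cross-site request defence for browser users only: a non-browser client can send whatever values it likes, so the checks complement the session and authentication checks rather than replace them. All the rejections in this hunk use a bare `throw new GeneralSecurityException();`, so a log presumably cannot tell a missing `Sec-Fetch-Site` from a wrong `Content-Type`; a constant message naming the header (not its value) would make it easier to triage legitimate clients that start failing after this change. The method starts before the hunk, so any earlier checks and the way the exception becomes an HTTP response are not visible here.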
