From 753de9fc0ac17d5e85a464ee4827eec3494d67c8 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 7 Jan 2024 13:09:25 -0500
Subject: [PATCH] enforce fetch metadata headers being present

These are implemented in Chromium since July 2019, Firefox since July 2021 and Safari since March 2023.
---
 .../java/app/attestation/server/AttestationServer.java | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/main/java/app/attestation/server/AttestationServer.java b/src/main/java/app/attestation/server/AttestationServer.java
index d704bf7b..52f54730 100644
--- a/src/main/java/app/attestation/server/AttestationServer.java
+++ b/src/main/java/app/attestation/server/AttestationServer.java
@@ -360,16 +360,14 @@ public void checkRequestHeaders(final HttpExchange exchange) throws GeneralSecur
 if (!"application/json".equals(getRequestHeaderValue(exchange, "Content-Type"))) {
 throw new GeneralSecurityException();
 }
- final String fetchMode = getRequestHeaderValue(exchange, "Sec-Fetch-Mode");
- if (fetchMode != null && !fetchMode.equals("same-origin")) {
+ if (!"same-origin".equals(getRequestHeaderValue(exchange, "Sec-Fetch-Mode"))) {
 throw new GeneralSecurityException();
 }
- final String fetchSite = getRequestHeaderValue(exchange, "Sec-Fetch-Site");
- if (fetchSite != null && !fetchSite.equals("same-origin")) {
+ if (!"same-origin".equals(getRequestHeaderValue(exchange, "Sec-Fetch-Site"))) {
 throw new GeneralSecurityException();
 }
- final String fetchDest = getRequestHeaderValue(exchange, "Sec-Fetch-Dest");
- if (fetchDest != null && !fetchDest.equals("empty")) {
+ final String fetchDest = ;
+ if (!"empty".equals(getRequestHeaderValue(exchange, "Sec-Fetch-Dest"))) {
 throw new GeneralSecurityException();
 }
 }
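Review bot: The added line `final String fetchDest = ;` in the Sec-Fetch-Dest block has no initializer and will not compile; it reads as a leftover of the removed local, since the `if` on the next line already reads the header inline exactly like the Sec-Fetch-Mode and Sec-Fetch-Site checks above it. Delete that line so the three checks are uniform and the file builds. Because an absent header now fails with the same `GeneralSecurityException` as a mismatched one, a short comment above the Sec-Fetch-Mode check would spare the next reader a trip to the commit log, e.g. `// Fetch metadata headers are mandatory: a missing header is rejected like a mismatch (all major browsers send them since 2023).` The enclosing method checkRequestHeaders begins before this hunk, so the Content-Type check shown here is not necessarily the first one it performs.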