added Request::isFrom()

dg · dg · commit 917c6c4f0f57 · 2025-12-29T01:46:19.000+01:00
diff --git a/src/Http/IRequest.php b/src/Http/IRequest.php
@@ -14,6 +14,7 @@
  * HTTP request provides access scheme for request sent via HTTP.
  * @method UrlImmutable|null getReferer() Returns referrer.
  * @method bool isSameSite() Is the request sent from the same origin?
+ * @method bool isFrom(string|array|null $site = null, string|array|null $initiator = null)
  */
 interface IRequest
 {
diff --git a/src/Http/Request.php b/src/Http/Request.php
@@ -10,7 +10,7 @@
 namespace Nette\Http;
 
 use Nette;
-use function array_change_key_case, base64_decode, count, explode, func_num_args, gethostbyaddr, implode, preg_match, preg_match_all, rsort, strcasecmp, strtolower, strtr;
+use function array_change_key_case, base64_decode, count, explode, func_num_args, gethostbyaddr, implode, in_array, preg_match, preg_match_all, rsort, strcasecmp, strtr;
 use const CASE_LOWER;
 
 
@@ -230,6 +230,27 @@ public function isSameSite(): bool
 	}
 
 
+	/**
+	 * Checks whether Sec-Fetch headers match the expected values.
+	 */
+	public function isFrom(string|array|null $site = null, string|array|null $initiator = null): bool
+	{
+		$actualSite = $this->headers['sec-fetch-site'] ?? null;
+		$actualDest = $this->headers['sec-fetch-dest'] ?? null;
+
+		if ($actualSite === null && ($origin = $this->getOrigin())) { // fallback for Safari < 16.4
+			$actualSite = strcasecmp($origin->getScheme(), $this->url->getScheme()) === 0
+					&& strcasecmp(rtrim($origin->getHost(), '.'), rtrim($this->url->getHost(), '.')) === 0
+					&& $origin->getPort() === $this->url->getPort()
+				? 'same-origin'
+				: 'cross-site';
+		}
+
+		return ($site === null || ($actualSite !== null && in_array($actualSite, (array) $site, strict: true)))
+			&& ($initiator === null || ($actualDest !== null && in_array($actualDest, (array) $initiator, strict: true)));
+	}
+
+
 	/**
 	 * Is it an AJAX request?
 	 */
diff --git a/tests/Http/Request.isFrom.phpt b/tests/Http/Request.isFrom.phpt
@@ -0,0 +1,98 @@
+<?php
+
+declare(strict_types=1);
+
+use Nette\Http;
+use Tester\Assert;
+
+require __DIR__ . '/../bootstrap.php';
+
+
+test('matches both headers', function () {
+	$request = new Http\Request(new Http\UrlScript, headers: [
+		'Sec-Fetch-Site' => 'same-origin',
+		'Sec-Fetch-Dest' => 'document',
+	]);
+
+	Assert::true($request->isFrom('same-origin', 'document'));
+});
+
+
+test('fails when expected header missing', function () {
+	$request = new Http\Request(new Http\UrlScript, headers: [
+		'Sec-Fetch-Site' => 'same-origin',
+	]);
+
+	Assert::false($request->isFrom('same-origin', 'document'));
+});
+
+
+test('accepts multiple expected values', function () {
+	$request = new Http\Request(new Http\UrlScript, headers: [
+		'Sec-Fetch-Site' => 'cross-site',
+		'Sec-Fetch-Dest' => 'image',
+	]);
+
+	Assert::true($request->isFrom(['same-origin', 'cross-site'], ['document', 'image']));
+	Assert::false($request->isFrom(['cross-site'], ['Document']));
+	Assert::false($request->isFrom(['Cross-Site'], ['image']));
+});
+
+
+test('fallback same-origin from Origin header', function () {
+	$url = new Http\UrlScript('https://nette.org/app/');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'https://nette.org',
+	]);
+
+	Assert::true($request->isFrom('same-origin'));
+});
+
+
+test('fallback cross-site from Origin header', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'https://example.com',
+	]);
+
+	Assert::true($request->isFrom('cross-site'));
+});
+
+
+test('fallback missing without Origin header', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url);
+
+	Assert::false($request->isFrom('same-origin'));
+});
+
+
+test('fallback not used when header present', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url, headers: [
+		'Sec-Fetch-Site' => 'none',
+		'Origin' => 'https://nette.org',
+	]);
+
+	Assert::false($request->isFrom('same-origin'));
+});
+
+
+test('fallback cross-site when port differs', function () {
+	$url = new Http\UrlScript('https://nette.org:443');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'https://nette.org:444',
+	]);
+
+	Assert::true($request->isFrom('cross-site'));
+});
+
+
+test('fallback ignored for invalid Origin', function () {
+	$url = new Http\UrlScript('https://nette.org/');
+	$request = new Http\Request($url, headers: [
+		'Origin' => 'null',
+	]);
+
+	Assert::false($request->isFrom('same-origin'));
+});

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@`
`14`	`14`	`* HTTP request provides access scheme for request sent via HTTP.`
`15`	`15`	`* @method UrlImmutable\|null getReferer() Returns referrer.`
`16`	`16`	`* @method bool isSameSite() Is the request sent from the same origin?`
	`17`	`+ * @method bool isFrom(string\|array\|null $site = null, string\|array\|null $initiator = null)`
`17`	`18`	`*/`
`18`	`19`	`interface IRequest`
`19`	`20`	`{`