Presenter: signal must be sent from the same origin unless they have annotation @crossorigin (BC break)

dg · dg · commit 7d02982cc963 · 2019-02-11T14:02:58.000+01:00
Experimental
diff --git a/src/Application/UI/Component.php b/src/Application/UI/Component.php
@@ -104,6 +104,14 @@ protected function tryCall(string $method, array $params): bool
 	 */
 	public function checkRequirements($element): void
 	{
+		if (
+			$element instanceof \ReflectionMethod
+			&& substr($element->getName(), 0, 6) === 'handle'
+			&& !ComponentReflection::parseAnnotation($element, 'crossOrigin')
+			&& !$this->getPresenter()->getHttpRequest()->isSameSite()
+		) {
+			throw new Nette\Application\ForbiddenRequestException('The signal was not sent from the same domain. It can be allowed using @crossOrigin annotation.');
+		}
 	}
 
 
diff --git a/src/Application/UI/Presenter.php b/src/Application/UI/Presenter.php
@@ -299,6 +299,7 @@ protected function shutdown(Application\IResponse $response)
 	 */
 	public function checkRequirements($element): void
 	{
+		parent::checkRequirements($element);
 		$user = (array) ComponentReflection::parseAnnotation($element, 'User');
 		if (in_array('loggedIn', $user, true)) {
 			trigger_error(__METHOD__ . '() annotation @User is deprecated', E_USER_DEPRECATED);

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,14 @@ protected function tryCall(string $method, array $params): bool`
`104`	`104`	`*/`
`105`	`105`	`public function checkRequirements($element): void`
`106`	`106`	`{`
	`107`	`+ if (`
	`108`	`+ $element instanceof \ReflectionMethod`
	`109`	`+ && substr($element->getName(), 0, 6) === 'handle'`
	`110`	`+ && !ComponentReflection::parseAnnotation($element, 'crossOrigin')`
	`111`	`+ && !$this->getPresenter()->getHttpRequest()->isSameSite()`
	`112`	`+ ) {`
	`113`	`+ throw new Nette\Application\ForbiddenRequestException('The signal was not sent from the same domain. It can be allowed using @crossOrigin annotation.');`
	`114`	`+ }`
`107`	`115`	`}`
`108`	`116`
`109`	`117`
Original file line number	Diff line number	Diff line change
`@@ -299,6 +299,7 @@ protected function shutdown(Application\IResponse $response)`
`299`	`299`	`*/`
`300`	`300`	`public function checkRequirements($element): void`
`301`	`301`	`{`
	`302`	`+ parent::checkRequirements($element);`
`302`	`303`	`$user = (array) ComponentReflection::parseAnnotation($element, 'User');`
`303`	`304`	`if (in_array('loggedIn', $user, true)) {`
`304`	`305`	`trigger_error(__METHOD__ . '() annotation @User is deprecated', E_USER_DEPRECATED);`