Presenter: signal must be sent from the same origin unless they have …

…annotation @crossorigin (BC break) Experimental
nette · Feb 13, 2019 · e6c5c4f · e6c5c4f
1 parent 86b92fe
commit e6c5c4f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/src/Application/UI/Component.php b/src/Application/UI/Component.php
@@ -104,6 +104,14 @@ protected function tryCall(string $method, array $params): bool
 	 */
 	public function checkRequirements($element): void
 	{
+		if (
+			$element instanceof \ReflectionMethod
+			&& substr($element->getName(), 0, 6) === 'handle'
+			&& !ComponentReflection::parseAnnotation($element, 'crossOrigin')
+			&& !$this->getPresenter()->getHttpRequest()->isSameSite()
+		) {
+			throw new Nette\Application\ForbiddenRequestException('The signal was not sent from the same domain. It can be allowed using @crossOrigin annotation.');
+		}
 	}
 
 

diff --git a/src/Application/UI/Presenter.php b/src/Application/UI/Presenter.php
@@ -299,6 +299,7 @@ protected function shutdown(Application\IResponse $response)
 	 */
 	public function checkRequirements($element): void
 	{
+		parent::checkRequirements($element);
 		$user = (array) ComponentReflection::parseAnnotation($element, 'User');
 		if (in_array('loggedIn', $user, true)) {
 			trigger_error(__METHOD__ . '() annotation @User is deprecated', E_USER_DEPRECATED);