Form: POST form checks Http\Request::isSameSite() as CSRF protection

Author: dg

composer.json

@@ -17,7 +17,7 @@
 	"require": {
 		"php": ">=7.2 <8.1",
 		"nette/component-model": "^3.0",
-		"nette/http": "^3.0",
+		"nette/http": "^3.1",
 		"nette/utils": "^3.2"
 	},
 	"require-dev": {

src/Forms/Form.php

@@ -96,6 +96,9 @@ class Form extends Container implements Nette\HtmlStringable
 	/** @internal @var Nette\Http\IRequest  used only by standalone form */
 	public $httpRequest;
 
+	/** @var bool */
+	protected $crossOrigin = false;
+
 	/** @var mixed or null meaning: not detected yet */
 	private $submittedBy;
 
@@ -214,6 +217,15 @@ public function setHtmlAttribute(string $name, $value = true)
 	}
 
 
+	/**
+	 * Disables CSRF protection using a SameSite cookie.
+	 */
+	public function allowCrossOrigin(): void
+	{
+		$this->crossOrigin = true;
+	}
+
+
 	/**
 	 * Cross-Site Request Forgery (CSRF) form protection.
 	 */
@@ -474,6 +486,9 @@ protected function receiveHttpData(): ?array
 		}
 
 		if ($httpRequest->isMethod('post')) {
+			if (!$this->crossOrigin && !$httpRequest->isSameSite()) {
+				return null;
+			}
 			$data = Nette\Utils\Arrays::mergeTree($httpRequest->getPost(), $httpRequest->getFiles());
 		} else {
 			$data = $httpRequest->getQuery();
@@ -658,6 +673,7 @@ private function getHttpRequest(): Nette\Http\IRequest
 		if (!$this->httpRequest) {
 			$factory = new Nette\Http\RequestFactory;
 			$this->httpRequest = $factory->createHttpRequest();
+			Nette\Http\Helpers::initCookie($this->httpRequest, new Nette\Http\Response);
 		}
 		return $this->httpRequest;
 	}

tests/Forms/Container.values.ArrayHash.phpt

@@ -10,6 +10,7 @@ use Tester\Assert;
 require __DIR__ . '/../bootstrap.php';
 
 
+$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 $_POST = [
 	'title' => 'sent title',
 	'first' => [

tests/Forms/Container.values.array.phpt

@@ -10,6 +10,7 @@ use Tester\Assert;
 require __DIR__ . '/../bootstrap.php';
 
 
+$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 $_POST = [
 	'title' => 'sent title',
 	'first' => [

tests/Forms/Container.values.mapping.phpt

@@ -50,6 +50,7 @@ function hydrate(string $class, array $data)
 }
 
 
+$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 $_POST = [
 	'title' => 'sent title',
 	'first' => [

tests/Forms/Controls.BaseControl.phpt

@@ -126,6 +126,7 @@ test('disabled', function () {
 test('disabled & submitted', function () {
 	$_SERVER['REQUEST_METHOD'] = 'POST';
 	$_POST = ['disabled' => 'submitted value'];
+	$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 
 	$form = new Form;
 	$form->addText('disabled')

tests/Forms/Controls.Button.loadData.phpt

@@ -16,6 +16,7 @@ require __DIR__ . '/../bootstrap.php';
 before(function () {
 	$_SERVER['REQUEST_METHOD'] = 'POST';
 	$_POST = $_FILES = [];
+	$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 });
 
 

tests/Forms/Controls.Checkbox.loadData.phpt

@@ -16,6 +16,7 @@ require __DIR__ . '/../bootstrap.php';
 before(function () {
 	$_SERVER['REQUEST_METHOD'] = 'POST';
 	$_POST = $_FILES = [];
+	$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 });
 
 

tests/Forms/Controls.CheckboxList.loadData.phpt

@@ -18,6 +18,7 @@ require __DIR__ . '/../bootstrap.php';
 before(function () {
 	$_SERVER['REQUEST_METHOD'] = 'POST';
 	$_POST = $_FILES = [];
+	$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 });
 
 

tests/Forms/Controls.ChoiceControl.loadData.phpt

@@ -22,6 +22,7 @@ class ChoiceControl extends Nette\Forms\Controls\ChoiceControl
 before(function () {
 	$_SERVER['REQUEST_METHOD'] = 'POST';
 	$_POST = $_FILES = [];
+	$_COOKIE[Nette\Http\Helpers::STRICT_COOKIE_NAME] = '1';
 });