@@ -92,6 +92,8 @@ public class AttestationServer {
9292 private static final long SESSION_LENGTH = 48 * 60 * 60 * 1000 ;
9393 private static final int HISTORY_PER_PAGE = 20 ;
9494
95+ private static final String ORIGIN = "https://attestation.app" ;
96+
9597 private static final Logger logger = Logger .getLogger (AttestationServer .class .getName ());
9698
9799 // This should be moved to a table in the database so that it can be modified dynamically
@@ -388,6 +390,17 @@ public static void main(final String[] args) throws Exception {
388390 private abstract static class PostHandler implements HttpHandler {
389391 protected abstract void handlePost (final HttpExchange exchange ) throws IOException , SQLiteException ;
390392
393+ public void checkOrigin (final HttpExchange exchange ) throws GeneralSecurityException {
394+ final List <String > origin = exchange .getRequestHeaders ().get ("Origin" );
395+ if (origin != null && !origin .get (0 ).equals (ORIGIN )) {
396+ throw new GeneralSecurityException ();
397+ }
398+ final List <String > fetchSite = exchange .getRequestHeaders ().get ("Sec-Fetch-Site" );
399+ if (fetchSite != null && !fetchSite .get (0 ).equals ("same-origin" )) {
400+ throw new GeneralSecurityException ();
401+ }
402+ }
403+
391404 @ Override
392405 public final void handle (final HttpExchange exchange ) throws IOException {
393406 try {
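Review bot: checkOrigin only rejects when a header is present and mismatched, so a POST that carries neither `Origin` nor `Sec-Fetch-Site` passes — this presumably relies on browsers always attaching `Origin` to cross-site POSTs while non-browser clients send neither, but the new code does not say so. Add a comment above the method, `// Reject browser-originated cross-site POSTs (CSRF). Requests without Origin/Sec-Fetch-Site are assumed to come from non-browser clients and are allowed through.` Since PostHandler is a private nested class, `public` on checkOrigin is wider than needed; `protected void checkOrigin(final HttpExchange exchange) throws GeneralSecurityException {` matches handlePost on the line above. The two `throw new GeneralSecurityException();` lines carry no message; `throw new GeneralSecurityException("unexpected Origin: " + origin.get(0));` (and likewise for fetchSite) makes the 403 branch in the handle hunk below diagnosable if it is ever logged. The enclosing handle method continues outside this hunk.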
@@ -396,6 +409,12 @@ public final void handle(final HttpExchange exchange) throws IOException {
396409 exchange .sendResponseHeaders (405 , -1 );
397410 return ;
398411 }
412+ try {
413+ checkOrigin (exchange );
414+ } catch (final GeneralSecurityException e ) {
415+ exchange .sendResponseHeaders (403 , -1 );
416+ return ;
417+ }
399418 handlePost (exchange );
400419 } catch (final Exception e ) {
401420 logger .log (Level .SEVERE , "unhandled error handling request" , e );
@@ -406,6 +425,13 @@ public final void handle(final HttpExchange exchange) throws IOException {
406425 }
407426 }
408427
428+ private abstract static class AppPostHandler extends PostHandler {
429+ protected abstract void handlePost (final HttpExchange exchange ) throws IOException , SQLiteException ;
430+
431+ @ Override
432+ public void checkOrigin (final HttpExchange exchange ) {}
433+ }
434+
409435 private static final SecureRandom random = new SecureRandom ();
410436
411437 private static byte [] generateRandomToken () {
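Review bot: The no-op `checkOrigin` override in AppPostHandler switches the origin check off for every subclass (ChallengeHandler, VerifyHandler, SubmitHandler in the later hunks) without recording why, which is the kind of exemption a later reader will want justified. Add a Javadoc on the class, `/** PostHandler for endpoints used by the app rather than the web UI; the browser origin check is skipped because these requests do not come from the site's own pages. */`, adjusting the reason if the intent differs — I am inferring it from the "App" prefix. The re-declaration of `protected abstract void handlePost(...)` is redundant, since the abstract method is already inherited from PostHandler, and can be dropped. If the override stays `public` it must match the base method's visibility, so narrowing the base to `protected` (suggested in the earlier hunk) would require changing this line too.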
@@ -1248,7 +1274,7 @@ private static void writeAttestationHistoryJson(final HttpExchange exchange, fin
12481274 }
12491275 }
12501276
1251- private static class ChallengeHandler extends PostHandler {
1277+ private static class ChallengeHandler extends AppPostHandler {
12521278 @ Override
12531279 public void handlePost (final HttpExchange exchange ) throws IOException {
12541280 final byte [] challenge = AttestationProtocol .getChallenge ();
@@ -1265,7 +1291,7 @@ public void handlePost(final HttpExchange exchange) throws IOException {
12651291 }
12661292 }
12671293
1268- private static class VerifyHandler extends PostHandler {
1294+ private static class VerifyHandler extends AppPostHandler {
12691295 @ Override
12701296 public void handlePost (final HttpExchange exchange ) throws IOException , SQLiteException {
12711297 final List <String > authorization = exchange .getRequestHeaders ().get ("Authorization" );
@@ -1347,7 +1373,7 @@ public void handlePost(final HttpExchange exchange) throws IOException, SQLiteEx
13471373 }
13481374 }
13491375
1350- private static class SubmitHandler extends PostHandler {
1376+ private static class SubmitHandler extends AppPostHandler {
13511377 @ Override
13521378 public void handlePost (final HttpExchange exchange ) throws IOException , SQLiteException {
13531379 final InputStream input = exchange .getRequestBody ();