package org.apache.struts2.interceptor;
import org.apache.logging.log4j.util.Strings;
import javax.servlet.http.HttpServletRequest;
/**
*
* Default resource isolation policy used in {@link FetchMetadataInterceptor} that
* implements the {@link ResourceIsolationPolicy} interface. This default policy is based on
* <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>.
*
* @see <a href="https://web.dev/fetch-metadata/">https://web.dev/fetch-metadata/</a>
*
* @author Santiago Diaz - saldiaz@google.com
* @author Giannis Chatziveroglou - giannic@google.com
**/
public final class DefaultResourceIsolationPolicy implements ResourceIsolationPolicy {

    /**
     * Decides whether the request may proceed, using only its Fetch Metadata headers
     * ({@code Sec-Fetch-Site}, {@code Sec-Fetch-Mode}, {@code Sec-Fetch-Dest}) and the HTTP method.
     *
     * <p>Requests without {@code Sec-Fetch-Site}, same-origin/same-site requests and browser-initiated
     * ones ({@code none}) are always accepted. Any other (cross-site) request is accepted only when it
     * looks like a simple top-level navigation that does not target {@code <object>} or {@code <embed>}.
     *
     * @param request the incoming request whose Fetch Metadata headers are inspected; must not be null
     * @return {@code true} if the request passes the policy, {@code false} if it should be rejected
     */
    @Override
    public boolean isRequestAllowed(HttpServletRequest request) {
        String fetchSite = request.getHeader(SEC_FETCH_SITE_HEADER);

        // Clients that do not send Fetch Metadata (older browsers, non-browser clients)
        // carry no signal, so the policy lets them through unchanged.
        if (Strings.isEmpty(fetchSite)) {
            return true;
        }

        // Short-circuit keeps the header lookups in isAllowedTopLevelNavigation
        // to the cross-site case only.
        return isSameSiteOrBrowserInitiated(fetchSite) || isAllowedTopLevelNavigation(request);
    }

    /**
     * Returns {@code true} for the {@code Sec-Fetch-Site} values that do not denote a cross-site
     * caller: {@code same-origin}, {@code same-site} and {@code none} (user-initiated).
     */
    private static boolean isSameSiteOrBrowserInitiated(String fetchSite) {
        return SAME_ORIGIN.equals(fetchSite)
                || SAME_SITE.equals(fetchSite)
                || NONE.equals(fetchSite);
    }

    /**
     * Accepts a cross-site request only when it is a simple top-level navigation and its
     * destination is neither {@code <object>} nor {@code <embed>}.
     *
     * <p>NOTE(review): the web.dev policy cited in the class Javadoc combines
     * {@code mode == navigate} AND {@code method == GET}; here either condition alone suffices,
     * so a cross-site GET with any {@code Sec-Fetch-Mode} is also accepted. Confirm that this
     * relaxation is intended before relying on the policy for CSRF-style isolation.
     *
     * @param request the cross-site request to classify
     * @return {@code true} if the navigation is allowed, {@code false} otherwise
     */
    private boolean isAllowedTopLevelNavigation(HttpServletRequest request) {
        String fetchDest = request.getHeader(SEC_FETCH_DEST_HEADER);

        // <object> / <embed> destinations are rejected regardless of mode or method.
        if (DEST_EMBED.equals(fetchDest) || DEST_OBJECT.equals(fetchDest)) {
            return false;
        }

        String fetchMode = request.getHeader(SEC_FETCH_MODE_HEADER);
        boolean navigates = MODE_NAVIGATE.equals(fetchMode);
        // Method is only consulted when the mode is not a navigation.
        return navigates || "GET".equals(request.getMethod());
    }
}