From 60a141219f686a9f1311b641c63db1de4258e95b Mon Sep 17 00:00:00 2001
From: Dom Eales
Date: Tue, 18 Jun 2019 20:16:30 +1000
Subject: [PATCH] Added option to check that request comes from same origin

---
 proxy.php | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/proxy.php b/proxy.php
index a778efc..e5a4b1f 100644
--- a/proxy.php
+++ b/proxy.php
@@ -16,6 +16,12 @@
 * along with this program. If not, see .
 */
+/**
+ * Enables or disables checking that HTTP_REFERRER and HTTP_HOST have the same hostname.
+ * Recommended value: false for public CORS proxy, true for private CORS proxy
+ */
+define('CSAJAX_SAME_ORIGIN_ONLY', false);
+
 /**
 * Enables or disables filtering for cross domain requests.
 * Recommended value: true
@@ -61,6 +67,24 @@
 /* * * STOP EDITING HERE UNLESS YOU KNOW WHAT YOU ARE DOING * * */
+// check for same origin
+if (CSAJAX_SAME_ORIGIN_ONLY) {
+ if (isset($_SERVER['HTTP_REFERER']) && isset($_SERVER['HTTP_HOST']) && isset($_SERVER['REQUEST_SCHEME'])) {
+ $p_referrer_url = parse_url($_SERVER['HTTP_REFERER']);
+ if ($p_referrer_url['host'] != $_SERVER['HTTP_HOST']) {
+ csajax_debug_message('Referrer hostname is not same origin');
+ exit;
+ }
+ if ($p_referrer_url['scheme'] != $_SERVER['REQUEST_SCHEME']) {
+ csajax_debug_message('Referrer hostname is same origin, not same scheme');
+ exit;
+ }
+ } else {
+ csajax_debug_message('Cannot verify same origin without HTTP_REFERER, HTTP_HOST, REQUEST_SCHEME');
+ exit;
+ }
+}
+
 // identify request headers
 $request_headers = array( );
 foreach ($_SERVER as $key => $value) {
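Review bot: The same-origin gate in the second hunk compares two client-supplied headers, `HTTP_REFERER` and `HTTP_HOST`, so any non-browser client can send a matching pair and pass; it only restricts browser-originated cross-site use, and the option's docblock in the first hunk (which also spells the key `HTTP_REFERRER` where the actual `$_SERVER` key is `HTTP_REFERER`) should state that limitation rather than presenting the flag as what makes a proxy "private". The check also fails on ordinary input: `parse_url()` returns `false` for a malformed Referer and the following `['host']` index then misbehaves, `HTTP_HOST` may include a port while `parse_url()`'s `host` never does (so a private proxy on a non-default port rejects every request), and `REQUEST_SCHEME` is not populated by every SAPI or reverse-proxy setup, which sends the `else` branch into an unconditional `exit`. I would read `Origin` first (it is sent on every CORS request), fall back to `Referer`, validate the parsed result, derive the scheme from `HTTPS` when `REQUEST_SCHEME` is absent, and compare host, port and scheme case-insensitively, as below. Comparing against a configured expected hostname instead of `HTTP_HOST` would close the header-spoofing gap further, but that is a design choice this commit does not make.

```php
// check for same origin
if (CSAJAX_SAME_ORIGIN_ONLY) {
    // Origin is sent on every CORS request; Referer is the fallback. Both are
    // client-supplied, so this limits browser cross-site use, not direct requests.
    $source = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN']
            : (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : null);
    $p_source = ($source !== null) ? parse_url($source) : false;
    if ($p_source === false || !isset($p_source['host'], $p_source['scheme']) || !isset($_SERVER['HTTP_HOST'])) {
        csajax_debug_message('Cannot verify same origin without Origin/Referer and HTTP_HOST');
        exit;
    }
    // HTTP_HOST may carry "host:port"; parse_url()'s host never does, so split it the same way.
    $p_self = parse_url('//' . $_SERVER['HTTP_HOST']);
    if ($p_self === false || !isset($p_self['host'])) {
        csajax_debug_message('Cannot parse HTTP_HOST');
        exit;
    }
    $self_scheme = isset($_SERVER['REQUEST_SCHEME']) ? $_SERVER['REQUEST_SCHEME']
                 : ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http');
    $source_port = isset($p_source['port']) ? (int) $p_source['port'] : null;
    $self_port   = isset($p_self['port'])   ? (int) $p_self['port']   : null;
    if (strcasecmp($p_source['host'], $p_self['host']) !== 0
        || $source_port !== $self_port
        || strcasecmp($p_source['scheme'], $self_scheme) !== 0) {
        csajax_debug_message('Request is not same origin');
        exit;
    }
}
// … unchanged: request header identification …
```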