Merge pull request #71 from geoadmin/fix-BGDIINF_SB-3115-IOS_16_6-403…

…-forbidden BGDIINF_SB-3115: Apparently IOS 16 has a bug
geoadmin · Oct 10, 2023 · 2f1aa6f · 2f1aa6f
2 parents 1e76fc1 + 7d91ee8
commit 2f1aa6f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 14 deletions.
diff --git a/Makefile b/Makefile
@@ -60,7 +60,6 @@ help:
 	@echo "Possible targets:"
 	@echo -e " \033[1mSetup TARGETS\033[0m "
 	@echo "- setup              Create the python virtual environment and activate it"
-	@echo "- dev                Create the python virtual environment with developper tools and activate it"
 	@echo "- ci                 Create the python virtual environment and install requirements based on the Pipfile.lock"
 	@echo -e " \033[1mFORMATING, LINTING AND TESTING TOOLS TARGETS\033[0m "
 	@echo "- format             Format the python source code"
@@ -84,15 +83,9 @@ help:
 
 # Build targets. Calling setup is all that is needed for the local files to be installed as needed.
 
-.PHONY: dev
-dev:
-	pipenv install --dev
-	pipenv shell
-
-
 .PHONY: setup
 setup:
-	pipenv install
+	pipenv install --dev
 	pipenv shell
 
 

diff --git a/app/__init__.py b/app/__init__.py
@@ -81,18 +81,22 @@ def validate_origin():
         logger.error('Origin=%s does not match %s', origin, ALLOWED_DOMAINS_PATTERN)
         abort(403, 'Permission denied')
 
-    if sec_fetch_site is not None:
-        if sec_fetch_site in ['same-origin', 'same-site']:
-            return
-        logger.error('Sec-Fetch-Site=%s is not allowed', sec_fetch_site)
-        abort(403, 'Permission denied')
-
+    # BGDIINF_SB-3115: Apparently IOS 16 has a bug and set Sec-Fetch-Site=cross-site even if the
+    # request is originated (same origin and/or referrer) from the same site ! Therefore to avoid
+    # issue on IOS we first checks the referrer before checking Sec-Fetch-Site even if this not
+    # correct.
     if referrer is not None:
         if is_domain_allowed(referrer):
             return
         logger.error('Referer=%s does not match %s', referrer, ALLOWED_DOMAINS_PATTERN)
         abort(403, 'Permission denied')
 
+    if sec_fetch_site is not None:
+        if sec_fetch_site in ['same-origin', 'same-site']:
+            return
+        logger.error('Sec-Fetch-Site=%s is not allowed', sec_fetch_site)
+        abort(403, 'Permission denied')
+
     logger.error('Referer and/or Origin and/or Sec-Fetch-Site headers not set')
     abort(403, 'Permission denied')