From 2813a9c3309db1962c7a37857d17dea520d83d07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Aleksandrovi=C4=8D=20Klimov?=
Date: Wed, 2 Jul 2025 10:48:30 +0200
Subject: [PATCH] CsrfCounterMeasure: accept Sec-Fetch-Site header, if available, instead of token

This is especially useful if the session and token change suddenly, e.g. due to mod_auth_openidc.
---
 src/Common/CsrfCounterMeasure.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/Common/CsrfCounterMeasure.php b/src/Common/CsrfCounterMeasure.php
index ae2dace23..9082b5350 100644
--- a/src/Common/CsrfCounterMeasure.php
+++ b/src/Common/CsrfCounterMeasure.php
@@ -26,6 +26,12 @@ protected function createCsrfCounterMeasure($uniqueId)
 'ignore' => true,
 'required' => true,
 'validators' => ['Callback' => function ($token) use ($uniqueId, $hashAlgo) {
+ switch ($_SERVER['HTTP_SEC_FETCH_SITE'] ?? '') {
+ case 'same-origin': // same scheme, host and port
+ case 'none': // a user-originated operation
+ return true;
+ }
+
 if (empty($token) || strpos($token, '|') === false) {
 throw new Error('Invalid CSRF token provided');
 }
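Review bot: The early `return true` at the top of the Callback validator replaces the token check with trust in a request header, and nothing in the hunk records why that header is trustworthy; a comment above the `switch` should state the assumption, e.g. `// Sec-Fetch-* are forbidden header names: page script cannot set them, and nothing in front of PHP (reverse proxy, auth module) must inject or rewrite them`, so a deployment that manipulates headers does not silently turn the token check off. The deliberate omission of `same-site` (which would also admit sibling subdomains) deserves a one-line comment as well, or a later cleanup may "complete" the list. Since `switch` compares loosely and both accepted values are plain strings, the strict single-expression form `if (in_array($_SERVER['HTTP_SEC_FETCH_SITE'] ?? '', ['same-origin', 'none'], true)) { return true; }` reads closer to the intent. The enclosing closure and createCsrfCounterMeasure continue outside the hunk.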