server: remove sec header filter

cmd/gomuks/main.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 
+	"go.mau.fi/util/exhttp"
 	flag "maunium.net/go/mauflag"
 
 	"go.mau.fi/gomuks/pkg/gomuks"
@@ -33,6 +34,7 @@ var wantVersion = flag.MakeFull("v", "version", "View gomuks version and quit.",
 
 func main() {
 	hicli.InitialDeviceDisplayName = "gomuks web"
+	exhttp.AutoAllowCORS = false
 	flag.SetHelpTitles(
 		"gomuks - A Matrix client written in Go.",
 		"gomuks [-hv]",

desktop/go.mod

@@ -6,7 +6,10 @@ toolchain go1.23.3
 
 require github.com/wailsapp/wails/v3 v3.0.0-alpha.7
 
-require go.mau.fi/gomuks v0.3.1
+require (
+	go.mau.fi/gomuks v0.3.1
+	go.mau.fi/util v0.8.3-0.20241207221539-07bba6a0c5eb
+)
 
 require (
 	dario.cat/mergo v1.0.0 // indirect
@@ -59,7 +62,6 @@ require (
 	github.com/wailsapp/mimetype v1.4.1 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/yuin/goldmark v1.7.8 // indirect
-	go.mau.fi/util v0.8.2 // indirect
 	go.mau.fi/zeroconfig v0.1.3 // indirect
 	golang.org/x/crypto v0.29.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect

desktop/go.sum

@@ -160,8 +160,8 @@ github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.7.8 h1:iERMLn0/QJeHFhxSt3p6PeN9mGnvIKSpG9YYorDMnic=
 github.com/yuin/goldmark v1.7.8/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
-go.mau.fi/util v0.8.2 h1:zWbVHwdRKwI6U9AusmZ8bwgcLosikwbb4GGqLrNr1YE=
-go.mau.fi/util v0.8.2/go.mod h1:BHHC9R2WLMJd1bwTZfTcFxUgRFmUgUmiWcT4RbzUgiA=
+go.mau.fi/util v0.8.3-0.20241207221539-07bba6a0c5eb h1:/iKi+4aRvd8LZJ3z1UQjxmFdDVfJuDWClc/4MToWnSY=
+go.mau.fi/util v0.8.3-0.20241207221539-07bba6a0c5eb/go.mod h1:BHHC9R2WLMJd1bwTZfTcFxUgRFmUgUmiWcT4RbzUgiA=
 go.mau.fi/zeroconfig v0.1.3 h1:As9wYDKmktjmNZW5i1vn8zvJlmGKHeVxHVIBMXsm4kM=
 go.mau.fi/zeroconfig v0.1.3/go.mod h1:NcSJkf180JT+1IId76PcMuLTNa1CzsFFZ0nBygIQM70=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

desktop/main.go

@@ -26,6 +26,7 @@ import (
 	"runtime"
 
 	"github.com/wailsapp/wails/v3/pkg/application"
+	"go.mau.fi/util/exhttp"
 
 	"go.mau.fi/gomuks/pkg/gomuks"
 	"go.mau.fi/gomuks/pkg/hicli"
@@ -100,6 +101,7 @@ func main() {
 	gmx.LinkifiedVersion = version.LinkifiedVersion
 	gmx.BuildTime = version.ParsedBuildTime
 	gmx.DisableAuth = true
+	exhttp.AutoAllowCORS = false
 	hicli.InitialDeviceDisplayName = "gomuks desktop"
 
 	gmx.InitDirectories()

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/tidwall/gjson v1.18.0
 	github.com/tidwall/sjson v1.2.5
 	github.com/yuin/goldmark v1.7.8
-	go.mau.fi/util v0.8.2
+	go.mau.fi/util v0.8.3-0.20241207221539-07bba6a0c5eb
 	go.mau.fi/zeroconfig v0.1.3
 	golang.org/x/crypto v0.29.0
 	golang.org/x/image v0.22.0

go.sum

@@ -63,8 +63,8 @@ github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/yuin/goldmark v1.7.8 h1:iERMLn0/QJeHFhxSt3p6PeN9mGnvIKSpG9YYorDMnic=
 github.com/yuin/goldmark v1.7.8/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
-go.mau.fi/util v0.8.2 h1:zWbVHwdRKwI6U9AusmZ8bwgcLosikwbb4GGqLrNr1YE=
-go.mau.fi/util v0.8.2/go.mod h1:BHHC9R2WLMJd1bwTZfTcFxUgRFmUgUmiWcT4RbzUgiA=
+go.mau.fi/util v0.8.3-0.20241207221539-07bba6a0c5eb h1:/iKi+4aRvd8LZJ3z1UQjxmFdDVfJuDWClc/4MToWnSY=
+go.mau.fi/util v0.8.3-0.20241207221539-07bba6a0c5eb/go.mod h1:BHHC9R2WLMJd1bwTZfTcFxUgRFmUgUmiWcT4RbzUgiA=
 go.mau.fi/zeroconfig v0.1.3 h1:As9wYDKmktjmNZW5i1vn8zvJlmGKHeVxHVIBMXsm4kM=
 go.mau.fi/zeroconfig v0.1.3/go.mod h1:NcSJkf180JT+1IId76PcMuLTNa1CzsFFZ0nBygIQM70=
 golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=

pkg/gomuks/server.go

@@ -249,12 +249,6 @@ func (gmx *Gomuks) Authenticate(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-func isUserFetch(header http.Header) bool {
-	return header.Get("Sec-Fetch-Mode") == "navigate" &&
-		header.Get("Sec-Fetch-Dest") == "document" &&
-		header.Get("Sec-Fetch-User") == "?1"
-}
-
 func isImageFetch(header http.Header) bool {
 	return header.Get("Sec-Fetch-Site") == "cross-site" &&
 		header.Get("Sec-Fetch-Mode") == "no-cors" &&
@@ -269,17 +263,6 @@ func (gmx *Gomuks) AuthMiddleware(next http.Handler) http.Handler {
 			r.URL.Query().Get("encrypted") == "false" {
 			next.ServeHTTP(w, r)
 			return
-		} else if r.Header.Get("Sec-Fetch-Site") != "" &&
-			r.Header.Get("Sec-Fetch-Site") != "same-origin" &&
-			!isUserFetch(r.Header) {
-			hlog.FromRequest(r).Debug().
-				Str("site", r.Header.Get("Sec-Fetch-Site")).
-				Str("dest", r.Header.Get("Sec-Fetch-Dest")).
-				Str("mode", r.Header.Get("Sec-Fetch-Mode")).
-				Str("user", r.Header.Get("Sec-Fetch-User")).
-				Msg("Invalid Sec-Fetch-Site header")
-			ErrInvalidHeader.WithMessage("Invalid Sec-Fetch-Site header").Write(w)
-			return
 		}
 		if r.URL.Path != "/auth" {
 			authCookie, err := r.Cookie("gomuks_auth")