From 1beafc9976bacbeda69d92fbd68a5e55bec721b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?=
Date: Tue, 2 May 2023 17:06:24 +0800
Subject: [PATCH] =?UTF-8?q?=E9=98=B2=E7=9B=97=E9=93=BE=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E2=80=9D=E5=90=8C=E6=97=B6=E6=A3=80=E6=9F=A5Origin=E9=80=89?= =?UTF-8?q?=E9=A1=B9=E2=80=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/nodes/http_request_referers.go | 7 +++++++
 internal/waf/checkpoints/request_referer_block.go | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/internal/nodes/http_request_referers.go b/internal/nodes/http_request_referers.go
index 32f13ae..cc18c1f 100644
--- a/internal/nodes/http_request_referers.go
+++ b/internal/nodes/http_request_referers.go
@@ -15,6 +15,13 @@ func (this *HTTPRequest) doCheckReferers() (shouldStop bool) {
 const cacheSeconds = "3600" // 时间不能过长,防止修改设置后长期无法生效
 var refererURL = this.RawReq.Header.Get("Referer")
+ if len(refererURL) == 0 && this.web.Referers.CheckOrigin {
+ var origin = this.RawReq.Header.Get("Origin")
+ if len(origin) > 0 && origin != "null" {
+ refererURL = "https://" + origin // 因为Origin都只有域名部分,所以为了下面的URL 分析需要加上https://
+ }
+ }
+
 if len(refererURL) == 0 {
 if this.web.Referers.MatchDomain(this.ReqHost, "") {
 return
diff --git a/internal/waf/checkpoints/request_referer_block.go b/internal/waf/checkpoints/request_referer_block.go
index 44223d4..0e79e4d 100644
--- a/internal/waf/checkpoints/request_referer_block.go
+++ b/internal/waf/checkpoints/request_referer_block.go
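Review bot: The added `refererURL = "https://" + origin` line in doCheckReferers produces a double-scheme value, because an Origin header sent by a browser already carries its scheme (`https://example.com`, `http://example.com:8080`, or the literal `null`), so the assembled string is `https://https://example.com` and whatever host the URL parse below extracts, it is not the origin's domain; the identical line is added to RequestValue in request_referer_block.go. The practical effect is that the new checkOrigin option rejects exactly the requests it was meant to admit (Referer stripped by a Referrer-Policy, Origin still present), which is fail-closed but defeats the feature, and the comment's premise that Origin holds only the domain part is wrong. Prefix only when a scheme is genuinely absent, e.g. `if !strings.Contains(origin, "://") { origin = "https://" + origin }` followed by `refererURL = origin`, and reword the comment to say that Origin normally includes the scheme and the prefix is a fallback for non-browser clients. doCheckReferers continues outside the hunk, so I cannot see whether the parse below tolerates a scheme-less value; the guarded prefix keeps that case covered either way. This assumes `strings` is already imported in both files, which the hunks do not show.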
@@ -18,7 +18,14 @@ type RequestRefererBlockCheckpoint struct {
 // RequestValue 计算checkpoint值
 // 选项:allowEmpty, allowSameDomain, allowDomains
 func (this *RequestRefererBlockCheckpoint) RequestValue(req requests.Request, param string, options maps.Map, ruleId int64) (value interface{}, hasRequestBody bool, sysErr error, userErr error) {
+ var checkOrigin = options.GetBool("checkOrigin")
 var referer = req.WAFRaw().Referer()
+ if len(referer) == 0 && checkOrigin {
+ var origin = req.WAFRaw().Header.Get("Origin")
+ if len(origin) > 0 && origin != "null" {
+ referer = "https://" + origin // 因为Origin都只有域名部分,所以为了下面的URL 分析需要加上https://
+ }
+ }
 if len(referer) == 0 {
 if options.GetBool("allowEmpty") {
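Review bot: The option list in the doc comment above RequestValue, `// 选项:allowEmpty, allowSameDomain, allowDomains`, is not updated for the `checkOrigin` option that the new first line of the body reads via `options.GetBool("checkOrigin")`; change it to `// 选项:allowEmpty, allowSameDomain, allowDomains, checkOrigin` so the rule-option list stays the single place that documents what this checkpoint honours. RequestValue's body continues past the end of the hunk.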