防盗链增加”同时检查Origin选项“

internal/nodes/http_request_referers.go

@@ -15,6 +15,13 @@ func (this *HTTPRequest) doCheckReferers() (shouldStop bool) {
 	const cacheSeconds = "3600" // 时间不能过长，防止修改设置后长期无法生效
 
 	var refererURL = this.RawReq.Header.Get("Referer")
+	if len(refererURL) == 0 && this.web.Referers.CheckOrigin {
+		var origin = this.RawReq.Header.Get("Origin")
+		if len(origin) > 0 && origin != "null" {
+			refererURL = "https://" + origin // 因为Origin都只有域名部分，所以为了下面的URL 分析需要加上https://
+		}
+	}
+
 	if len(refererURL) == 0 {
 		if this.web.Referers.MatchDomain(this.ReqHost, "") {
 			return

internal/waf/checkpoints/request_referer_block.go

@@ -18,7 +18,14 @@ type RequestRefererBlockCheckpoint struct {
 // RequestValue 计算checkpoint值
 // 选项：allowEmpty, allowSameDomain, allowDomains
 func (this *RequestRefererBlockCheckpoint) RequestValue(req requests.Request, param string, options maps.Map, ruleId int64) (value interface{}, hasRequestBody bool, sysErr error, userErr error) {
+	var checkOrigin = options.GetBool("checkOrigin")
 	var referer = req.WAFRaw().Referer()
+	if len(referer) == 0 && checkOrigin {
+		var origin = req.WAFRaw().Header.Get("Origin")
+		if len(origin) > 0 && origin != "null" {
+			referer = "https://" + origin // 因为Origin都只有域名部分，所以为了下面的URL 分析需要加上https://
+		}
+	}
 
 	if len(referer) == 0 {
 		if options.GetBool("allowEmpty") {