package org.apache.wicket.protocol.http;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.wicket.protocol.http.IResourceIsolationPolicy;
import org.apache.wicket.request.component.IRequestablePage;
import org.apache.wicket.util.string.Strings;

/* loaded from: input_file:WEB-INF/lib/wicket-core-10.0.0-M1.jar:org/apache/wicket/protocol/http/FetchMetadataResourceIsolationPolicy.class */
/**
 * Resource isolation policy that classifies a request from the Fetch Metadata request headers
 * ({@code sec-fetch-site}, {@code sec-fetch-mode}, {@code sec-fetch-dest}).
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>{@code sec-fetch-site} missing or empty: {@code UNKNOWN}.</li>
 *   <li>{@code sec-fetch-site} is {@code same-origin}, {@code same-site} or {@code none}:
 *       {@code ALLOWED}.</li>
 *   <li>Any other value: {@code ALLOWED} only if {@link #isAllowedTopLevelNavigation} accepts
 *       the request, otherwise {@code DISALLOWED}.</li>
 * </ol>
 *
 * <p>The headers are supplied by the client. Browsers that implement Fetch Metadata set them
 * themselves and do not let page script override {@code Sec-}-prefixed headers, so the policy is
 * meaningful against cross-site requests issued through a user's browser. A non-browser client
 * can send any values, so this is not an authentication or authorization control.
 */
public class FetchMetadataResourceIsolationPolicy implements IResourceIsolationPolicy {
    // Request header names (lower-case; lookup goes through HttpServletRequest#getHeader).
    public static final String SEC_FETCH_SITE_HEADER = "sec-fetch-site";
    public static final String SEC_FETCH_MODE_HEADER = "sec-fetch-mode";
    public static final String SEC_FETCH_DEST_HEADER = "sec-fetch-dest";

    // Header values. CROSS_SITE, CORS, DEST_SCRIPT and DEST_IMAGE are not referenced inside this
    // class; they are public and may be used elsewhere.
    public static final String SAME_ORIGIN = "same-origin";
    public static final String SAME_SITE = "same-site";
    public static final String NONE = "none";
    public static final String MODE_NAVIGATE = "navigate";
    public static final String DEST_OBJECT = "object";
    public static final String DEST_EMBED = "embed";
    public static final String CROSS_SITE = "cross-site";
    public static final String CORS = "cors";
    public static final String DEST_SCRIPT = "script";
    public static final String DEST_IMAGE = "image";

    // Response header written by setHeaders().
    public static final String VARY_HEADER = "Vary";
    private static final String VARY_HEADER_VALUE = "sec-fetch-dest, sec-fetch-site, sec-fetch-mode";

    /**
     * Classifies the request from its {@code sec-fetch-site} header.
     *
     * @param httpServletRequest the incoming request whose Fetch Metadata headers are inspected
     * @param iRequestablePage the targeted page; not consulted by this policy
     * @return {@code UNKNOWN} when the header is absent or empty, {@code ALLOWED} for
     *         same-origin, same-site and {@code none} requests and for accepted navigations,
     *         {@code DISALLOWED} otherwise
     */
    @Override
    public IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed(HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage) {
        final String fetchSite = httpServletRequest.getHeader(SEC_FETCH_SITE_HEADER);

        // No Fetch Metadata available: this policy makes no decision. How UNKNOWN is handled
        // (e.g. a fallback policy) is up to the caller and not visible in this class.
        if (Strings.isEmpty(fetchSite)) {
            return IResourceIsolationPolicy.ResourceIsolationOutcome.UNKNOWN;
        }

        // Same-origin, same-site and "none" requests are accepted outright. Note that
        // "same-site" also covers sibling origins under the same registrable domain.
        final boolean trustedInitiator = SAME_ORIGIN.equals(fetchSite)
            || SAME_SITE.equals(fetchSite)
            || NONE.equals(fetchSite);
        if (trustedInitiator) {
            return IResourceIsolationPolicy.ResourceIsolationOutcome.ALLOWED;
        }

        // Everything else (including unrecognised values) must qualify as a navigation.
        if (isAllowedTopLevelNavigation(httpServletRequest)) {
            return IResourceIsolationPolicy.ResourceIsolationOutcome.ALLOWED;
        }
        return IResourceIsolationPolicy.ResourceIsolationOutcome.DISALLOWED;
    }

    /**
     * Decides whether a request that is not same-origin/same-site/none may still pass.
     *
     * <p>Accepted when the mode is {@code navigate} <em>or</em> the HTTP method is {@code GET},
     * and the destination is neither {@code embed} nor {@code object}.
     *
     * <p>NOTE(review): because the first condition is an OR, a cross-site request with
     * {@code sec-fetch-mode: navigate} passes regardless of HTTP method, and a cross-site
     * {@code GET} passes regardless of mode. The commonly published Fetch Metadata resource
     * isolation policy requires navigate AND GET together. Confirm the looser check is
     * intended; state-changing handlers should not rely on this policy as their only
     * cross-site request defence.
     *
     * @param httpServletRequest the request to inspect
     * @return {@code true} if the request is accepted as a navigation
     */
    private boolean isAllowedTopLevelNavigation(HttpServletRequest httpServletRequest) {
        final String fetchMode = httpServletRequest.getHeader(SEC_FETCH_MODE_HEADER);
        final String fetchDest = httpServletRequest.getHeader(SEC_FETCH_DEST_HEADER);

        // Neither a navigation nor a GET: reject. getMethod() is consulted only when the
        // mode is not "navigate".
        if (!MODE_NAVIGATE.equals(fetchMode) && !"GET".equals(httpServletRequest.getMethod())) {
            return false;
        }

        // <embed> and <object> destinations are rejected.
        return !(DEST_EMBED.equals(fetchDest) || DEST_OBJECT.equals(fetchDest));
    }

    /**
     * Adds a {@code Vary} header naming the three Fetch Metadata request headers, so that
     * caches honouring {@code Vary} keep responses for different header values apart.
     * {@code addHeader} appends and does not replace an existing {@code Vary} value.
     *
     * @param httpServletResponse the response to decorate
     */
    @Override
    public void setHeaders(HttpServletResponse httpServletResponse) {
        httpServletResponse.addHeader(VARY_HEADER, VARY_HEADER_VALUE);
    }
}
