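/*
 * Copyright (C) 2007,2008 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 * its contributors may be used to endorse or promote products derived
 * from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef SecurityOrigin_h
#define SecurityOrigin_h

#include <wtf/HashSet.h>
#include <wtf/RefCounted.h>
#include <wtf/PassRefPtr.h>
#include <wtf/Threading.h>

#include "FrameLoaderTypes.h"
#include "PlatformString.h"
#include "StringHash.h"

namespace WebCore {

// Scheme names are compared case-insensitively.
typedef HashSet<String, CaseFoldingHash> URLSchemesMap;

class Document;
class KURL;

// The principal used for same-origin-policy decisions. An origin is
// identified by its protocol, host and port (m_protocol, m_host, m_port)
// and may additionally carry a document.domain value (m_domain), sandbox
// flags, and a few explicitly granted privileges (see the grant*() methods).
// Instances are reference counted and may be shared across threads.
class SecurityOrigin : public ThreadSafeShared<SecurityOrigin> {
public:
    // NOTE(review): presumably the inverse of databaseIdentifier() below;
    // confirm against the implementation.
    static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&);
    static PassRefPtr<SecurityOrigin> createFromString(const String&);
    static PassRefPtr<SecurityOrigin> create(const KURL&, SandboxFlags = SandboxNone);
    static PassRefPtr<SecurityOrigin> createEmpty();

    // Create a deep copy of this SecurityOrigin. This method is useful
    // when marshalling a SecurityOrigin to another thread.
    PassRefPtr<SecurityOrigin> threadsafeCopy();

    // Set the domain property of this security origin to newDomain. This
    // function does not check whether newDomain is a suffix of the current
    // domain. The caller is responsible for validating newDomain.
    void setDomainFromDOM(const String& newDomain);
    bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }

    static void setDomainRelaxationForbiddenForURLScheme(bool forbidden, const String&);
    static bool isDomainRelaxationForbiddenForURLScheme(const String&);

    String protocol() const { return m_protocol; }
    String host() const { return m_host; }
    String domain() const { return m_domain; }
    unsigned short port() const { return m_port; }

    // Returns true if this SecurityOrigin can script objects in the given
    // SecurityOrigin. For example, call this function before allowing
    // script from one security origin to read or write objects from
    // another SecurityOrigin.
    bool canAccess(const SecurityOrigin*) const;

    // Returns true if this SecurityOrigin can read content retrieved from
    // the given URL. For example, call this function before issuing
    // XMLHttpRequests.
    bool canRequest(const KURL&) const;

    // Returns true if drawing an image from this URL taints a canvas from
    // this security origin. For example, call this function before
    // drawing an image onto an HTML canvas element with the drawImage API.
    bool taintsCanvas(const KURL&) const;

    // Returns true for any non-local URL. If document parameter is supplied,
    // its local load policy dictates, otherwise if referrer is non-empty and
    // represents a local file, then the local load is allowed.
    static bool canLoad(const KURL&, const String& referrer, Document* document);

    // Returns true if this SecurityOrigin can load local resources, such
    // as images, iframes, and style sheets, and can link to local URLs.
    // For example, call this function before creating an iframe to a
    // file:// URL.
    //
    // Note: A SecurityOrigin might be allowed to load local resources
    // without being able to issue an XMLHttpRequest for a local URL.
    // To determine whether the SecurityOrigin can issue an
    // XMLHttpRequest for a URL, call canRequest(url).
    bool canLoadLocalResources() const { return m_canLoadLocalResources; }

    // Explicitly grant the ability to load local resources to this
    // SecurityOrigin.
    //
    // Note: This method exists only to support backwards compatibility
    // with older versions of WebKit.
    void grantLoadLocalResources();

    // Explicitly grant the ability to access every other SecurityOrigin.
    //
    // WARNING: This is an extremely powerful ability. Use with caution!
    void grantUniversalAccess();

    // Returns true if any bit of mask is set in this origin's sandbox flags.
    // The comparison is spelled out rather than relying on the implicit
    // integer-to-bool conversion of the masked value.
    bool isSandboxed(SandboxFlags mask) const { return (m_sandboxFlags & mask) != 0; }

    // Persistent state (databases, storage, cookies) is denied to unique
    // origins; see isUnique() for how an origin becomes unique.
    bool canAccessDatabase() const { return !isUnique(); }
    bool canAccessStorage() const { return !isUnique(); }
    bool canAccessCookies() const { return !isUnique(); }

    bool isSecureTransitionTo(const KURL&) const;

    // The local SecurityOrigin is the most privileged SecurityOrigin.
    // The local SecurityOrigin can script any document, navigate to local
    // resources, and can set arbitrary headers on XMLHttpRequests.
    bool isLocal() const;

    // The empty SecurityOrigin is the least privileged SecurityOrigin.
    bool isEmpty() const;

    // The origin is a globally unique identifier assigned when the Document is
    // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
    //
    // There's a subtle difference between a unique origin and an origin that
    // has the SandboxOrigin flag set. The latter implies the former, and, in
    // addition, the SandboxOrigin flag is inherited by iframes.
    bool isUnique() const { return m_isUnique; }

    // Convert this SecurityOrigin into a string. The string
    // representation of a SecurityOrigin is similar to a URL, except it
    // lacks a path component. The string representation does not encode
    // the value of the SecurityOrigin's domain property.
    //
    // When using the string value, it's important to remember that it might be
    // "null". This happens when this SecurityOrigin is unique. For example,
    // this SecurityOrigin might have come from a sandboxed iframe, the
    // SecurityOrigin might be empty, or we might have explicitly decided that
    // we shouldTreatURLSchemeAsNoAccess.
    String toString() const;

    // Serialize the security origin to a string that could be used as part of
    // file names. This format should be used in storage APIs only.
    String databaseIdentifier() const;

    // This method checks for equality between SecurityOrigins, not whether
    // one origin can access another. It is used for hash table keys.
    // For access checks, use canAccess().
    // FIXME: If this method is really only useful for hash table keys, it
    // should be refactored into SecurityOriginHash.
    bool equal(const SecurityOrigin*) const;

    // This method checks for equality, ignoring the value of document.domain
    // (and whether it was set) but considering the host. It is used for postMessage.
    bool isSameSchemeHostPort(const SecurityOrigin*) const;

    static void registerURLSchemeAsLocal(const String&);
    static void removeURLSchemeRegisteredAsLocal(const String&);
    static const URLSchemesMap& localURLSchemes();
    static bool shouldTreatURLAsLocal(const String&);
    static bool shouldTreatURLSchemeAsLocal(const String&);

    static bool shouldHideReferrer(const KURL&, const String& referrer);

    // Process-wide policy consulted by canLoad() when a Document is supplied.
    enum LocalLoadPolicy {
        AllowLocalLoadsForAll, // No restriction on local loads.
        AllowLocalLoadsForLocalAndSubstituteData, // NOTE(review): presumably local origins plus substitute data; see allowSubstituteDataAccessToLocal().
        AllowLocalLoadsForLocalOnly, // NOTE(review): presumably only local origins; see restrictAccessToLocal().
    };
    static void setLocalLoadPolicy(LocalLoadPolicy);
    static bool restrictAccessToLocal();
    static bool allowSubstituteDataAccessToLocal();

    static void registerURLSchemeAsNoAccess(const String&);
    static bool shouldTreatURLSchemeAsNoAccess(const String&);

    // NOTE(review): widens the same-origin policy for sourceOrigin towards the
    // named destination protocol/domains (optionally including subdomains).
    // Exact matching rules live in the implementation; confirm there before
    // relying on them.
    static void whiteListAccessFromOrigin(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains);
    static void resetOriginAccessWhiteLists();

private:
    // Construction goes through the static create*() factories above.
    SecurityOrigin(const KURL&, SandboxFlags);
    explicit SecurityOrigin(const SecurityOrigin*);

    SandboxFlags m_sandboxFlags;
    String m_protocol;
    String m_host;
    String m_domain;
    unsigned short m_port;
    bool m_isUnique;
    bool m_universalAccess; // presumably set by grantUniversalAccess(); confirm in the implementation
    bool m_domainWasSetInDOM;
    bool m_canLoadLocalResources;
};

} // namespace WebCore

#endif // SecurityOrigin_h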