Home | History | Annotate | Download | only in Api 
      1 /*
      2     Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
      3 
      4     This library is free software; you can redistribute it and/or
      5     modify it under the terms of the GNU Library General Public
      6     License as published by the Free Software Foundation; either
      7     version 2 of the License, or (at your option) any later version.
      8 
      9     This library is distributed in the hope that it will be useful,
     10     but WITHOUT ANY WARRANTY; without even the implied warranty of
     11     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     12     Library General Public License for more details.
     13 
     14     You should have received a copy of the GNU Library General Public License
     15     along with this library; see the file COPYING.LIB.  If not, write to
     16     the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
     17     Boston, MA 02110-1301, USA.
     18 */
     19 
     20 #include "config.h"
     21 #include "qwebsecurityorigin.h"
     22 
     23 #include "ApplicationCacheStorage.h"
     24 #include "DatabaseTracker.h"
     25 #include "KURL.h"
     26 #include "SchemeRegistry.h"
     27 #include "SecurityOrigin.h"
     28 #include "qwebdatabase.h"
     29 #include "qwebdatabase_p.h"
     30 #include "qwebsecurityorigin_p.h"
     31 #include <QStringList>
     32 
     33 using namespace WebCore;
     34 
     35 /*!
     36     \class QWebSecurityOrigin
     37     \since 4.5
     38     \brief The QWebSecurityOrigin class defines a security boundary for web sites.
     39 
     40     \inmodule QtWebKit
     41 
     42     QWebSecurityOrigin provides access to the security domains defined by web sites.
     43     An origin consists of a host name, a scheme, and a port number. Web sites
     44     with the same security origin can access each other's resources for client-side
     45     scripting or databases.
     46 
     47     For example the site \c{http://www.example.com/my/page.html} is allowed to share the same
     48     database as \c{http://www.example.com/my/overview.html}, or access each other's
     49     documents when used in HTML frame sets and JavaScript. At the same time it prevents
     50     \c{http://www.malicious.com/evil.html} from accessing \c{http://www.example.com/}'s resources,
     51     because they are of a different security origin.
     52 
     53     By default local schemes like \c{file://} and \c{qrc://} are concidered to be in the same
     54     security origin, and can access each other's resources. You can add additional local schemes
     55     by using QWebSecurityOrigin::addLocalScheme(), or override the default same-origin behavior
     56     by setting QWebSettings::LocalContentCanAccessFileUrls to \c{false}.
     57 
     58     \note Local resources are by default restricted from accessing remote content, which
     59     means your \c{file://} will not be able to access \c{http://domain.com/foo.html}. You
     60     can relax this restriction by setting QWebSettings::LocalContentCanAccessRemoteUrls to
     61     \c{true}.
     62 
     63     Call QWebFrame::securityOrigin() to get the QWebSecurityOrigin for a frame in a
     64     web page, and use host(), scheme() and port() to identify the security origin.
     65 
     66     Use databases() to access the databases defined within a security origin. The
     67     disk usage of the origin's databases can be limited with setDatabaseQuota().
     68     databaseQuota() and databaseUsage() report the current limit as well as the
     69     current usage.
     70 
     71     For more information refer to the
     72     \l{http://en.wikipedia.org/wiki/Same_origin_policy}{"Same origin policy" Wikipedia Article}.
     73 
     74     \sa QWebFrame::securityOrigin()
     75 */
     76 
     77 /*!
     78     Constructs a security origin from \a other.
     79 */
     80 QWebSecurityOrigin::QWebSecurityOrigin(const QWebSecurityOrigin& other) : d(other.d)
     81 {
     82 }
     83 
     84 /*!
     85     Assigns the \a other security origin to this.
     86 */
     87 QWebSecurityOrigin& QWebSecurityOrigin::operator=(const QWebSecurityOrigin& other)
     88 {
     89     d = other.d;
     90     return *this;
     91 }
     92 
     93 /*!
     94     Returns the scheme defining the security origin.
     95 */
     96 QString QWebSecurityOrigin::scheme() const
     97 {
     98     return d->origin->protocol();
     99 }
    100 
    101 /*!
    102     Returns the host name defining the security origin.
    103 */
    104 QString QWebSecurityOrigin::host() const
    105 {
    106     return d->origin->host();
    107 }
    108 
    109 /*!
    110     Returns the port number defining the security origin.
    111 */
    112 int QWebSecurityOrigin::port() const
    113 {
    114     return d->origin->port();
    115 }
    116 
    117 /*!
    118     Returns the number of bytes all databases in the security origin
    119     use on the disk.
    120 */
    121 qint64 QWebSecurityOrigin::databaseUsage() const
    122 {
    123 #if ENABLE(DATABASE)
    124     return DatabaseTracker::tracker().usageForOrigin(d->origin.get());
    125 #else
    126     return 0;
    127 #endif
    128 }
    129 
    130 /*!
    131     Returns the quota for the databases in the security origin.
    132 */
    133 qint64 QWebSecurityOrigin::databaseQuota() const
    134 {
    135 #if ENABLE(DATABASE)
    136     return DatabaseTracker::tracker().quotaForOrigin(d->origin.get());
    137 #else
    138     return 0;
    139 #endif
    140 }
    141 
    142 /*!
    143     Sets the quota for the databases in the security origin to \a quota bytes.
    144 
    145     If the quota is set to a value less than the current usage, the quota will remain
    146     and no data will be purged to meet the new quota. However, no new data can be added
    147     to databases in this origin.
    148 */
    149 void QWebSecurityOrigin::setDatabaseQuota(qint64 quota)
    150 {
    151 #if ENABLE(DATABASE)
    152     DatabaseTracker::tracker().setQuota(d->origin.get(), quota);
    153 #endif
    154 }
    155 
    156 void QWebSecurityOrigin::setApplicationCacheQuota(qint64 quota)
    157 {
    158 #if ENABLE(OFFLINE_WEB_APPLICATIONS)
    159     WebCore::cacheStorage().storeUpdatedQuotaForOrigin(d->origin.get(), quota);
    160 #endif
    161 }
    162 /*!
    163     Destroys the security origin.
    164 */
    165 QWebSecurityOrigin::~QWebSecurityOrigin()
    166 {
    167 }
    168 
    169 /*!
    170     \internal
    171 */
    172 QWebSecurityOrigin::QWebSecurityOrigin(QWebSecurityOriginPrivate* priv)
    173 {
    174     d = priv;
    175 }
    176 
    177 /*!
    178     Returns a list of all security origins with a database quota defined.
    179 */
    180 QList<QWebSecurityOrigin> QWebSecurityOrigin::allOrigins()
    181 {
    182     QList<QWebSecurityOrigin> webOrigins;
    183 
    184 #if ENABLE(DATABASE)
    185     Vector<RefPtr<SecurityOrigin> > coreOrigins;
    186     DatabaseTracker::tracker().origins(coreOrigins);
    187 
    188     for (unsigned i = 0; i < coreOrigins.size(); ++i) {
    189         QWebSecurityOriginPrivate* priv = new QWebSecurityOriginPrivate(coreOrigins[i].get());
    190         webOrigins.append(priv);
    191     }
    192 #endif
    193 
    194     return webOrigins;
    195 }
    196 
    197 /*!
    198     Returns a list of all databases defined in the security origin.
    199 */
    200 QList<QWebDatabase> QWebSecurityOrigin::databases() const
    201 {
    202     QList<QWebDatabase> databases;
    203 
    204 #if ENABLE(DATABASE)
    205     Vector<String> nameVector;
    206 
    207     if (!DatabaseTracker::tracker().databaseNamesForOrigin(d->origin.get(), nameVector))
    208         return databases;
    209     for (unsigned i = 0; i < nameVector.size(); ++i) {
    210         QWebDatabasePrivate* priv = new QWebDatabasePrivate();
    211         priv->name = nameVector[i];
    212         priv->origin = this->d->origin;
    213         QWebDatabase webDatabase(priv);
    214         databases.append(webDatabase);
    215     }
    216 #endif
    217 
    218     return databases;
    219 }
    220 
    221 /*!
    222     \since 4.6
    223 
    224     Adds the given \a scheme to the list of schemes that are considered equivalent
    225     to the \c file: scheme.
    226 
    227     Cross domain restrictions depend on the two web settings QWebSettings::LocalContentCanAccessFileUrls
    228     and QWebSettings::LocalContentCanAccessFileUrls. By default all local schemes are concidered to be
    229     in the same security origin, and local schemes can not access remote content.
    230 */
    231 void QWebSecurityOrigin::addLocalScheme(const QString& scheme)
    232 {
    233     SchemeRegistry::registerURLSchemeAsLocal(scheme);
    234 }
    235 
    236 /*!
    237     \since 4.6
    238 
    239     Removes the given \a scheme from the list of local schemes.
    240 
    241     \note You can not remove the \c{file://} scheme from the list
    242     of local schemes.
    243 
    244     \sa addLocalScheme()
    245 */
    246 void QWebSecurityOrigin::removeLocalScheme(const QString& scheme)
    247 {
    248     SchemeRegistry::removeURLSchemeRegisteredAsLocal(scheme);
    249 }
    250 
    251 /*!
    252     \since 4.6
    253     Returns a list of all the schemes concidered to be local.
    254 
    255     By default this is \c{file://} and \c{qrc://}.
    256 
    257     \sa addLocalScheme(), removeLocalScheme()
    258 */
    259 QStringList QWebSecurityOrigin::localSchemes()
    260 {
    261     QStringList list;
    262     const URLSchemesMap& map = SchemeRegistry::localSchemes();
    263     URLSchemesMap::const_iterator end = map.end();
    264     for (URLSchemesMap::const_iterator i = map.begin(); i != end; ++i) {
    265         const QString scheme = *i;
    266         list.append(scheme);
    267     }
    268     return list;
    269 }
    270