      1 /*
      2  * Copyright (C) 2009 Google Inc. All rights reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions are
      6  * met:
      7  *
      8  *     * Redistributions of source code must retain the above copyright
      9  * notice, this list of conditions and the following disclaimer.
     10  *     * Redistributions in binary form must reproduce the above
     11  * copyright notice, this list of conditions and the following disclaimer
     12  * in the documentation and/or other materials provided with the
     13  * distribution.
     14  *     * Neither the name of Google Inc. nor the names of its
     15  * contributors may be used to endorse or promote products derived from
     16  * this software without specific prior written permission.
     17  *
     18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
     21  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
     22  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     23  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
     24  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     25  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     26  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     27  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     28  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     29  */
     30 
     31 #ifndef WebSecurityPolicy_h
     32 #define WebSecurityPolicy_h
     33 
     34 #include "../platform/WebCommon.h"
     35 #include "../platform/WebReferrerPolicy.h"
     36 
     37 namespace WebKit {
     38 
     39 class WebString;
     40 class WebURL;
     41 
// Static-only entry points through which an embedder adjusts security policy:
// how individual URL schemes are treated, exceptions to the same-origin
// policy, and computation of the referrer header. The constructor is private,
// so the class is never instantiated.
//
// NOTE(review): every method is static and takes no frame or document
// argument, so a registration presumably affects all pages rather than a
// single one -- confirm against the implementation. Several calls relax a
// protection (mixed content warnings, Content Security Policy, same-origin
// checks); the scheme and origin values passed in should be fixed values
// chosen by the embedder, not values derived from page content.
class WebSecurityPolicy {
public:
    // Treats |scheme| as a local scheme, i.e. it gets the security rules that
    // apply to "file" URLs: normal pages can neither link to nor access URLs
    // of that scheme.
    WEBKIT_EXPORT static void registerURLSchemeAsLocal(const WebString& scheme);

    // Treats |scheme| as a noAccess scheme: a page loaded with it cannot
    // access pages loaded with any other URL scheme.
    WEBKIT_EXPORT static void registerURLSchemeAsNoAccess(const WebString& scheme);

    // Treats |scheme| as display-isolated: its URLs can only be displayed by
    // pages of the same scheme. Pages in another origin, for example, cannot
    // create iframes or hyperlinks to URLs with this scheme.
    WEBKIT_EXPORT static void registerURLSchemeAsDisplayIsolated(const WebString& scheme);

    // Stops |scheme| from generating mixed content warnings when an HTTPS
    // page includes it.
    // NOTE(review): as described, this only silences the warning; nothing in
    // this header shows that the scheme's content is delivered over a
    // protected channel, so that has to be guaranteed by whoever registers it.
    WEBKIT_EXPORT static void registerURLSchemeAsSecure(const WebString& scheme);

    // Marks |scheme|, a non-HTTP URL scheme, as one that can be sent CORS
    // requests.
    WEBKIT_EXPORT static void registerURLSchemeAsCORSEnabled(const WebString& scheme);

    // Lets resources of |scheme| load regardless of a page's Content Security
    // Policy.
    // NOTE(review): a page's CSP no longer restricts this scheme once it is
    // registered, so register only schemes whose content the embedder itself
    // controls.
    WEBKIT_EXPORT static void registerURLSchemeAsBypassingContentSecurityPolicy(const WebString& scheme);

    // Declares documents of |scheme| to be strictly empty, which allows them
    // to commit synchronously.
    WEBKIT_EXPORT static void registerURLSchemeAsEmptyDocument(const WebString& scheme);

    // Whitelisting of access to origins beyond the same-origin policy.
    // NOTE(review): going by the parameter names, an entry presumably lets
    // |sourceOrigin| reach |destinationProtocol| / |destinationHost|, and
    // |allowDestinationSubdomains| extends it to subdomains of that host --
    // confirm. Each entry is an exception to same-origin checks, so keep it
    // as narrow as possible (exact host, subdomains off unless required) and
    // remove it when it is no longer needed.
    WEBKIT_EXPORT static void addOriginAccessWhitelistEntry(
        const WebURL& sourceOrigin,
        const WebString& destinationProtocol,
        const WebString& destinationHost,
        bool allowDestinationSubdomains);
    WEBKIT_EXPORT static void removeOriginAccessWhitelistEntry(
        const WebURL& sourceOrigin,
        const WebString& destinationProtocol,
        const WebString& destinationHost,
        bool allowDestinationSubdomains);
    // NOTE(review): presumably drops every whitelist entry -- confirm.
    WEBKIT_EXPORT static void resetOriginAccessWhitelists();

    // Returns |referrer| modified according to the referrer policy for a
    // navigation to |url|. An empty return value means the referrer header
    // should be omitted.
    WEBKIT_EXPORT static WebString generateReferrerHeader(
        WebReferrerPolicy policy, const WebURL& url, const WebString& referrer);

    // Prevents pages loaded from |scheme| from being manipulated by
    // bookmarklets or by javascript: URLs typed in the omnibox.
    WEBKIT_EXPORT static void registerURLSchemeAsNotAllowingJavascriptURLs(const WebString& scheme);

private:
    // Declared private: the class only exposes static members.
    WebSecurityPolicy();
};
     95 
     96 } // namespace WebKit
     97 
     98 #endif
     99