1 /* 2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 #ifndef SecurityOrigin_h 30 #define SecurityOrigin_h 31 32 #include "platform/PlatformExport.h" 33 #include "wtf/ThreadSafeRefCounted.h" 34 #include "wtf/text/WTFString.h" 35 36 namespace WebCore { 37 38 class KURL; 39 class SecurityOriginCache; 40 41 class PLATFORM_EXPORT SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> { 42 public: 43 enum Policy { 44 AlwaysDeny = 0, 45 AlwaysAllow, 46 Ask 47 }; 48 49 static PassRefPtr<SecurityOrigin> create(const KURL&); 50 static PassRefPtr<SecurityOrigin> createUnique(); 51 52 static PassRefPtr<SecurityOrigin> createFromString(const String&); 53 static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port); 54 55 static void setCache(SecurityOriginCache*); 56 57 // Some URL schemes use nested URLs for their security context. For example, 58 // filesystem URLs look like the following: 59 // 60 // filesystem:http://example.com/temporary/path/to/file.png 61 // 62 // We're supposed to use "http://example.com" as the origin. 63 // 64 // Generally, we add URL schemes to this list when WebKit support them. For 65 // example, we don't include the "jar" scheme, even though Firefox 66 // understands that "jar" uses an inner URL for it's security origin. 67 static bool shouldUseInnerURL(const KURL&); 68 static KURL extractInnerURL(const KURL&); 69 70 // Create a deep copy of this SecurityOrigin. This method is useful 71 // when marshalling a SecurityOrigin to another thread. 72 PassRefPtr<SecurityOrigin> isolatedCopy() const; 73 74 // Set the domain property of this security origin to newDomain. This 75 // function does not check whether newDomain is a suffix of the current 76 // domain. The caller is responsible for validating newDomain. 77 void setDomainFromDOM(const String& newDomain); 78 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } 79 80 String protocol() const { return m_protocol; } 81 String host() const { return m_host; } 82 String domain() const { return m_domain; } 83 unsigned short port() const { return m_port; } 84 85 // Returns true if a given URL is secure, based either directly on its 86 // own protocol, or, when relevant, on the protocol of its "inner URL" 87 // Protocols like blob: and filesystem: fall into this latter category. 88 static bool isSecure(const KURL&); 89 90 // Returns true if this SecurityOrigin can script objects in the given 91 // SecurityOrigin. For example, call this function before allowing 92 // script from one security origin to read or write objects from 93 // another SecurityOrigin. 94 bool canAccess(const SecurityOrigin*) const; 95 96 // Returns true if this SecurityOrigin can read content retrieved from 97 // the given URL. For example, call this function before issuing 98 // XMLHttpRequests. 99 bool canRequest(const KURL&) const; 100 101 // Returns true if drawing an image from this URL taints a canvas from 102 // this security origin. For example, call this function before 103 // drawing an image onto an HTML canvas element with the drawImage API. 104 bool taintsCanvas(const KURL&) const; 105 106 // Returns true if this SecurityOrigin can receive drag content from the 107 // initiator. For example, call this function before allowing content to be 108 // dropped onto a target. 109 bool canReceiveDragData(const SecurityOrigin* dragInitiator) const; 110 111 // Returns true if |document| can display content from the given URL (e.g., 112 // in an iframe or as an image). For example, web sites generally cannot 113 // display content from the user's files system. 114 bool canDisplay(const KURL&) const; 115 116 // Returns true if this SecurityOrigin can load local resources, such 117 // as images, iframes, and style sheets, and can link to local URLs. 118 // For example, call this function before creating an iframe to a 119 // file:// URL. 120 // 121 // Note: A SecurityOrigin might be allowed to load local resources 122 // without being able to issue an XMLHttpRequest for a local URL. 123 // To determine whether the SecurityOrigin can issue an 124 // XMLHttpRequest for a URL, call canRequest(url). 125 bool canLoadLocalResources() const { return m_canLoadLocalResources; } 126 127 // Explicitly grant the ability to load local resources to this 128 // SecurityOrigin. 129 // 130 // Note: This method exists only to support backwards compatibility 131 // with older versions of WebKit. 132 void grantLoadLocalResources(); 133 134 // Explicitly grant the ability to access very other SecurityOrigin. 135 // 136 // WARNING: This is an extremely powerful ability. Use with caution! 137 void grantUniversalAccess(); 138 139 bool canAccessDatabase() const { return !isUnique(); }; 140 bool canAccessLocalStorage() const { return !isUnique(); }; 141 bool canAccessSharedWorkers() const { return !isUnique(); } 142 bool canAccessCookies() const { return !isUnique(); } 143 bool canAccessPasswordManager() const { return !isUnique(); } 144 bool canAccessFileSystem() const { return !isUnique(); } 145 Policy canShowNotifications() const; 146 147 // Technically, we should always allow access to sessionStorage, but we 148 // currently don't handle creating a sessionStorage area for unique 149 // origins. 150 bool canAccessSessionStorage() const { return !isUnique(); } 151 152 // The local SecurityOrigin is the most privileged SecurityOrigin. 153 // The local SecurityOrigin can script any document, navigate to local 154 // resources, and can set arbitrary headers on XMLHttpRequests. 155 bool isLocal() const; 156 157 // The origin is a globally unique identifier assigned when the Document is 158 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin 159 // 160 // There's a subtle difference between a unique origin and an origin that 161 // has the SandboxOrigin flag set. The latter implies the former, and, in 162 // addition, the SandboxOrigin flag is inherited by iframes. 163 bool isUnique() const { return m_isUnique; } 164 165 // Marks a file:// origin as being in a domain defined by its path. 166 // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files 167 // still can have other privileges that can be remembered, thereby not making them unique. 168 void enforceFilePathSeparation(); 169 170 // Convert this SecurityOrigin into a string. The string 171 // representation of a SecurityOrigin is similar to a URL, except it 172 // lacks a path component. The string representation does not encode 173 // the value of the SecurityOrigin's domain property. 174 // 175 // When using the string value, it's important to remember that it might be 176 // "null". This happens when this SecurityOrigin is unique. For example, 177 // this SecurityOrigin might have come from a sandboxed iframe, the 178 // SecurityOrigin might be empty, or we might have explicitly decided that 179 // we shouldTreatURLSchemeAsNoAccess. 180 String toString() const; 181 182 // Similar to toString(), but does not take into account any factors that 183 // could make the string return "null". 184 String toRawString() const; 185 186 // This method checks for equality between SecurityOrigins, not whether 187 // one origin can access another. It is used for hash table keys. 188 // For access checks, use canAccess(). 189 // FIXME: If this method is really only useful for hash table keys, it 190 // should be refactored into SecurityOriginHash. 191 bool equal(const SecurityOrigin*) const; 192 193 // This method checks for equality, ignoring the value of document.domain 194 // (and whether it was set) but considering the host. It is used for postMessage. 195 bool isSameSchemeHostPort(const SecurityOrigin*) const; 196 197 bool needsDatabaseIdentifierQuirkForFiles() const { return m_needsDatabaseIdentifierQuirkForFiles; } 198 199 static const String& urlWithUniqueSecurityOrigin(); 200 201 private: 202 SecurityOrigin(); 203 explicit SecurityOrigin(const KURL&); 204 explicit SecurityOrigin(const SecurityOrigin*); 205 206 // FIXME: Rename this function to something more semantic. 207 bool passesFileCheck(const SecurityOrigin*) const; 208 209 String m_protocol; 210 String m_host; 211 String m_domain; 212 String m_filePath; 213 unsigned short m_port; 214 bool m_isUnique; 215 bool m_universalAccess; 216 bool m_domainWasSetInDOM; 217 bool m_canLoadLocalResources; 218 bool m_enforceFilePathSeparation; 219 bool m_needsDatabaseIdentifierQuirkForFiles; 220 }; 221 222 } // namespace WebCore 223 224 #endif // SecurityOrigin_h 225