Home | History | Annotate | Download | only in weborigin
      1 /*
      2  * Copyright (C) 2007 Apple Inc. All rights reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  *
      8  * 1.  Redistributions of source code must retain the above copyright
      9  *     notice, this list of conditions and the following disclaimer.
     10  * 2.  Redistributions in binary form must reproduce the above copyright
     11  *     notice, this list of conditions and the following disclaimer in the
     12  *     documentation and/or other materials provided with the distribution.
     13  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
     14  *     its contributors may be used to endorse or promote products derived
     15  *     from this software without specific prior written permission.
     16  *
     17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
     18  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
     19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
     20  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
     21  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
     22  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     23  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
     24  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     27  */
     28 
     29 #include "config.h"
     30 #include "platform/weborigin/SecurityOrigin.h"
     31 
     32 #include "platform/weborigin/KURL.h"
     33 #include "platform/weborigin/KnownPorts.h"
     34 #include "platform/weborigin/SchemeRegistry.h"
     35 #include "platform/weborigin/SecurityOriginCache.h"
     36 #include "platform/weborigin/SecurityPolicy.h"
     37 #include "wtf/HexNumber.h"
     38 #include "wtf/MainThread.h"
     39 #include "wtf/StdLibExtras.h"
     40 #include "wtf/text/StringBuilder.h"
     41 
     42 namespace WebCore {
     43 
     44 const int InvalidPort = 0;
     45 const int MaxAllowedPort = 65535;
     46 
     47 static SecurityOriginCache* s_originCache = 0;
     48 
     49 static bool schemeRequiresAuthority(const KURL& url)
     50 {
     51     // We expect URLs with these schemes to have authority components. If the
     52     // URL lacks an authority component, we get concerned and mark the origin
     53     // as unique.
     54     return url.protocolIsInHTTPFamily() || url.protocolIs("ftp");
     55 }
     56 
     57 static SecurityOrigin* cachedOrigin(const KURL& url)
     58 {
     59     if (s_originCache)
     60         return s_originCache->cachedOrigin(url);
     61     return 0;
     62 }
     63 
     64 bool SecurityOrigin::shouldUseInnerURL(const KURL& url)
     65 {
     66     // FIXME: Blob URLs don't have inner URLs. Their form is "blob:<inner-origin>/<UUID>", so treating the part after "blob:" as a URL is incorrect.
     67     if (url.protocolIs("blob"))
     68         return true;
     69     if (url.protocolIs("filesystem"))
     70         return true;
     71     return false;
     72 }
     73 
     74 // In general, extracting the inner URL varies by scheme. It just so happens
     75 // that all the URL schemes we currently support that use inner URLs for their
     76 // security origin can be parsed using this algorithm.
     77 KURL SecurityOrigin::extractInnerURL(const KURL& url)
     78 {
     79     if (url.innerURL())
     80         return *url.innerURL();
     81     // FIXME: Update this callsite to use the innerURL member function when
     82     // we finish implementing it.
     83     return KURL(ParsedURLString, decodeURLEscapeSequences(url.path()));
     84 }
     85 
     86 void SecurityOrigin::setCache(SecurityOriginCache* originCache)
     87 {
     88     s_originCache = originCache;
     89 }
     90 
     91 static bool shouldTreatAsUniqueOrigin(const KURL& url)
     92 {
     93     if (!url.isValid())
     94         return true;
     95 
     96     // FIXME: Do we need to unwrap the URL further?
     97     KURL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
     98 
     99     // FIXME: Check whether innerURL is valid.
    100 
    101     // For edge case URLs that were probably misparsed, make sure that the origin is unique.
    102     // FIXME: Do we really need to do this? This looks to be a hack around a
    103     // security bug in CFNetwork that might have been fixed.
    104     if (schemeRequiresAuthority(innerURL) && innerURL.host().isEmpty())
    105         return true;
    106 
    107     // SchemeRegistry needs a lower case protocol because it uses HashMaps
    108     // that assume the scheme has already been canonicalized.
    109     String protocol = innerURL.protocol().lower();
    110 
    111     if (SchemeRegistry::shouldTreatURLSchemeAsNoAccess(protocol))
    112         return true;
    113 
    114     // This is the common case.
    115     return false;
    116 }
    117 
    118 SecurityOrigin::SecurityOrigin(const KURL& url)
    119     : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
    120     , m_host(url.host().isNull() ? "" : url.host().lower())
    121     , m_port(url.port())
    122     , m_isUnique(false)
    123     , m_universalAccess(false)
    124     , m_domainWasSetInDOM(false)
    125     , m_enforceFilePathSeparation(false)
    126     , m_needsDatabaseIdentifierQuirkForFiles(false)
    127 {
    128     // document.domain starts as m_host, but can be set by the DOM.
    129     m_domain = m_host;
    130 
    131     if (isDefaultPortForProtocol(m_port, m_protocol))
    132         m_port = InvalidPort;
    133 
    134     // By default, only local SecurityOrigins can load local resources.
    135     m_canLoadLocalResources = isLocal();
    136 
    137     if (m_canLoadLocalResources)
    138         m_filePath = url.path(); // In case enforceFilePathSeparation() is called.
    139 }
    140 
    141 SecurityOrigin::SecurityOrigin()
    142     : m_protocol("")
    143     , m_host("")
    144     , m_domain("")
    145     , m_port(InvalidPort)
    146     , m_isUnique(true)
    147     , m_universalAccess(false)
    148     , m_domainWasSetInDOM(false)
    149     , m_canLoadLocalResources(false)
    150     , m_enforceFilePathSeparation(false)
    151     , m_needsDatabaseIdentifierQuirkForFiles(false)
    152 {
    153 }
    154 
    155 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
    156     : m_protocol(other->m_protocol.isolatedCopy())
    157     , m_host(other->m_host.isolatedCopy())
    158     , m_domain(other->m_domain.isolatedCopy())
    159     , m_filePath(other->m_filePath.isolatedCopy())
    160     , m_port(other->m_port)
    161     , m_isUnique(other->m_isUnique)
    162     , m_universalAccess(other->m_universalAccess)
    163     , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
    164     , m_canLoadLocalResources(other->m_canLoadLocalResources)
    165     , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation)
    166     , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles)
    167 {
    168 }
    169 
    170 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url)
    171 {
    172     if (RefPtr<SecurityOrigin> origin = cachedOrigin(url))
    173         return origin.release();
    174 
    175     if (shouldTreatAsUniqueOrigin(url)) {
    176         RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin());
    177 
    178         if (url.protocolIs("file")) {
    179             // Unfortunately, we can't represent all unique origins exactly
    180             // the same way because we need to produce a quirky database
    181             // identifier for file URLs due to persistent storage in some
    182             // embedders of WebKit.
    183             origin->m_needsDatabaseIdentifierQuirkForFiles = true;
    184         }
    185 
    186         return origin.release();
    187     }
    188 
    189     if (shouldUseInnerURL(url))
    190         return adoptRef(new SecurityOrigin(extractInnerURL(url)));
    191 
    192     return adoptRef(new SecurityOrigin(url));
    193 }
    194 
    195 PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique()
    196 {
    197     RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin());
    198     ASSERT(origin->isUnique());
    199     return origin.release();
    200 }
    201 
    202 PassRefPtr<SecurityOrigin> SecurityOrigin::isolatedCopy() const
    203 {
    204     return adoptRef(new SecurityOrigin(this));
    205 }
    206 
    207 void SecurityOrigin::setDomainFromDOM(const String& newDomain)
    208 {
    209     m_domainWasSetInDOM = true;
    210     m_domain = newDomain.lower();
    211 }
    212 
    213 bool SecurityOrigin::isSecure(const KURL& url)
    214 {
    215     // Invalid URLs are secure, as are URLs which have a secure protocol.
    216     if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol()))
    217         return true;
    218 
    219     // URLs that wrap inner URLs are secure if those inner URLs are secure.
    220     if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol()))
    221         return true;
    222 
    223     return false;
    224 }
    225 
    226 bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
    227 {
    228     if (m_universalAccess)
    229         return true;
    230 
    231     if (this == other)
    232         return true;
    233 
    234     if (isUnique() || other->isUnique())
    235         return false;
    236 
    237     // Here are two cases where we should permit access:
    238     //
    239     // 1) Neither document has set document.domain. In this case, we insist
    240     //    that the scheme, host, and port of the URLs match.
    241     //
    242     // 2) Both documents have set document.domain. In this case, we insist
    243     //    that the documents have set document.domain to the same value and
    244     //    that the scheme of the URLs match.
    245     //
    246     // This matches the behavior of Firefox 2 and Internet Explorer 6.
    247     //
    248     // Internet Explorer 7 and Opera 9 are more strict in that they require
    249     // the port numbers to match when both pages have document.domain set.
    250     //
    251     // FIXME: Evaluate whether we can tighten this policy to require matched
    252     //        port numbers.
    253     //
    254     // Opera 9 allows access when only one page has set document.domain, but
    255     // this is a security vulnerability.
    256 
    257     bool canAccess = false;
    258     if (m_protocol == other->m_protocol) {
    259         if (!m_domainWasSetInDOM && !other->m_domainWasSetInDOM) {
    260             if (m_host == other->m_host && m_port == other->m_port)
    261                 canAccess = true;
    262         } else if (m_domainWasSetInDOM && other->m_domainWasSetInDOM) {
    263             if (m_domain == other->m_domain)
    264                 canAccess = true;
    265         }
    266     }
    267 
    268     if (canAccess && isLocal())
    269         canAccess = passesFileCheck(other);
    270 
    271     return canAccess;
    272 }
    273 
    274 bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const
    275 {
    276     ASSERT(isLocal() && other->isLocal());
    277 
    278     if (!m_enforceFilePathSeparation && !other->m_enforceFilePathSeparation)
    279         return true;
    280 
    281     return (m_filePath == other->m_filePath);
    282 }
    283 
    284 bool SecurityOrigin::canRequest(const KURL& url) const
    285 {
    286     if (m_universalAccess)
    287         return true;
    288 
    289     if (cachedOrigin(url) == this)
    290         return true;
    291 
    292     if (isUnique())
    293         return false;
    294 
    295     RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
    296 
    297     if (targetOrigin->isUnique())
    298         return false;
    299 
    300     // We call isSameSchemeHostPort here instead of canAccess because we want
    301     // to ignore document.domain effects.
    302     if (isSameSchemeHostPort(targetOrigin.get()))
    303         return true;
    304 
    305     if (SecurityPolicy::isAccessWhiteListed(this, targetOrigin.get()))
    306         return true;
    307 
    308     return false;
    309 }
    310 
    311 bool SecurityOrigin::taintsCanvas(const KURL& url) const
    312 {
    313     if (canRequest(url))
    314         return false;
    315 
    316     // This function exists because we treat data URLs as having a unique origin,
    317     // contrary to the current (9/19/2009) draft of the HTML5 specification.
    318     // We still want to let folks paint data URLs onto untainted canvases, so
    319     // we special case data URLs below. If we change to match HTML5 w.r.t.
    320     // data URL security, then we can remove this function in favor of
    321     // !canRequest.
    322     if (url.protocolIsData())
    323         return false;
    324 
    325     return true;
    326 }
    327 
    328 bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const
    329 {
    330     if (this == dragInitiator)
    331         return true;
    332 
    333     return canAccess(dragInitiator);
    334 }
    335 
    336 // This is a hack to allow keep navigation to http/https feeds working. To remove this
    337 // we need to introduce new API akin to registerURLSchemeAsLocal, that registers a
    338 // protocols navigation policy.
    339 // feed(|s|search): is considered a 'nesting' scheme by embedders that support it, so it can be
    340 // local or remote depending on what is nested. Currently we just check if we are nesting
    341 // http or https, otherwise we ignore the nesting for the purpose of a security check. We need
    342 // a facility for registering nesting schemes, and some generalized logic for them.
    343 // This function should be removed as an outcome of https://bugs.webkit.org/show_bug.cgi?id=69196
    344 static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url)
    345 {
    346     const String& urlString = url.string();
    347     if (!urlString.startsWith("feed", false))
    348         return false;
    349 
    350     return urlString.startsWith("feed://", false)
    351         || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false)
    352         || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false)
    353         || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false);
    354 }
    355 
    356 bool SecurityOrigin::canDisplay(const KURL& url) const
    357 {
    358     if (m_universalAccess)
    359         return true;
    360 
    361     String protocol = url.protocol().lower();
    362 
    363     if (isFeedWithNestedProtocolInHTTPFamily(url))
    364         return true;
    365 
    366     if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol))
    367         return canRequest(url);
    368 
    369     if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol))
    370         return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListed(this, url);
    371 
    372     if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol))
    373         return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteListed(this, url);
    374 
    375     return true;
    376 }
    377 
    378 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const
    379 {
    380     if (m_universalAccess)
    381         return AlwaysAllow;
    382     if (isUnique())
    383         return AlwaysDeny;
    384     return Ask;
    385 }
    386 
    387 void SecurityOrigin::grantLoadLocalResources()
    388 {
    389     // Granting privileges to some, but not all, documents in a SecurityOrigin
    390     // is a security hazard because the documents without the privilege can
    391     // obtain the privilege by injecting script into the documents that have
    392     // been granted the privilege.
    393     m_canLoadLocalResources = true;
    394 }
    395 
    396 void SecurityOrigin::grantUniversalAccess()
    397 {
    398     m_universalAccess = true;
    399 }
    400 
    401 void SecurityOrigin::enforceFilePathSeparation()
    402 {
    403     ASSERT(isLocal());
    404     m_enforceFilePathSeparation = true;
    405 }
    406 
    407 bool SecurityOrigin::isLocal() const
    408 {
    409     return SchemeRegistry::shouldTreatURLSchemeAsLocal(m_protocol);
    410 }
    411 
    412 String SecurityOrigin::toString() const
    413 {
    414     if (isUnique())
    415         return "null";
    416     if (m_protocol == "file" && m_enforceFilePathSeparation)
    417         return "null";
    418     return toRawString();
    419 }
    420 
    421 String SecurityOrigin::toRawString() const
    422 {
    423     if (m_protocol == "file")
    424         return "file://";
    425 
    426     StringBuilder result;
    427     result.reserveCapacity(m_protocol.length() + m_host.length() + 10);
    428     result.append(m_protocol);
    429     result.append("://");
    430     result.append(m_host);
    431 
    432     if (m_port) {
    433         result.append(':');
    434         result.appendNumber(m_port);
    435     }
    436 
    437     return result.toString();
    438 }
    439 
    440 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
    441 {
    442     return SecurityOrigin::create(KURL(KURL(), originString));
    443 }
    444 
    445 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, int port)
    446 {
    447     if (port < 0 || port > MaxAllowedPort)
    448         return createUnique();
    449     String decodedHost = decodeURLEscapeSequences(host);
    450     return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port) + "/"));
    451 }
    452 
    453 bool SecurityOrigin::equal(const SecurityOrigin* other) const
    454 {
    455     if (other == this)
    456         return true;
    457 
    458     if (!isSameSchemeHostPort(other))
    459         return false;
    460 
    461     if (m_domainWasSetInDOM != other->m_domainWasSetInDOM)
    462         return false;
    463 
    464     if (m_domainWasSetInDOM && m_domain != other->m_domain)
    465         return false;
    466 
    467     return true;
    468 }
    469 
    470 bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const
    471 {
    472     if (m_host != other->m_host)
    473         return false;
    474 
    475     if (m_protocol != other->m_protocol)
    476         return false;
    477 
    478     if (m_port != other->m_port)
    479         return false;
    480 
    481     if (isLocal() && !passesFileCheck(other))
    482         return false;
    483 
    484     return true;
    485 }
    486 
    487 const String& SecurityOrigin::urlWithUniqueSecurityOrigin()
    488 {
    489     ASSERT(isMainThread());
    490     DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, ("data:,"));
    491     return uniqueSecurityOriginURL;
    492 }
    493 
    494 } // namespace WebCore
    495