1 /* 2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29 #ifndef SecurityOrigin_h 30 #define SecurityOrigin_h 31 32 #include "platform/PlatformExport.h" 33 #include "wtf/ThreadSafeRefCounted.h" 34 #include "wtf/text/WTFString.h" 35 36 namespace blink { 37 38 class KURL; 39 class SecurityOriginCache; 40 41 class PLATFORM_EXPORT SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> { 42 public: 43 enum Policy { 44 AlwaysDeny = 0, 45 AlwaysAllow, 46 Ask 47 }; 48 49 static PassRefPtr<SecurityOrigin> create(const KURL&); 50 static PassRefPtr<SecurityOrigin> createUnique(); 51 52 static PassRefPtr<SecurityOrigin> createFromString(const String&); 53 static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port); 54 55 static void setCache(SecurityOriginCache*); 56 57 // Some URL schemes use nested URLs for their security context. For example, 58 // filesystem URLs look like the following: 59 // 60 // filesystem:http://example.com/temporary/path/to/file.png 61 // 62 // We're supposed to use "http://example.com" as the origin. 63 // 64 // Generally, we add URL schemes to this list when WebKit support them. For 65 // example, we don't include the "jar" scheme, even though Firefox 66 // understands that "jar" uses an inner URL for it's security origin. 67 static bool shouldUseInnerURL(const KURL&); 68 static KURL extractInnerURL(const KURL&); 69 70 // Create a deep copy of this SecurityOrigin. This method is useful 71 // when marshalling a SecurityOrigin to another thread. 72 PassRefPtr<SecurityOrigin> isolatedCopy() const; 73 74 // Set the domain property of this security origin to newDomain. This 75 // function does not check whether newDomain is a suffix of the current 76 // domain. The caller is responsible for validating newDomain. 77 void setDomainFromDOM(const String& newDomain); 78 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } 79 80 String protocol() const { return m_protocol; } 81 String host() const { return m_host; } 82 String domain() const { return m_domain; } 83 unsigned short port() const { return m_port; } 84 85 // Returns true if a given URL is secure, based either directly on its 86 // own protocol, or, when relevant, on the protocol of its "inner URL" 87 // Protocols like blob: and filesystem: fall into this latter category. 88 static bool isSecure(const KURL&); 89 90 // Returns true if this SecurityOrigin can script objects in the given 91 // SecurityOrigin. For example, call this function before allowing 92 // script from one security origin to read or write objects from 93 // another SecurityOrigin. 94 bool canAccess(const SecurityOrigin*) const; 95 96 // Returns true if this SecurityOrigin can read content retrieved from 97 // the given URL. For example, call this function before issuing 98 // XMLHttpRequests. 99 bool canRequest(const KURL&) const; 100 101 // Returns true if drawing an image from this URL taints a canvas from 102 // this security origin. For example, call this function before 103 // drawing an image onto an HTML canvas element with the drawImage API. 104 bool taintsCanvas(const KURL&) const; 105 106 // Returns true if this SecurityOrigin can receive drag content from the 107 // initiator. For example, call this function before allowing content to be 108 // dropped onto a target. 109 bool canReceiveDragData(const SecurityOrigin* dragInitiator) const; 110 111 // Returns true if |document| can display content from the given URL (e.g., 112 // in an iframe or as an image). For example, web sites generally cannot 113 // display content from the user's files system. 114 bool canDisplay(const KURL&) const; 115 116 // A "secure origin" as defined by [1] are those that load resources either 117 // from the local machine (necessarily trusted) or over the network from a 118 // cryptographically-authenticated server. 119 // 120 // [1] http://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins-are-secure- 121 bool canAccessFeatureRequiringSecureOrigin(String& errorMessage) const; 122 123 // Returns true if this SecurityOrigin can load local resources, such 124 // as images, iframes, and style sheets, and can link to local URLs. 125 // For example, call this function before creating an iframe to a 126 // file:// URL. 127 // 128 // Note: A SecurityOrigin might be allowed to load local resources 129 // without being able to issue an XMLHttpRequest for a local URL. 130 // To determine whether the SecurityOrigin can issue an 131 // XMLHttpRequest for a URL, call canRequest(url). 132 bool canLoadLocalResources() const { return m_canLoadLocalResources; } 133 134 // Explicitly grant the ability to load local resources to this 135 // SecurityOrigin. 136 // 137 // Note: This method exists only to support backwards compatibility 138 // with older versions of WebKit. 139 void grantLoadLocalResources(); 140 141 // Explicitly grant the ability to access every other SecurityOrigin. 142 // 143 // WARNING: This is an extremely powerful ability. Use with caution! 144 void grantUniversalAccess(); 145 146 bool canAccessDatabase() const { return !isUnique(); }; 147 bool canAccessLocalStorage() const { return !isUnique(); }; 148 bool canAccessSharedWorkers() const { return !isUnique(); } 149 bool canAccessCookies() const { return !isUnique(); } 150 bool canAccessPasswordManager() const { return !isUnique(); } 151 bool canAccessFileSystem() const { return !isUnique(); } 152 Policy canShowNotifications() const; 153 154 // Technically, we should always allow access to sessionStorage, but we 155 // currently don't handle creating a sessionStorage area for unique 156 // origins. 157 bool canAccessSessionStorage() const { return !isUnique(); } 158 159 // The local SecurityOrigin is the most privileged SecurityOrigin. 160 // The local SecurityOrigin can script any document, navigate to local 161 // resources, and can set arbitrary headers on XMLHttpRequests. 162 bool isLocal() const; 163 164 // Returns true if the host is one of 127.0.0.1/8, ::1/128, or "localhost". 165 bool isLocalhost() const; 166 167 // The origin is a globally unique identifier assigned when the Document is 168 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin 169 // 170 // There's a subtle difference between a unique origin and an origin that 171 // has the SandboxOrigin flag set. The latter implies the former, and, in 172 // addition, the SandboxOrigin flag is inherited by iframes. 173 bool isUnique() const { return m_isUnique; } 174 175 // Marks a file:// origin as being in a domain defined by its path. 176 // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files 177 // still can have other privileges that can be remembered, thereby not making them unique. 178 void enforceFilePathSeparation(); 179 180 // Convert this SecurityOrigin into a string. The string 181 // representation of a SecurityOrigin is similar to a URL, except it 182 // lacks a path component. The string representation does not encode 183 // the value of the SecurityOrigin's domain property. 184 // 185 // When using the string value, it's important to remember that it might be 186 // "null". This happens when this SecurityOrigin is unique. For example, 187 // this SecurityOrigin might have come from a sandboxed iframe, the 188 // SecurityOrigin might be empty, or we might have explicitly decided that 189 // we shouldTreatURLSchemeAsNoAccess. 190 String toString() const; 191 AtomicString toAtomicString() const; 192 193 // Similar to toString(), but does not take into account any factors that 194 // could make the string return "null". 195 String toRawString() const; 196 AtomicString toRawAtomicString() const; 197 198 // This method checks for equality, ignoring the value of document.domain 199 // (and whether it was set) but considering the host. It is used for postMessage. 200 bool isSameSchemeHostPort(const SecurityOrigin*) const; 201 202 bool needsDatabaseIdentifierQuirkForFiles() const { return m_needsDatabaseIdentifierQuirkForFiles; } 203 204 static const String& urlWithUniqueSecurityOrigin(); 205 206 private: 207 SecurityOrigin(); 208 explicit SecurityOrigin(const KURL&); 209 explicit SecurityOrigin(const SecurityOrigin*); 210 211 // FIXME: Rename this function to something more semantic. 212 bool passesFileCheck(const SecurityOrigin*) const; 213 void buildRawString(StringBuilder&) const; 214 215 String m_protocol; 216 String m_host; 217 String m_domain; 218 String m_filePath; 219 unsigned short m_port; 220 bool m_isUnique; 221 bool m_universalAccess; 222 bool m_domainWasSetInDOM; 223 bool m_canLoadLocalResources; 224 bool m_enforceFilePathSeparation; 225 bool m_needsDatabaseIdentifierQuirkForFiles; 226 }; 227 228 } // namespace blink 229 230 #endif // SecurityOrigin_h 231