Home | History | Annotate | Download | only in weborigin
      1 /*
      2  * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  *
      8  * 1.  Redistributions of source code must retain the above copyright
      9  *     notice, this list of conditions and the following disclaimer.
     10  * 2.  Redistributions in binary form must reproduce the above copyright
     11  *     notice, this list of conditions and the following disclaimer in the
     12  *     documentation and/or other materials provided with the distribution.
     13  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
     14  *     its contributors may be used to endorse or promote products derived
     15  *     from this software without specific prior written permission.
     16  *
     17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
     18  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
     19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
     20  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
     21  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
     22  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     23  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
     24  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     27  */
     28 
     29 #ifndef SecurityOrigin_h
     30 #define SecurityOrigin_h
     31 
     32 #include "platform/PlatformExport.h"
     33 #include "wtf/ThreadSafeRefCounted.h"
     34 #include "wtf/text/WTFString.h"
     35 
     36 namespace blink {
     37 
     38 class KURL;
     39 class SecurityOriginCache;
     40 
     41 class PLATFORM_EXPORT SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> {
     42 public:
     43     enum Policy {
     44         AlwaysDeny = 0,
     45         AlwaysAllow,
     46         Ask
     47     };
     48 
     49     static PassRefPtr<SecurityOrigin> create(const KURL&);
     50     static PassRefPtr<SecurityOrigin> createUnique();
     51 
     52     static PassRefPtr<SecurityOrigin> createFromString(const String&);
     53     static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port);
     54 
     55     static void setCache(SecurityOriginCache*);
     56 
     57     // Some URL schemes use nested URLs for their security context. For example,
     58     // filesystem URLs look like the following:
     59     //
     60     //   filesystem:http://example.com/temporary/path/to/file.png
     61     //
     62     // We're supposed to use "http://example.com" as the origin.
     63     //
     64     // Generally, we add URL schemes to this list when WebKit support them. For
     65     // example, we don't include the "jar" scheme, even though Firefox
     66     // understands that "jar" uses an inner URL for it's security origin.
     67     static bool shouldUseInnerURL(const KURL&);
     68     static KURL extractInnerURL(const KURL&);
     69 
     70     // Create a deep copy of this SecurityOrigin. This method is useful
     71     // when marshalling a SecurityOrigin to another thread.
     72     PassRefPtr<SecurityOrigin> isolatedCopy() const;
     73 
     74     // Set the domain property of this security origin to newDomain. This
     75     // function does not check whether newDomain is a suffix of the current
     76     // domain. The caller is responsible for validating newDomain.
     77     void setDomainFromDOM(const String& newDomain);
     78     bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
     79 
     80     String protocol() const { return m_protocol; }
     81     String host() const { return m_host; }
     82     String domain() const { return m_domain; }
     83     unsigned short port() const { return m_port; }
     84 
     85     // Returns true if a given URL is secure, based either directly on its
     86     // own protocol, or, when relevant, on the protocol of its "inner URL"
     87     // Protocols like blob: and filesystem: fall into this latter category.
     88     static bool isSecure(const KURL&);
     89 
     90     // Returns true if this SecurityOrigin can script objects in the given
     91     // SecurityOrigin. For example, call this function before allowing
     92     // script from one security origin to read or write objects from
     93     // another SecurityOrigin.
     94     bool canAccess(const SecurityOrigin*) const;
     95 
     96     // Returns true if this SecurityOrigin can read content retrieved from
     97     // the given URL. For example, call this function before issuing
     98     // XMLHttpRequests.
     99     bool canRequest(const KURL&) const;
    100 
    101     // Returns true if drawing an image from this URL taints a canvas from
    102     // this security origin. For example, call this function before
    103     // drawing an image onto an HTML canvas element with the drawImage API.
    104     bool taintsCanvas(const KURL&) const;
    105 
    106     // Returns true if this SecurityOrigin can receive drag content from the
    107     // initiator. For example, call this function before allowing content to be
    108     // dropped onto a target.
    109     bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;
    110 
    111     // Returns true if |document| can display content from the given URL (e.g.,
    112     // in an iframe or as an image). For example, web sites generally cannot
    113     // display content from the user's files system.
    114     bool canDisplay(const KURL&) const;
    115 
    116     // A "secure origin" as defined by [1] are those that load resources either
    117     // from the local machine (necessarily trusted) or over the network from a
    118     // cryptographically-authenticated server.
    119     //
    120     // [1] http://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins-are-secure-
    121     bool canAccessFeatureRequiringSecureOrigin(String& errorMessage) const;
    122 
    123     // Returns true if this SecurityOrigin can load local resources, such
    124     // as images, iframes, and style sheets, and can link to local URLs.
    125     // For example, call this function before creating an iframe to a
    126     // file:// URL.
    127     //
    128     // Note: A SecurityOrigin might be allowed to load local resources
    129     //       without being able to issue an XMLHttpRequest for a local URL.
    130     //       To determine whether the SecurityOrigin can issue an
    131     //       XMLHttpRequest for a URL, call canRequest(url).
    132     bool canLoadLocalResources() const { return m_canLoadLocalResources; }
    133 
    134     // Explicitly grant the ability to load local resources to this
    135     // SecurityOrigin.
    136     //
    137     // Note: This method exists only to support backwards compatibility
    138     //       with older versions of WebKit.
    139     void grantLoadLocalResources();
    140 
    141     // Explicitly grant the ability to access every other SecurityOrigin.
    142     //
    143     // WARNING: This is an extremely powerful ability. Use with caution!
    144     void grantUniversalAccess();
    145 
    146     bool canAccessDatabase() const { return !isUnique(); };
    147     bool canAccessLocalStorage() const { return !isUnique(); };
    148     bool canAccessSharedWorkers() const { return !isUnique(); }
    149     bool canAccessCookies() const { return !isUnique(); }
    150     bool canAccessPasswordManager() const { return !isUnique(); }
    151     bool canAccessFileSystem() const { return !isUnique(); }
    152     Policy canShowNotifications() const;
    153 
    154     // Technically, we should always allow access to sessionStorage, but we
    155     // currently don't handle creating a sessionStorage area for unique
    156     // origins.
    157     bool canAccessSessionStorage() const { return !isUnique(); }
    158 
    159     // The local SecurityOrigin is the most privileged SecurityOrigin.
    160     // The local SecurityOrigin can script any document, navigate to local
    161     // resources, and can set arbitrary headers on XMLHttpRequests.
    162     bool isLocal() const;
    163 
    164     // Returns true if the host is one of 127.0.0.1/8, ::1/128, or "localhost".
    165     bool isLocalhost() const;
    166 
    167     // The origin is a globally unique identifier assigned when the Document is
    168     // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
    169     //
    170     // There's a subtle difference between a unique origin and an origin that
    171     // has the SandboxOrigin flag set. The latter implies the former, and, in
    172     // addition, the SandboxOrigin flag is inherited by iframes.
    173     bool isUnique() const { return m_isUnique; }
    174 
    175     // Marks a file:// origin as being in a domain defined by its path.
    176     // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
    177     // still can have other privileges that can be remembered, thereby not making them unique.
    178     void enforceFilePathSeparation();
    179 
    180     // Convert this SecurityOrigin into a string. The string
    181     // representation of a SecurityOrigin is similar to a URL, except it
    182     // lacks a path component. The string representation does not encode
    183     // the value of the SecurityOrigin's domain property.
    184     //
    185     // When using the string value, it's important to remember that it might be
    186     // "null". This happens when this SecurityOrigin is unique. For example,
    187     // this SecurityOrigin might have come from a sandboxed iframe, the
    188     // SecurityOrigin might be empty, or we might have explicitly decided that
    189     // we shouldTreatURLSchemeAsNoAccess.
    190     String toString() const;
    191     AtomicString toAtomicString() const;
    192 
    193     // Similar to toString(), but does not take into account any factors that
    194     // could make the string return "null".
    195     String toRawString() const;
    196     AtomicString toRawAtomicString() const;
    197 
    198     // This method checks for equality, ignoring the value of document.domain
    199     // (and whether it was set) but considering the host. It is used for postMessage.
    200     bool isSameSchemeHostPort(const SecurityOrigin*) const;
    201 
    202     bool needsDatabaseIdentifierQuirkForFiles() const { return m_needsDatabaseIdentifierQuirkForFiles; }
    203 
    204     static const String& urlWithUniqueSecurityOrigin();
    205 
    206 private:
    207     SecurityOrigin();
    208     explicit SecurityOrigin(const KURL&);
    209     explicit SecurityOrigin(const SecurityOrigin*);
    210 
    211     // FIXME: Rename this function to something more semantic.
    212     bool passesFileCheck(const SecurityOrigin*) const;
    213     void buildRawString(StringBuilder&) const;
    214 
    215     String m_protocol;
    216     String m_host;
    217     String m_domain;
    218     String m_filePath;
    219     unsigned short m_port;
    220     bool m_isUnique;
    221     bool m_universalAccess;
    222     bool m_domainWasSetInDOM;
    223     bool m_canLoadLocalResources;
    224     bool m_enforceFilePathSeparation;
    225     bool m_needsDatabaseIdentifierQuirkForFiles;
    226 };
    227 
    228 } // namespace blink
    229 
    230 #endif // SecurityOrigin_h
    231