1/* 2 * Copyright (C) 2007 Apple Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29#include "config.h" 30#include "SecurityOrigin.h" 31 32#include "BlobURL.h" 33#include "FileSystem.h" 34#include "URL.h" 35#include "SchemeRegistry.h" 36#include "SecurityPolicy.h" 37#include "ThreadableBlobRegistry.h" 38#include <wtf/MainThread.h> 39#include <wtf/NeverDestroyed.h> 40#include <wtf/StdLibExtras.h> 41#include <wtf/text/StringBuilder.h> 42 43namespace WebCore { 44 45const int InvalidPort = 0; 46const int MaxAllowedPort = 65535; 47 48static bool schemeRequiresHost(const URL& url) 49{ 50 // We expect URLs with these schemes to have authority components. If the 51 // URL lacks an authority component, we get concerned and mark the origin 52 // as unique. 53 return url.protocolIsInHTTPFamily() || url.protocolIs("ftp"); 54} 55 56bool SecurityOrigin::shouldUseInnerURL(const URL& url) 57{ 58 // FIXME: Blob URLs don't have inner URLs. Their form is "blob:<inner-origin>/<UUID>", so treating the part after "blob:" as a URL is incorrect. 59 if (url.protocolIs("blob")) 60 return true; 61 UNUSED_PARAM(url); 62 return false; 63} 64 65// In general, extracting the inner URL varies by scheme. It just so happens 66// that all the URL schemes we currently support that use inner URLs for their 67// security origin can be parsed using this algorithm. 68URL SecurityOrigin::extractInnerURL(const URL& url) 69{ 70 if (url.innerURL()) 71 return *url.innerURL(); 72 // FIXME: Update this callsite to use the innerURL member function when 73 // we finish implementing it. 74 return URL(ParsedURLString, decodeURLEscapeSequences(url.path())); 75} 76 77static PassRefPtr<SecurityOrigin> getCachedOrigin(const URL& url) 78{ 79 if (url.protocolIs("blob")) 80 return ThreadableBlobRegistry::getCachedOrigin(url); 81 return 0; 82} 83 84static bool shouldTreatAsUniqueOrigin(const URL& url) 85{ 86 if (!url.isValid()) 87 return true; 88 89 // FIXME: Do we need to unwrap the URL further? 90 URL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; 91 92 // FIXME: Check whether innerURL is valid. 93 94 // For edge case URLs that were probably misparsed, make sure that the origin is unique. 95 // This is an additional safety net against bugs in URL parsing, and for network back-ends that parse URLs differently, 96 // and could misinterpret another component for hostname. 97 if (schemeRequiresHost(innerURL) && innerURL.host().isEmpty()) 98 return true; 99 100 // SchemeRegistry needs a lower case protocol because it uses HashMaps 101 // that assume the scheme has already been canonicalized. 102 String protocol = innerURL.protocol().lower(); 103 104 if (SchemeRegistry::shouldTreatURLSchemeAsNoAccess(protocol)) 105 return true; 106 107 // This is the common case. 108 return false; 109} 110 111SecurityOrigin::SecurityOrigin(const URL& url) 112 : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) 113 , m_host(url.host().isNull() ? "" : url.host().lower()) 114 , m_port(url.port()) 115 , m_isUnique(false) 116 , m_universalAccess(false) 117 , m_domainWasSetInDOM(false) 118 , m_storageBlockingPolicy(AllowAllStorage) 119 , m_enforceFilePathSeparation(false) 120 , m_needsDatabaseIdentifierQuirkForFiles(false) 121{ 122 // document.domain starts as m_host, but can be set by the DOM. 123 m_domain = m_host; 124 125 if (isDefaultPortForProtocol(m_port, m_protocol)) 126 m_port = InvalidPort; 127 128 // By default, only local SecurityOrigins can load local resources. 129 m_canLoadLocalResources = isLocal(); 130 131 if (m_canLoadLocalResources) 132 m_filePath = url.path(); // In case enforceFilePathSeparation() is called. 133} 134 135SecurityOrigin::SecurityOrigin() 136 : m_protocol("") 137 , m_host("") 138 , m_domain("") 139 , m_port(InvalidPort) 140 , m_isUnique(true) 141 , m_universalAccess(false) 142 , m_domainWasSetInDOM(false) 143 , m_canLoadLocalResources(false) 144 , m_storageBlockingPolicy(AllowAllStorage) 145 , m_enforceFilePathSeparation(false) 146 , m_needsDatabaseIdentifierQuirkForFiles(false) 147{ 148} 149 150SecurityOrigin::SecurityOrigin(const SecurityOrigin* other) 151 : m_protocol(other->m_protocol.isolatedCopy()) 152 , m_host(other->m_host.isolatedCopy()) 153 , m_domain(other->m_domain.isolatedCopy()) 154 , m_filePath(other->m_filePath.isolatedCopy()) 155 , m_port(other->m_port) 156 , m_isUnique(other->m_isUnique) 157 , m_universalAccess(other->m_universalAccess) 158 , m_domainWasSetInDOM(other->m_domainWasSetInDOM) 159 , m_canLoadLocalResources(other->m_canLoadLocalResources) 160 , m_storageBlockingPolicy(other->m_storageBlockingPolicy) 161 , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation) 162 , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles) 163{ 164} 165 166PassRefPtr<SecurityOrigin> SecurityOrigin::create(const URL& url) 167{ 168 RefPtr<SecurityOrigin> cachedOrigin = getCachedOrigin(url); 169 if (cachedOrigin.get()) 170 return cachedOrigin; 171 172 if (shouldTreatAsUniqueOrigin(url)) { 173 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); 174 175 if (url.protocolIs("file")) { 176 // Unfortunately, we can't represent all unique origins exactly 177 // the same way because we need to produce a quirky database 178 // identifier for file URLs due to persistent storage in some 179 // embedders of WebKit. 180 origin->m_needsDatabaseIdentifierQuirkForFiles = true; 181 } 182 183 return origin.release(); 184 } 185 186 if (shouldUseInnerURL(url)) 187 return adoptRef(new SecurityOrigin(extractInnerURL(url))); 188 189 return adoptRef(new SecurityOrigin(url)); 190} 191 192PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique() 193{ 194 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); 195 ASSERT(origin->isUnique()); 196 return origin.release(); 197} 198 199PassRefPtr<SecurityOrigin> SecurityOrigin::isolatedCopy() const 200{ 201 return adoptRef(new SecurityOrigin(this)); 202} 203 204void SecurityOrigin::setDomainFromDOM(const String& newDomain) 205{ 206 m_domainWasSetInDOM = true; 207 m_domain = newDomain.lower(); 208} 209 210bool SecurityOrigin::isSecure(const URL& url) 211{ 212 // Invalid URLs are secure, as are URLs which have a secure protocol. 213 if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol())) 214 return true; 215 216 // URLs that wrap inner URLs are secure if those inner URLs are secure. 217 if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol())) 218 return true; 219 220 return false; 221} 222 223bool SecurityOrigin::canAccess(const SecurityOrigin* other) const 224{ 225 if (m_universalAccess) 226 return true; 227 228 if (this == other) 229 return true; 230 231 if (isUnique() || other->isUnique()) 232 return false; 233 234 // Here are two cases where we should permit access: 235 // 236 // 1) Neither document has set document.domain. In this case, we insist 237 // that the scheme, host, and port of the URLs match. 238 // 239 // 2) Both documents have set document.domain. In this case, we insist 240 // that the documents have set document.domain to the same value and 241 // that the scheme of the URLs match. 242 // 243 // This matches the behavior of Firefox 2 and Internet Explorer 6. 244 // 245 // Internet Explorer 7 and Opera 9 are more strict in that they require 246 // the port numbers to match when both pages have document.domain set. 247 // 248 // FIXME: Evaluate whether we can tighten this policy to require matched 249 // port numbers. 250 // 251 // Opera 9 allows access when only one page has set document.domain, but 252 // this is a security vulnerability. 253 254 bool canAccess = false; 255 if (m_protocol == other->m_protocol) { 256 if (!m_domainWasSetInDOM && !other->m_domainWasSetInDOM) { 257 if (m_host == other->m_host && m_port == other->m_port) 258 canAccess = true; 259 } else if (m_domainWasSetInDOM && other->m_domainWasSetInDOM) { 260 if (m_domain == other->m_domain) 261 canAccess = true; 262 } 263 } 264 265 if (canAccess && isLocal()) 266 canAccess = passesFileCheck(other); 267 268 return canAccess; 269} 270 271bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const 272{ 273 ASSERT(isLocal() && other->isLocal()); 274 275 if (!m_enforceFilePathSeparation && !other->m_enforceFilePathSeparation) 276 return true; 277 278 return (m_filePath == other->m_filePath); 279} 280 281bool SecurityOrigin::canRequest(const URL& url) const 282{ 283 if (m_universalAccess) 284 return true; 285 286 if (getCachedOrigin(url) == this) 287 return true; 288 289 if (isUnique()) 290 return false; 291 292 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url); 293 294 if (targetOrigin->isUnique()) 295 return false; 296 297 // We call isSameSchemeHostPort here instead of canAccess because we want 298 // to ignore document.domain effects. 299 if (isSameSchemeHostPort(targetOrigin.get())) 300 return true; 301 302 if (SecurityPolicy::isAccessWhiteListed(this, targetOrigin.get())) 303 return true; 304 305 return false; 306} 307 308bool SecurityOrigin::taintsCanvas(const URL& url) const 309{ 310 if (canRequest(url)) 311 return false; 312 313 // This function exists because we treat data URLs as having a unique origin, 314 // contrary to the current (9/19/2009) draft of the HTML5 specification. 315 // We still want to let folks paint data URLs onto untainted canvases, so 316 // we special case data URLs below. If we change to match HTML5 w.r.t. 317 // data URL security, then we can remove this function in favor of 318 // !canRequest. 319 if (url.protocolIsData()) 320 return false; 321 322 return true; 323} 324 325bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const 326{ 327 if (this == dragInitiator) 328 return true; 329 330 return canAccess(dragInitiator); 331} 332 333// This is a hack to allow keep navigation to http/https feeds working. To remove this 334// we need to introduce new API akin to registerURLSchemeAsLocal, that registers a 335// protocols navigation policy. 336// feed(|s|search): is considered a 'nesting' scheme by embedders that support it, so it can be 337// local or remote depending on what is nested. Currently we just check if we are nesting 338// http or https, otherwise we ignore the nesting for the purpose of a security check. We need 339// a facility for registering nesting schemes, and some generalized logic for them. 340// This function should be removed as an outcome of https://bugs.webkit.org/show_bug.cgi?id=69196 341static bool isFeedWithNestedProtocolInHTTPFamily(const URL& url) 342{ 343 const String& urlString = url.string(); 344 if (!urlString.startsWith("feed", false)) 345 return false; 346 347 return urlString.startsWith("feed://", false) 348 || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false) 349 || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false) 350 || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false); 351} 352 353bool SecurityOrigin::canDisplay(const URL& url) const 354{ 355 if (m_universalAccess) 356 return true; 357 358 String protocol = url.protocol().lower(); 359 360 if (isFeedWithNestedProtocolInHTTPFamily(url)) 361 return true; 362 363 if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol)) 364 return canRequest(url); 365 366 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol)) 367 return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListed(this, url); 368 369 if (SecurityPolicy::restrictAccessToLocal() && SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) 370 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteListed(this, url); 371 372 return true; 373} 374 375bool SecurityOrigin::canAccessStorage(const SecurityOrigin* topOrigin, ShouldAllowFromThirdParty shouldAllowFromThirdParty) const 376{ 377 if (isUnique()) 378 return false; 379 380 if (m_storageBlockingPolicy == BlockAllStorage) 381 return false; 382 383 // FIXME: This check should be replaced with an ASSERT once we can guarantee that topOrigin is not null. 384 if (!topOrigin) 385 return true; 386 387 if (topOrigin->m_storageBlockingPolicy == BlockAllStorage) 388 return false; 389 390 if (shouldAllowFromThirdParty == AlwaysAllowFromThirdParty) 391 return true; 392 393 if ((m_storageBlockingPolicy == BlockThirdPartyStorage || topOrigin->m_storageBlockingPolicy == BlockThirdPartyStorage) && topOrigin->isThirdParty(this)) 394 return false; 395 396 return true; 397} 398 399SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const 400{ 401 if (m_universalAccess) 402 return AlwaysAllow; 403 if (isUnique()) 404 return AlwaysDeny; 405 return Ask; 406} 407 408bool SecurityOrigin::isThirdParty(const SecurityOrigin* child) const 409{ 410 if (child->m_universalAccess) 411 return false; 412 413 if (this == child) 414 return false; 415 416 if (isUnique() || child->isUnique()) 417 return true; 418 419 return !isSameSchemeHostPort(child); 420} 421 422void SecurityOrigin::grantLoadLocalResources() 423{ 424 // Granting privileges to some, but not all, documents in a SecurityOrigin 425 // is a security hazard because the documents without the privilege can 426 // obtain the privilege by injecting script into the documents that have 427 // been granted the privilege. 428 m_canLoadLocalResources = true; 429} 430 431void SecurityOrigin::grantUniversalAccess() 432{ 433 m_universalAccess = true; 434} 435 436#if ENABLE(CACHE_PARTITIONING) 437String SecurityOrigin::cachePartition() const 438{ 439 if (m_storageBlockingPolicy != BlockThirdPartyStorage) 440 return String(); 441 442 if (isHTTPFamily()) 443 return host(); 444 445 if (SchemeRegistry::shouldPartitionCacheForURLScheme(m_protocol)) 446 return host(); 447 448 return String(); 449} 450#endif 451 452void SecurityOrigin::enforceFilePathSeparation() 453{ 454 ASSERT(isLocal()); 455 m_enforceFilePathSeparation = true; 456} 457 458bool SecurityOrigin::isLocal() const 459{ 460 return SchemeRegistry::shouldTreatURLSchemeAsLocal(m_protocol); 461} 462 463String SecurityOrigin::toString() const 464{ 465 if (isUnique()) 466 return "null"; 467 if (m_protocol == "file" && m_enforceFilePathSeparation) 468 return "null"; 469 return toRawString(); 470} 471 472String SecurityOrigin::toRawString() const 473{ 474 if (m_protocol == "file") 475 return "file://"; 476 477 StringBuilder result; 478 result.reserveCapacity(m_protocol.length() + m_host.length() + 10); 479 result.append(m_protocol); 480 result.append("://"); 481 result.append(m_host); 482 483 if (m_port) { 484 result.append(':'); 485 result.appendNumber(m_port); 486 } 487 488 return result.toString(); 489} 490 491PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString) 492{ 493 return SecurityOrigin::create(URL(URL(), originString)); 494} 495 496static const char separatorCharacter = '_'; 497 498PassRefPtr<SecurityOrigin> SecurityOrigin::maybeCreateFromDatabaseIdentifier(const String& databaseIdentifier) 499{ 500 // Make sure there's a first separator 501 size_t separator1 = databaseIdentifier.find(separatorCharacter); 502 if (separator1 == notFound) 503 return nullptr; 504 505 // Make sure there's a second separator 506 size_t separator2 = databaseIdentifier.reverseFind(separatorCharacter); 507 if (separator2 == notFound) 508 return nullptr; 509 510 // Ensure there were at least 2 separator characters. Some hostnames on intranets have 511 // underscores in them, so we'll assume that any additional underscores are part of the host. 512 if (separator1 == separator2) 513 return nullptr; 514 515 // Make sure the port section is a valid port number or doesn't exist 516 bool portOkay; 517 int port = databaseIdentifier.right(databaseIdentifier.length() - separator2 - 1).toInt(&portOkay); 518 bool portAbsent = (separator2 == databaseIdentifier.length() - 1); 519 if (!(portOkay || portAbsent)) 520 return nullptr; 521 522 if (port < 0 || port > MaxAllowedPort) 523 return nullptr; 524 525 // Split out the 3 sections of data 526 String protocol = databaseIdentifier.substring(0, separator1); 527 String host = databaseIdentifier.substring(separator1 + 1, separator2 - separator1 - 1); 528 529 host = decodeURLEscapeSequences(host); 530 return create(URL(URL(), protocol + "://" + host + ":" + String::number(port) + "/")); 531} 532 533PassRefPtr<SecurityOrigin> SecurityOrigin::createFromDatabaseIdentifier(const String& databaseIdentifier) 534{ 535 RefPtr<SecurityOrigin> origin = maybeCreateFromDatabaseIdentifier(databaseIdentifier); 536 if (origin) 537 return origin.release(); 538 return create(URL()); 539} 540 541PassRefPtr<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, int port) 542{ 543 if (port < 0 || port > MaxAllowedPort) 544 return createUnique(); 545 String decodedHost = decodeURLEscapeSequences(host); 546 return create(URL(URL(), protocol + "://" + host + ":" + String::number(port) + "/")); 547} 548 549String SecurityOrigin::databaseIdentifier() const 550{ 551 // Historically, we've used the following (somewhat non-sensical) string 552 // for the databaseIdentifier of local files. We used to compute this 553 // string because of a bug in how we handled the scheme for file URLs. 554 // Now that we've fixed that bug, we still need to produce this string 555 // to avoid breaking existing persistent state. 556 if (m_needsDatabaseIdentifierQuirkForFiles) 557 return "file__0"; 558 559 StringBuilder stringBuilder; 560 stringBuilder.append(m_protocol); 561 stringBuilder.append(separatorCharacter); 562 stringBuilder.append(encodeForFileName(m_host)); 563 stringBuilder.append(separatorCharacter); 564 stringBuilder.appendNumber(m_port); 565 566 return stringBuilder.toString(); 567} 568 569bool SecurityOrigin::equal(const SecurityOrigin* other) const 570{ 571 if (other == this) 572 return true; 573 574 if (!isSameSchemeHostPort(other)) 575 return false; 576 577 if (m_domainWasSetInDOM != other->m_domainWasSetInDOM) 578 return false; 579 580 if (m_domainWasSetInDOM && m_domain != other->m_domain) 581 return false; 582 583 return true; 584} 585 586bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const 587{ 588 if (m_host != other->m_host) 589 return false; 590 591 if (m_protocol != other->m_protocol) 592 return false; 593 594 if (m_port != other->m_port) 595 return false; 596 597 if (isLocal() && !passesFileCheck(other)) 598 return false; 599 600 return true; 601} 602 603URL SecurityOrigin::urlWithUniqueSecurityOrigin() 604{ 605 ASSERT(isMainThread()); 606 static NeverDestroyed<URL> uniqueSecurityOriginURL(ParsedURLString, ASCIILiteral("data:,")); 607 return uniqueSecurityOriginURL; 608} 609 610} // namespace WebCore 611