1/* 2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29#ifndef SecurityOrigin_h 30#define SecurityOrigin_h 31 32#include <wtf/ThreadSafeRefCounted.h> 33#include <wtf/text/WTFString.h> 34 35namespace WebCore { 36 37class URL; 38 39class SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> { 40public: 41 enum Policy { 42 AlwaysDeny = 0, 43 AlwaysAllow, 44 Ask 45 }; 46 47 enum StorageBlockingPolicy { 48 AllowAllStorage = 0, 49 BlockThirdPartyStorage, 50 BlockAllStorage 51 }; 52 53 static PassRefPtr<SecurityOrigin> create(const URL&); 54 static PassRefPtr<SecurityOrigin> createUnique(); 55 56 static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&); 57 // Alternate form of createFromDatabaseIdentifier that returns a nullptr on failure, instead of an empty origin. 58 // FIXME: Many users of createFromDatabaseIdentifier seem to expect maybeCreateFromDatabaseIdentifier behavior, 59 // but they aren't getting it so they might be buggy. 60 static PassRefPtr<SecurityOrigin> maybeCreateFromDatabaseIdentifier(const String&); 61 62 static PassRefPtr<SecurityOrigin> createFromString(const String&); 63 static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port); 64 65 // Some URL schemes use nested URLs for their security context. For example, 66 // filesystem URLs look like the following: 67 // 68 // filesystem:http://example.com/temporary/path/to/file.png 69 // 70 // We're supposed to use "http://example.com" as the origin. 71 // 72 // Generally, we add URL schemes to this list when WebKit support them. For 73 // example, we don't include the "jar" scheme, even though Firefox 74 // understands that "jar" uses an inner URL for it's security origin. 75 static bool shouldUseInnerURL(const URL&); 76 static URL extractInnerURL(const URL&); 77 78 // Create a deep copy of this SecurityOrigin. This method is useful 79 // when marshalling a SecurityOrigin to another thread. 80 PassRefPtr<SecurityOrigin> isolatedCopy() const; 81 82 // Set the domain property of this security origin to newDomain. This 83 // function does not check whether newDomain is a suffix of the current 84 // domain. The caller is responsible for validating newDomain. 85 void setDomainFromDOM(const String& newDomain); 86 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } 87 88 String protocol() const { return m_protocol; } 89 String host() const { return m_host; } 90 String domain() const { return m_domain; } 91 unsigned short port() const { return m_port; } 92 93 // Returns true if a given URL is secure, based either directly on its 94 // own protocol, or, when relevant, on the protocol of its "inner URL" 95 // Protocols like blob: and filesystem: fall into this latter category. 96 static bool isSecure(const URL&); 97 98 // Returns true if this SecurityOrigin can script objects in the given 99 // SecurityOrigin. For example, call this function before allowing 100 // script from one security origin to read or write objects from 101 // another SecurityOrigin. 102 bool canAccess(const SecurityOrigin*) const; 103 104 // Returns true if this SecurityOrigin can read content retrieved from 105 // the given URL. For example, call this function before issuing 106 // XMLHttpRequests. 107 bool canRequest(const URL&) const; 108 109 // Returns true if drawing an image from this URL taints a canvas from 110 // this security origin. For example, call this function before 111 // drawing an image onto an HTML canvas element with the drawImage API. 112 bool taintsCanvas(const URL&) const; 113 114 // Returns true if this SecurityOrigin can receive drag content from the 115 // initiator. For example, call this function before allowing content to be 116 // dropped onto a target. 117 bool canReceiveDragData(const SecurityOrigin* dragInitiator) const; 118 119 // Returns true if |document| can display content from the given URL (e.g., 120 // in an iframe or as an image). For example, web sites generally cannot 121 // display content from the user's files system. 122 bool canDisplay(const URL&) const; 123 124 // Returns true if this SecurityOrigin can load local resources, such 125 // as images, iframes, and style sheets, and can link to local URLs. 126 // For example, call this function before creating an iframe to a 127 // file:// URL. 128 // 129 // Note: A SecurityOrigin might be allowed to load local resources 130 // without being able to issue an XMLHttpRequest for a local URL. 131 // To determine whether the SecurityOrigin can issue an 132 // XMLHttpRequest for a URL, call canRequest(url). 133 bool canLoadLocalResources() const { return m_canLoadLocalResources; } 134 135 // Explicitly grant the ability to load local resources to this 136 // SecurityOrigin. 137 // 138 // Note: This method exists only to support backwards compatibility 139 // with older versions of WebKit. 140 void grantLoadLocalResources(); 141 142 // Explicitly grant the ability to access very other SecurityOrigin. 143 // 144 // WARNING: This is an extremely powerful ability. Use with caution! 145 void grantUniversalAccess(); 146 147 void setStorageBlockingPolicy(StorageBlockingPolicy policy) { m_storageBlockingPolicy = policy; } 148 149#if ENABLE(CACHE_PARTITIONING) 150 String cachePartition() const; 151#endif 152 153 bool canAccessDatabase(const SecurityOrigin* topOrigin = 0) const { return canAccessStorage(topOrigin); }; 154 bool canAccessSessionStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin, AlwaysAllowFromThirdParty); } 155 bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }; 156 bool canAccessSharedWorkers(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); } 157 bool canAccessPluginStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); } 158 bool canAccessApplicationCache(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); } 159 bool canAccessCookies() const { return !isUnique(); } 160 bool canAccessPasswordManager() const { return !isUnique(); } 161 bool canAccessFileSystem() const { return !isUnique(); } 162 Policy canShowNotifications() const; 163 164 // The local SecurityOrigin is the most privileged SecurityOrigin. 165 // The local SecurityOrigin can script any document, navigate to local 166 // resources, and can set arbitrary headers on XMLHttpRequests. 167 bool isLocal() const; 168 169 // The origin is a globally unique identifier assigned when the Document is 170 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin 171 // 172 // There's a subtle difference between a unique origin and an origin that 173 // has the SandboxOrigin flag set. The latter implies the former, and, in 174 // addition, the SandboxOrigin flag is inherited by iframes. 175 bool isUnique() const { return m_isUnique; } 176 177 // Marks a file:// origin as being in a domain defined by its path. 178 // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files 179 // still can have other privileges that can be remembered, thereby not making them unique. 180 void enforceFilePathSeparation(); 181 182 // Convert this SecurityOrigin into a string. The string 183 // representation of a SecurityOrigin is similar to a URL, except it 184 // lacks a path component. The string representation does not encode 185 // the value of the SecurityOrigin's domain property. 186 // 187 // When using the string value, it's important to remember that it might be 188 // "null". This happens when this SecurityOrigin is unique. For example, 189 // this SecurityOrigin might have come from a sandboxed iframe, the 190 // SecurityOrigin might be empty, or we might have explicitly decided that 191 // we shouldTreatURLSchemeAsNoAccess. 192 String toString() const; 193 194 // Similar to toString(), but does not take into account any factors that 195 // could make the string return "null". 196 String toRawString() const; 197 198 // Serialize the security origin to a string that could be used as part of 199 // file names. This format should be used in storage APIs only. 200 String databaseIdentifier() const; 201 202 // This method checks for equality between SecurityOrigins, not whether 203 // one origin can access another. It is used for hash table keys. 204 // For access checks, use canAccess(). 205 // FIXME: If this method is really only useful for hash table keys, it 206 // should be refactored into SecurityOriginHash. 207 bool equal(const SecurityOrigin*) const; 208 209 // This method checks for equality, ignoring the value of document.domain 210 // (and whether it was set) but considering the host. It is used for postMessage. 211 bool isSameSchemeHostPort(const SecurityOrigin*) const; 212 213 static URL urlWithUniqueSecurityOrigin(); 214 215private: 216 SecurityOrigin(); 217 explicit SecurityOrigin(const URL&); 218 explicit SecurityOrigin(const SecurityOrigin*); 219 220 // FIXME: Rename this function to something more semantic. 221 bool passesFileCheck(const SecurityOrigin*) const; 222 bool isThirdParty(const SecurityOrigin*) const; 223 224 // This method checks that the scheme for this origin is an HTTP-family 225 // scheme, e.g. HTTP and HTTPS. 226 bool isHTTPFamily() const { return m_protocol == "http" || m_protocol == "https"; } 227 228 enum ShouldAllowFromThirdParty { AlwaysAllowFromThirdParty, MaybeAllowFromThirdParty }; 229 bool canAccessStorage(const SecurityOrigin*, ShouldAllowFromThirdParty = MaybeAllowFromThirdParty) const; 230 231 String m_protocol; 232 String m_host; 233 String m_domain; 234 String m_filePath; 235 unsigned short m_port; 236 bool m_isUnique; 237 bool m_universalAccess; 238 bool m_domainWasSetInDOM; 239 bool m_canLoadLocalResources; 240 StorageBlockingPolicy m_storageBlockingPolicy; 241 bool m_enforceFilePathSeparation; 242 bool m_needsDatabaseIdentifierQuirkForFiles; 243}; 244 245} // namespace WebCore 246 247#endif // SecurityOrigin_h 248