1/* 2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 29#ifndef SecurityOrigin_h 30#define SecurityOrigin_h 31 32#include <wtf/ThreadSafeRefCounted.h> 33#include <wtf/text/WTFString.h> 34 35namespace WebCore { 36 37class KURL; 38 39class SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> { 40public: 41 enum Policy { 42 AlwaysDeny = 0, 43 AlwaysAllow, 44 Ask 45 }; 46 47 enum StorageBlockingPolicy { 48 AllowAllStorage = 0, 49 BlockThirdPartyStorage, 50 BlockAllStorage 51 }; 52 53 static PassRefPtr<SecurityOrigin> create(const KURL&); 54 static PassRefPtr<SecurityOrigin> createUnique(); 55 56 static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&); 57 static PassRefPtr<SecurityOrigin> createFromString(const String&); 58 static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port); 59 60 // Some URL schemes use nested URLs for their security context. For example, 61 // filesystem URLs look like the following: 62 // 63 // filesystem:http://example.com/temporary/path/to/file.png 64 // 65 // We're supposed to use "http://example.com" as the origin. 66 // 67 // Generally, we add URL schemes to this list when WebKit support them. For 68 // example, we don't include the "jar" scheme, even though Firefox 69 // understands that "jar" uses an inner URL for it's security origin. 70 static bool shouldUseInnerURL(const KURL&); 71 static KURL extractInnerURL(const KURL&); 72 73 // Create a deep copy of this SecurityOrigin. This method is useful 74 // when marshalling a SecurityOrigin to another thread. 75 PassRefPtr<SecurityOrigin> isolatedCopy() const; 76 77 // Set the domain property of this security origin to newDomain. This 78 // function does not check whether newDomain is a suffix of the current 79 // domain. The caller is responsible for validating newDomain. 80 void setDomainFromDOM(const String& newDomain); 81 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } 82 83 String protocol() const { return m_protocol; } 84 String host() const { return m_host; } 85 String domain() const { return m_domain; } 86 unsigned short port() const { return m_port; } 87 88 // Returns true if a given URL is secure, based either directly on its 89 // own protocol, or, when relevant, on the protocol of its "inner URL" 90 // Protocols like blob: and filesystem: fall into this latter category. 91 static bool isSecure(const KURL&); 92 93 // Returns true if this SecurityOrigin can script objects in the given 94 // SecurityOrigin. For example, call this function before allowing 95 // script from one security origin to read or write objects from 96 // another SecurityOrigin. 97 bool canAccess(const SecurityOrigin*) const; 98 99 // Returns true if this SecurityOrigin can read content retrieved from 100 // the given URL. For example, call this function before issuing 101 // XMLHttpRequests. 102 bool canRequest(const KURL&) const; 103 104 // Returns true if drawing an image from this URL taints a canvas from 105 // this security origin. For example, call this function before 106 // drawing an image onto an HTML canvas element with the drawImage API. 107 bool taintsCanvas(const KURL&) const; 108 109 // Returns true if this SecurityOrigin can receive drag content from the 110 // initiator. For example, call this function before allowing content to be 111 // dropped onto a target. 112 bool canReceiveDragData(const SecurityOrigin* dragInitiator) const; 113 114 // Returns true if |document| can display content from the given URL (e.g., 115 // in an iframe or as an image). For example, web sites generally cannot 116 // display content from the user's files system. 117 bool canDisplay(const KURL&) const; 118 119 // Returns true if this SecurityOrigin can load local resources, such 120 // as images, iframes, and style sheets, and can link to local URLs. 121 // For example, call this function before creating an iframe to a 122 // file:// URL. 123 // 124 // Note: A SecurityOrigin might be allowed to load local resources 125 // without being able to issue an XMLHttpRequest for a local URL. 126 // To determine whether the SecurityOrigin can issue an 127 // XMLHttpRequest for a URL, call canRequest(url). 128 bool canLoadLocalResources() const { return m_canLoadLocalResources; } 129 130 // Explicitly grant the ability to load local resources to this 131 // SecurityOrigin. 132 // 133 // Note: This method exists only to support backwards compatibility 134 // with older versions of WebKit. 135 void grantLoadLocalResources(); 136 137 // Explicitly grant the ability to access very other SecurityOrigin. 138 // 139 // WARNING: This is an extremely powerful ability. Use with caution! 140 void grantUniversalAccess(); 141 142 void setStorageBlockingPolicy(StorageBlockingPolicy policy) { m_storageBlockingPolicy = policy; } 143 144#if ENABLE(CACHE_PARTITIONING) 145 String cachePartition() const; 146#endif 147 148 bool canAccessDatabase(const SecurityOrigin* topOrigin = 0) const { return canAccessStorage(topOrigin); }; 149 bool canAccessSessionStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin, AlwaysAllowFromThirdParty); } 150 bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }; 151 bool canAccessSharedWorkers(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); } 152 bool canAccessPluginStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); } 153 bool canAccessApplicationCache(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); } 154 bool canAccessCookies() const { return !isUnique(); } 155 bool canAccessPasswordManager() const { return !isUnique(); } 156 bool canAccessFileSystem() const { return !isUnique(); } 157 Policy canShowNotifications() const; 158 159 // The local SecurityOrigin is the most privileged SecurityOrigin. 160 // The local SecurityOrigin can script any document, navigate to local 161 // resources, and can set arbitrary headers on XMLHttpRequests. 162 bool isLocal() const; 163 164 // The origin is a globally unique identifier assigned when the Document is 165 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin 166 // 167 // There's a subtle difference between a unique origin and an origin that 168 // has the SandboxOrigin flag set. The latter implies the former, and, in 169 // addition, the SandboxOrigin flag is inherited by iframes. 170 bool isUnique() const { return m_isUnique; } 171 172 // Marks a file:// origin as being in a domain defined by its path. 173 // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files 174 // still can have other privileges that can be remembered, thereby not making them unique. 175 void enforceFilePathSeparation(); 176 177 // Convert this SecurityOrigin into a string. The string 178 // representation of a SecurityOrigin is similar to a URL, except it 179 // lacks a path component. The string representation does not encode 180 // the value of the SecurityOrigin's domain property. 181 // 182 // When using the string value, it's important to remember that it might be 183 // "null". This happens when this SecurityOrigin is unique. For example, 184 // this SecurityOrigin might have come from a sandboxed iframe, the 185 // SecurityOrigin might be empty, or we might have explicitly decided that 186 // we shouldTreatURLSchemeAsNoAccess. 187 String toString() const; 188 189 // Similar to toString(), but does not take into account any factors that 190 // could make the string return "null". 191 String toRawString() const; 192 193 // Serialize the security origin to a string that could be used as part of 194 // file names. This format should be used in storage APIs only. 195 String databaseIdentifier() const; 196 197 // This method checks for equality between SecurityOrigins, not whether 198 // one origin can access another. It is used for hash table keys. 199 // For access checks, use canAccess(). 200 // FIXME: If this method is really only useful for hash table keys, it 201 // should be refactored into SecurityOriginHash. 202 bool equal(const SecurityOrigin*) const; 203 204 // This method checks for equality, ignoring the value of document.domain 205 // (and whether it was set) but considering the host. It is used for postMessage. 206 bool isSameSchemeHostPort(const SecurityOrigin*) const; 207 208 static String urlWithUniqueSecurityOrigin(); 209 210private: 211 SecurityOrigin(); 212 explicit SecurityOrigin(const KURL&); 213 explicit SecurityOrigin(const SecurityOrigin*); 214 215 // FIXME: Rename this function to something more semantic. 216 bool passesFileCheck(const SecurityOrigin*) const; 217 bool isThirdParty(const SecurityOrigin*) const; 218 219 enum ShouldAllowFromThirdParty { AlwaysAllowFromThirdParty, MaybeAllowFromThirdParty }; 220 bool canAccessStorage(const SecurityOrigin*, ShouldAllowFromThirdParty = MaybeAllowFromThirdParty) const; 221 222 String m_protocol; 223 String m_host; 224 String m_domain; 225 String m_filePath; 226 unsigned short m_port; 227 bool m_isUnique; 228 bool m_universalAccess; 229 bool m_domainWasSetInDOM; 230 bool m_canLoadLocalResources; 231 StorageBlockingPolicy m_storageBlockingPolicy; 232 bool m_enforceFilePathSeparation; 233 bool m_needsDatabaseIdentifierQuirkForFiles; 234}; 235 236} // namespace WebCore 237 238#endif // SecurityOrigin_h 239