1/*
2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1.  Redistributions of source code must retain the above copyright
9 *     notice, this list of conditions and the following disclaimer.
10 * 2.  Redistributions in binary form must reproduce the above copyright
11 *     notice, this list of conditions and the following disclaimer in the
12 *     documentation and/or other materials provided with the distribution.
13 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 *     its contributors may be used to endorse or promote products derived
15 *     from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#ifndef SecurityOrigin_h
30#define SecurityOrigin_h
31
32#include <wtf/ThreadSafeRefCounted.h>
33#include <wtf/text/WTFString.h>
34
35namespace WebCore {
36
37class KURL;
38
39class SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> {
40public:
41    enum Policy {
42        AlwaysDeny = 0,
43        AlwaysAllow,
44        Ask
45    };
46
47    enum StorageBlockingPolicy {
48        AllowAllStorage = 0,
49        BlockThirdPartyStorage,
50        BlockAllStorage
51    };
52
53    static PassRefPtr<SecurityOrigin> create(const KURL&);
54    static PassRefPtr<SecurityOrigin> createUnique();
55
56    static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&);
57    static PassRefPtr<SecurityOrigin> createFromString(const String&);
58    static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port);
59
60    // Some URL schemes use nested URLs for their security context. For example,
61    // filesystem URLs look like the following:
62    //
63    //   filesystem:http://example.com/temporary/path/to/file.png
64    //
65    // We're supposed to use "http://example.com" as the origin.
66    //
67    // Generally, we add URL schemes to this list when WebKit support them. For
68    // example, we don't include the "jar" scheme, even though Firefox
69    // understands that "jar" uses an inner URL for it's security origin.
70    static bool shouldUseInnerURL(const KURL&);
71    static KURL extractInnerURL(const KURL&);
72
73    // Create a deep copy of this SecurityOrigin. This method is useful
74    // when marshalling a SecurityOrigin to another thread.
75    PassRefPtr<SecurityOrigin> isolatedCopy() const;
76
77    // Set the domain property of this security origin to newDomain. This
78    // function does not check whether newDomain is a suffix of the current
79    // domain. The caller is responsible for validating newDomain.
80    void setDomainFromDOM(const String& newDomain);
81    bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
82
83    String protocol() const { return m_protocol; }
84    String host() const { return m_host; }
85    String domain() const { return m_domain; }
86    unsigned short port() const { return m_port; }
87
88    // Returns true if a given URL is secure, based either directly on its
89    // own protocol, or, when relevant, on the protocol of its "inner URL"
90    // Protocols like blob: and filesystem: fall into this latter category.
91    static bool isSecure(const KURL&);
92
93    // Returns true if this SecurityOrigin can script objects in the given
94    // SecurityOrigin. For example, call this function before allowing
95    // script from one security origin to read or write objects from
96    // another SecurityOrigin.
97    bool canAccess(const SecurityOrigin*) const;
98
99    // Returns true if this SecurityOrigin can read content retrieved from
100    // the given URL. For example, call this function before issuing
101    // XMLHttpRequests.
102    bool canRequest(const KURL&) const;
103
104    // Returns true if drawing an image from this URL taints a canvas from
105    // this security origin. For example, call this function before
106    // drawing an image onto an HTML canvas element with the drawImage API.
107    bool taintsCanvas(const KURL&) const;
108
109    // Returns true if this SecurityOrigin can receive drag content from the
110    // initiator. For example, call this function before allowing content to be
111    // dropped onto a target.
112    bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;
113
114    // Returns true if |document| can display content from the given URL (e.g.,
115    // in an iframe or as an image). For example, web sites generally cannot
116    // display content from the user's files system.
117    bool canDisplay(const KURL&) const;
118
119    // Returns true if this SecurityOrigin can load local resources, such
120    // as images, iframes, and style sheets, and can link to local URLs.
121    // For example, call this function before creating an iframe to a
122    // file:// URL.
123    //
124    // Note: A SecurityOrigin might be allowed to load local resources
125    //       without being able to issue an XMLHttpRequest for a local URL.
126    //       To determine whether the SecurityOrigin can issue an
127    //       XMLHttpRequest for a URL, call canRequest(url).
128    bool canLoadLocalResources() const { return m_canLoadLocalResources; }
129
130    // Explicitly grant the ability to load local resources to this
131    // SecurityOrigin.
132    //
133    // Note: This method exists only to support backwards compatibility
134    //       with older versions of WebKit.
135    void grantLoadLocalResources();
136
137    // Explicitly grant the ability to access very other SecurityOrigin.
138    //
139    // WARNING: This is an extremely powerful ability. Use with caution!
140    void grantUniversalAccess();
141
142    void setStorageBlockingPolicy(StorageBlockingPolicy policy) { m_storageBlockingPolicy = policy; }
143
144#if ENABLE(CACHE_PARTITIONING)
145    String cachePartition() const;
146#endif
147
148    bool canAccessDatabase(const SecurityOrigin* topOrigin = 0) const { return canAccessStorage(topOrigin); };
149    bool canAccessSessionStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin, AlwaysAllowFromThirdParty); }
150    bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); };
151    bool canAccessSharedWorkers(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
152    bool canAccessPluginStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
153    bool canAccessApplicationCache(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
154    bool canAccessCookies() const { return !isUnique(); }
155    bool canAccessPasswordManager() const { return !isUnique(); }
156    bool canAccessFileSystem() const { return !isUnique(); }
157    Policy canShowNotifications() const;
158
159    // The local SecurityOrigin is the most privileged SecurityOrigin.
160    // The local SecurityOrigin can script any document, navigate to local
161    // resources, and can set arbitrary headers on XMLHttpRequests.
162    bool isLocal() const;
163
164    // The origin is a globally unique identifier assigned when the Document is
165    // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
166    //
167    // There's a subtle difference between a unique origin and an origin that
168    // has the SandboxOrigin flag set. The latter implies the former, and, in
169    // addition, the SandboxOrigin flag is inherited by iframes.
170    bool isUnique() const { return m_isUnique; }
171
172    // Marks a file:// origin as being in a domain defined by its path.
173    // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
174    // still can have other privileges that can be remembered, thereby not making them unique.
175    void enforceFilePathSeparation();
176
177    // Convert this SecurityOrigin into a string. The string
178    // representation of a SecurityOrigin is similar to a URL, except it
179    // lacks a path component. The string representation does not encode
180    // the value of the SecurityOrigin's domain property.
181    //
182    // When using the string value, it's important to remember that it might be
183    // "null". This happens when this SecurityOrigin is unique. For example,
184    // this SecurityOrigin might have come from a sandboxed iframe, the
185    // SecurityOrigin might be empty, or we might have explicitly decided that
186    // we shouldTreatURLSchemeAsNoAccess.
187    String toString() const;
188
189    // Similar to toString(), but does not take into account any factors that
190    // could make the string return "null".
191    String toRawString() const;
192
193    // Serialize the security origin to a string that could be used as part of
194    // file names. This format should be used in storage APIs only.
195    String databaseIdentifier() const;
196
197    // This method checks for equality between SecurityOrigins, not whether
198    // one origin can access another. It is used for hash table keys.
199    // For access checks, use canAccess().
200    // FIXME: If this method is really only useful for hash table keys, it
201    // should be refactored into SecurityOriginHash.
202    bool equal(const SecurityOrigin*) const;
203
204    // This method checks for equality, ignoring the value of document.domain
205    // (and whether it was set) but considering the host. It is used for postMessage.
206    bool isSameSchemeHostPort(const SecurityOrigin*) const;
207
208    static String urlWithUniqueSecurityOrigin();
209
210private:
211    SecurityOrigin();
212    explicit SecurityOrigin(const KURL&);
213    explicit SecurityOrigin(const SecurityOrigin*);
214
215    // FIXME: Rename this function to something more semantic.
216    bool passesFileCheck(const SecurityOrigin*) const;
217    bool isThirdParty(const SecurityOrigin*) const;
218
219    enum ShouldAllowFromThirdParty { AlwaysAllowFromThirdParty, MaybeAllowFromThirdParty };
220    bool canAccessStorage(const SecurityOrigin*, ShouldAllowFromThirdParty = MaybeAllowFromThirdParty) const;
221
222    String m_protocol;
223    String m_host;
224    String m_domain;
225    String m_filePath;
226    unsigned short m_port;
227    bool m_isUnique;
228    bool m_universalAccess;
229    bool m_domainWasSetInDOM;
230    bool m_canLoadLocalResources;
231    StorageBlockingPolicy m_storageBlockingPolicy;
232    bool m_enforceFilePathSeparation;
233    bool m_needsDatabaseIdentifierQuirkForFiles;
234};
235
236} // namespace WebCore
237
238#endif // SecurityOrigin_h
239