/* | |
* Copyright (C) 2007,2008 Apple Inc. All rights reserved. | |
* | |
* Redistribution and use in source and binary forms, with or without | |
* modification, are permitted provided that the following conditions | |
* are met: | |
* | |
* 1. Redistributions of source code must retain the above copyright | |
* notice, this list of conditions and the following disclaimer. | |
* 2. Redistributions in binary form must reproduce the above copyright | |
* notice, this list of conditions and the following disclaimer in the | |
* documentation and/or other materials provided with the distribution. | |
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of | |
* its contributors may be used to endorse or promote products derived | |
* from this software without specific prior written permission. | |
* | |
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY | |
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY | |
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | |
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
*/ | |
#ifndef SecurityOrigin_h | |
#define SecurityOrigin_h | |
#include <wtf/HashSet.h> | |
#include <wtf/RefCounted.h> | |
#include <wtf/PassRefPtr.h> | |
#include <wtf/Threading.h> | |
#include "FrameLoaderTypes.h" | |
#include "PlatformString.h" | |
#include "StringHash.h" | |
namespace WebCore { | |
typedef HashSet<String, CaseFoldingHash> URLSchemesMap; | |
class Document; | |
class KURL; | |
class SecurityOrigin : public ThreadSafeShared<SecurityOrigin> { | |
public: | |
static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&); | |
static PassRefPtr<SecurityOrigin> createFromString(const String&); | |
static PassRefPtr<SecurityOrigin> create(const KURL&, SandboxFlags = SandboxNone); | |
static PassRefPtr<SecurityOrigin> createEmpty(); | |
// Create a deep copy of this SecurityOrigin. This method is useful | |
// when marshalling a SecurityOrigin to another thread. | |
PassRefPtr<SecurityOrigin> threadsafeCopy(); | |
// Set the domain property of this security origin to newDomain. This | |
// function does not check whether newDomain is a suffix of the current | |
// domain. The caller is responsible for validating newDomain. | |
void setDomainFromDOM(const String& newDomain); | |
bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } | |
static void setDomainRelaxationForbiddenForURLScheme(bool forbidden, const String&); | |
static bool isDomainRelaxationForbiddenForURLScheme(const String&); | |
String protocol() const { return m_protocol; } | |
String host() const { return m_host; } | |
String domain() const { return m_domain; } | |
unsigned short port() const { return m_port; } | |
// Returns true if this SecurityOrigin can script objects in the given | |
// SecurityOrigin. For example, call this function before allowing | |
// script from one security origin to read or write objects from | |
// another SecurityOrigin. | |
bool canAccess(const SecurityOrigin*) const; | |
// Returns true if this SecurityOrigin can read content retrieved from | |
// the given URL. For example, call this function before issuing | |
// XMLHttpRequests. | |
bool canRequest(const KURL&) const; | |
// Returns true if drawing an image from this URL taints a canvas from | |
// this security origin. For example, call this function before | |
// drawing an image onto an HTML canvas element with the drawImage API. | |
bool taintsCanvas(const KURL&) const; | |
// Returns true for any non-local URL. If document parameter is supplied, | |
// its local load policy dictates, otherwise if referrer is non-empty and | |
// represents a local file, then the local load is allowed. | |
static bool canLoad(const KURL&, const String& referrer, Document* document); | |
// Returns true if this SecurityOrigin can load local resources, such | |
// as images, iframes, and style sheets, and can link to local URLs. | |
// For example, call this function before creating an iframe to a | |
// file:// URL. | |
// | |
// Note: A SecurityOrigin might be allowed to load local resources | |
// without being able to issue an XMLHttpRequest for a local URL. | |
// To determine whether the SecurityOrigin can issue an | |
// XMLHttpRequest for a URL, call canRequest(url). | |
bool canLoadLocalResources() const { return m_canLoadLocalResources; } | |
// Explicitly grant the ability to load local resources to this | |
// SecurityOrigin. | |
// | |
// Note: This method exists only to support backwards compatibility | |
// with older versions of WebKit. | |
void grantLoadLocalResources(); | |
// Explicitly grant the ability to access very other SecurityOrigin. | |
// | |
// WARNING: This is an extremely powerful ability. Use with caution! | |
void grantUniversalAccess(); | |
bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; } | |
bool canAccessDatabase() const { return !isUnique(); } | |
bool canAccessLocalStorage() const { return !isUnique(); } | |
bool canAccessCookies() const { return !isUnique(); } | |
bool isSecureTransitionTo(const KURL&) const; | |
// The local SecurityOrigin is the most privileged SecurityOrigin. | |
// The local SecurityOrigin can script any document, navigate to local | |
// resources, and can set arbitrary headers on XMLHttpRequests. | |
bool isLocal() const; | |
// The empty SecurityOrigin is the least privileged SecurityOrigin. | |
bool isEmpty() const; | |
// The origin is a globally unique identifier assigned when the Document is | |
// created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin | |
// | |
// There's a subtle difference between a unique origin and an origin that | |
// has the SandboxOrigin flag set. The latter implies the former, and, in | |
// addition, the SandboxOrigin flag is inherited by iframes. | |
bool isUnique() const { return m_isUnique; } | |
// Marks an origin as being unique. | |
void makeUnique(); | |
// Convert this SecurityOrigin into a string. The string | |
// representation of a SecurityOrigin is similar to a URL, except it | |
// lacks a path component. The string representation does not encode | |
// the value of the SecurityOrigin's domain property. | |
// | |
// When using the string value, it's important to remember that it might be | |
// "null". This happens when this SecurityOrigin is unique. For example, | |
// this SecurityOrigin might have come from a sandboxed iframe, the | |
// SecurityOrigin might be empty, or we might have explicitly decided that | |
// we shouldTreatURLSchemeAsNoAccess. | |
String toString() const; | |
// Serialize the security origin to a string that could be used as part of | |
// file names. This format should be used in storage APIs only. | |
String databaseIdentifier() const; | |
// This method checks for equality between SecurityOrigins, not whether | |
// one origin can access another. It is used for hash table keys. | |
// For access checks, use canAccess(). | |
// FIXME: If this method is really only useful for hash table keys, it | |
// should be refactored into SecurityOriginHash. | |
bool equal(const SecurityOrigin*) const; | |
// This method checks for equality, ignoring the value of document.domain | |
// (and whether it was set) but considering the host. It is used for postMessage. | |
bool isSameSchemeHostPort(const SecurityOrigin*) const; | |
static void registerURLSchemeAsLocal(const String&); | |
static void removeURLSchemeRegisteredAsLocal(const String&); | |
static const URLSchemesMap& localURLSchemes(); | |
static bool shouldTreatURLAsLocal(const String&); | |
static bool shouldTreatURLSchemeAsLocal(const String&); | |
// Secure schemes do not trigger mixed content warnings. For example, | |
// https and data are secure schemes because they cannot be corrupted by | |
// active network attackers. | |
static void registerURLSchemeAsSecure(const String&); | |
static bool shouldTreatURLSchemeAsSecure(const String&); | |
static bool shouldHideReferrer(const KURL&, const String& referrer); | |
enum LocalLoadPolicy { | |
AllowLocalLoadsForAll, // No restriction on local loads. | |
AllowLocalLoadsForLocalAndSubstituteData, | |
AllowLocalLoadsForLocalOnly, | |
}; | |
static void setLocalLoadPolicy(LocalLoadPolicy); | |
static bool restrictAccessToLocal(); | |
static bool allowSubstituteDataAccessToLocal(); | |
static void registerURLSchemeAsNoAccess(const String&); | |
static bool shouldTreatURLSchemeAsNoAccess(const String&); | |
static void whiteListAccessFromOrigin(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains); | |
static void resetOriginAccessWhiteLists(); | |
private: | |
SecurityOrigin(const KURL&, SandboxFlags); | |
explicit SecurityOrigin(const SecurityOrigin*); | |
SandboxFlags m_sandboxFlags; | |
String m_protocol; | |
String m_host; | |
mutable String m_encodedHost; | |
String m_domain; | |
unsigned short m_port; | |
bool m_isUnique; | |
bool m_universalAccess; | |
bool m_domainWasSetInDOM; | |
bool m_canLoadLocalResources; | |
}; | |
} // namespace WebCore | |
#endif // SecurityOrigin_h |