Basic experimental suborigin CSP directive and SecurityOrigin mods

Source/platform/weborigin/SecurityOrigin.cpp

 /*
  * Copyright (C) 2007 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 11 matching lines @@
  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "config.h"
 #include "platform/weborigin/SecurityOrigin.h"
 
+#include "platform/RuntimeEnabledFeatures.h"
 #include "platform/weborigin/KURL.h"
 #include "platform/weborigin/KnownPorts.h"
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOriginCache.h"
 #include "platform/weborigin/SecurityPolicy.h"
 #include "url/url_canon_ip.h"
 #include "wtf/HexNumber.h"
 #include "wtf/MainThread.h"
+#include "wtf/NotFound.h"
 #include "wtf/StdLibExtras.h"
 #include "wtf/text/StringBuilder.h"
 
 namespace blink {
 
 const int InvalidPort = 0;
 const int MaxAllowedPort = 65535;
 
 static SecurityOriginCache* s_originCache = 0;
 
 static bool schemeRequiresAuthority(const KURL& url)
 {
     // We expect URLs with these schemes to have authority components. If the
     // URL lacks an authority component, we get concerned and mark the origin
     // as unique.
     return url.protocolIsInHTTPFamily() || url.protocolIs("ftp");
 }
 
 static SecurityOrigin* cachedOrigin(const KURL& url)
 {
     if (s_originCache)
         return s_originCache->cachedOrigin(url);
     return 0;
 }
 
+static bool sameSuborigin(const SecurityOrigin* origin1, const SecurityOrigin* origin2)
+{
+    // If either origin has a suborigin set, both must have the same suborigin.
+    return origin1->suboriginName() == origin2->suboriginName();
+}
+
 bool SecurityOrigin::shouldUseInnerURL(const KURL& url)
 {
     // FIXME: Blob URLs don't have inner URLs. Their form is "blob:<inner-origin>/<UUID>", so treating the part after "blob:" as a URL is incorrect.
     if (url.protocolIs("blob"))
         return true;
     if (url.protocolIs("filesystem"))
         return true;
     return false;
 }
 
@@ skipping 44 matching lines @@
 SecurityOrigin::SecurityOrigin(const KURL& url)
     : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
     , m_host(url.host().isNull() ? "" : url.host().lower())
     , m_port(url.port())
     , m_isUnique(false)
     , m_universalAccess(false)
     , m_domainWasSetInDOM(false)
     , m_enforceFilePathSeparation(false)
     , m_needsDatabaseIdentifierQuirkForFiles(false)
 {
+    // Suborigins are serialized into the host, so extract it if necessary.
+    String suboriginName;
+    if (deserializeSuboriginAndHost(m_host, suboriginName, m_host))
+        addSuborigin(suboriginName);
+
     // document.domain starts as m_host, but can be set by the DOM.
     m_domain = m_host;
 
     if (isDefaultPortForProtocol(m_port, m_protocol))
         m_port = InvalidPort;
 
     // By default, only local SecurityOrigins can load local resources.
     m_canLoadLocalResources = isLocal();
 
     if (m_canLoadLocalResources)
         m_filePath = url.path(); // In case enforceFilePathSeparation() is called.
 }
 
 SecurityOrigin::SecurityOrigin()
     : m_protocol("")
     , m_host("")
     , m_domain("")
+    , m_suboriginName(WTF::String())
     , m_port(InvalidPort)
     , m_isUnique(true)
     , m_universalAccess(false)
     , m_domainWasSetInDOM(false)
     , m_canLoadLocalResources(false)
     , m_enforceFilePathSeparation(false)
     , m_needsDatabaseIdentifierQuirkForFiles(false)
 {
 }
 
 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
     : m_protocol(other->m_protocol.isolatedCopy())
     , m_host(other->m_host.isolatedCopy())
     , m_domain(other->m_domain.isolatedCopy())
     , m_filePath(other->m_filePath.isolatedCopy())
+    , m_suboriginName(other->m_suboriginName)
     , m_port(other->m_port)
     , m_isUnique(other->m_isUnique)
     , m_universalAccess(other->m_universalAccess)
     , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
     , m_canLoadLocalResources(other->m_canLoadLocalResources)
     , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation)
     , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles)
 {
 }
 
@@ skipping 22 matching lines @@
     return adoptRef(new SecurityOrigin(url));
 }
 
 PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique()
 {
     RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin());
     ASSERT(origin->isUnique());
     return origin.release();
 }
 
+void SecurityOrigin::addSuborigin(const String& suborigin)
+{
+    ASSERT(RuntimeEnabledFeatures::suboriginsEnabled());
+    // Changing suborigins midstream is bad. Very bad. It should not happen.
+    // This is, in fact, one of the very basic invariants that makes suborigins
+    // an effective security tool.
+    RELEASE_ASSERT(m_suboriginName.isNull() || m_suboriginName == suborigin);
+    m_suboriginName = suborigin;
+}
+
 PassRefPtr<SecurityOrigin> SecurityOrigin::isolatedCopy() const
 {
     return adoptRef(new SecurityOrigin(this));
 }
 
 void SecurityOrigin::setDomainFromDOM(const String& newDomain)
 {
     m_domainWasSetInDOM = true;
     m_domain = newDomain.lower();
 }
@@ skipping 253 matching lines @@
 String SecurityOrigin::toRawString() const
 {
     if (m_protocol == "file")
         return "file://";
 
     StringBuilder result;
     buildRawString(result);
     return result.toString();
 }
 
+// Returns true if and only if a suborigin component was found. If false, no
+// guarantees about the return value |suboriginName| are made.
+bool SecurityOrigin::deserializeSuboriginAndHost(const String& oldHost, String& suboriginName, String& newHost)
+{
+    if (!RuntimeEnabledFeatures::suboriginsEnabled())
+        return false;
+
+    size_t suboriginEnd = oldHost.find('_');

[jochen (gone - plz use gerrit), 2015/04/27 19:35:10]

underscore looks odd but is ok i guess

[jww, 2015/05/30 01:11:07]

Yeah, I'm happy to discuss what we should use as a token, but I was struggling
to find a token that was allowed by the spec, but unused, while also something
that KURL doesn't fail on.

+    // Suborigins cannot be empty
+    if (suboriginEnd == 0 || suboriginEnd == WTF::kNotFound)
+        return false;
+
+    suboriginName = oldHost.substring(0, suboriginEnd);
+    newHost = oldHost.substring(suboriginEnd + 1);
+
+    return true;
+}
+
+
 AtomicString SecurityOrigin::toRawAtomicString() const
 {
     if (m_protocol == "file")
         return AtomicString("file://", AtomicString::ConstructFromLiteral);
 
     StringBuilder result;
     buildRawString(result);
     return result.toAtomicString();
 }
 
-inline void SecurityOrigin::buildRawString(StringBuilder& builder) const
+void SecurityOrigin::buildRawString(StringBuilder& builder) const
 {
-    builder.reserveCapacity(m_protocol.length() + m_host.length() + 10);
     builder.append(m_protocol);
     builder.appendLiteral("://");
+    if (hasSuborigin()) {
+        builder.append(m_suboriginName);
+        builder.appendLiteral("_");
+    }
     builder.append(m_host);
 
     if (m_port) {
         builder.append(':');
         builder.appendNumber(m_port);
     }
 }
 
 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
 {
     return SecurityOrigin::create(KURL(KURL(), originString));
 }
 
 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, int port)
 {
     if (port < 0 || port > MaxAllowedPort)
         return createUnique();
     String decodedHost = decodeURLEscapeSequences(host);
     return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port) + "/"));
 }
 
 bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const
 {
+    if (!sameSuborigin(this, other))
+        return false;
+
     if (m_host != other->m_host)
         return false;
 
     if (m_protocol != other->m_protocol)
         return false;
 
     if (m_port != other->m_port)
         return false;
 
     if (isLocal() && !passesFileCheck(other))
@@ skipping 10 matching lines @@
 }
 
 void SecurityOrigin::transferPrivilegesFrom(const SecurityOrigin& origin)
 {
     m_universalAccess = origin.m_universalAccess;
     m_canLoadLocalResources = origin.m_canLoadLocalResources;
     m_enforceFilePathSeparation = origin.m_enforceFilePathSeparation;
 }
 
 } // namespace blink