Harden the implementation of '--disable-web-security'

third_party/WebKit/Source/platform/weborigin/SecurityOrigin.h

 /*
  * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 132 matching lines @@
     // Explicitly grant the ability to load local resources to this
     // SecurityOrigin.
     //
     // Note: This method exists only to support backwards compatibility
     //       with older versions of WebKit.
     void grantLoadLocalResources();
 
     // Explicitly grant the ability to access every other SecurityOrigin.
     //
     // WARNING: This is an extremely powerful ability. Use with caution!
+    //
+    // TODO(mkwst): Remove this API as soon as is fesiable. That will likely
+    // require creating a more limited replacement.
     void grantUniversalAccess();
     bool isGrantedUniversalAccess() const { return m_universalAccess; }
 
+    // Grant `file:` origins universal access.
+    //
+    // TODO(mkwst): As soon as we can reasonably get WebView to stop offering
+    // the API which requires this method, we should remove it.
+    void grantUniversalAccessForFileOrigins();
+
     bool canAccessDatabase() const { return !isUnique(); }
     bool canAccessLocalStorage() const { return !isUnique(); }
     bool canAccessSharedWorkers() const { return !isUnique(); }
     bool canAccessServiceWorkers() const { return !isUnique(); }
     bool canAccessCookies() const { return !isUnique(); }
     bool canAccessPasswordManager() const { return !isUnique(); }
     bool canAccessFileSystem() const { return !isUnique(); }
     bool canAccessCacheStorage() const { return !isUnique(); }
 
     // Technically, we should always allow access to sessionStorage, but we
@@ skipping 56 matching lines @@
     static const KURL& urlWithUniqueSecurityOrigin();
 
     // Transfer origin privileges from another security origin.
     // The following privileges are currently copied over:
     //
     //   - Grant universal access.
     //   - Grant loading of local resources.
     //   - Use path-based file:// origins.
     struct PrivilegeData {
         bool m_universalAccess;
+        bool m_universalAccessForFileOrigins;
         bool m_canLoadLocalResources;
         bool m_blockLocalAccessFromLocalOrigin;
     };
     PassOwnPtr<PrivilegeData> createPrivilegeData() const;
     void transferPrivilegesFrom(PassOwnPtr<PrivilegeData>);
 
 private:
     friend class SecurityOriginTest;
     FRIEND_TEST_ALL_PREFIXES(SecurityOriginTest, Suborigins);
     FRIEND_TEST_ALL_PREFIXES(SecurityOriginTest, SuboriginsParsing);
@@ skipping 10 matching lines @@
     static bool deserializeSuboriginAndHost(const String&, String&, String&);
 
     String m_protocol;
     String m_host;
     String m_domain;
     String m_suboriginName;
     unsigned short m_port;
     unsigned short m_effectivePort;
     bool m_isUnique;
     bool m_universalAccess;
+    bool m_universalAccessForFileOrigins;
     bool m_domainWasSetInDOM;
     bool m_canLoadLocalResources;
     bool m_blockLocalAccessFromLocalOrigin;
 };
 
 } // namespace blink
 
 #endif // SecurityOrigin_h