Harden the implementation of '--disable-web-security'

third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp

Index: third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp
diff --git a/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp b/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp
index 4d75bab3529a61a2a191458c4ae88b59fa55fdeb..accd36bf653c655bafae461c7293ca9e1f9b2daf 100644
--- a/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp
+++ b/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp
@@ -35,6 +35,7 @@
 #include "platform/weborigin/SchemeRegistry.h"
 #include "platform/weborigin/SecurityOriginCache.h"
 #include "platform/weborigin/SecurityPolicy.h"
+#include "public/platform/Platform.h"
 #include "url/url_canon_ip.h"
 #include "wtf/HexNumber.h"
 #include "wtf/MainThread.h"
@@ -125,6 +126,7 @@ SecurityOrigin::SecurityOrigin(const KURL& url)
     , m_effectivePort(url.port() ? url.port() : defaultPortForProtocol(m_protocol))
     , m_isUnique(false)
     , m_universalAccess(false)
+    , m_universalAccessForFileOrigins(false)
     , m_domainWasSetInDOM(false)
     , m_blockLocalAccessFromLocalOrigin(false)
 {
@@ -152,6 +154,7 @@ SecurityOrigin::SecurityOrigin()
     , m_effectivePort(InvalidPort)
     , m_isUnique(true)
     , m_universalAccess(false)
+    , m_universalAccessForFileOrigins(false)
     , m_domainWasSetInDOM(false)
     , m_canLoadLocalResources(false)
     , m_blockLocalAccessFromLocalOrigin(false)
@@ -167,6 +170,7 @@ SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
     , m_effectivePort(other->m_effectivePort)
     , m_isUnique(other->m_isUnique)
     , m_universalAccess(other->m_universalAccess)
+    , m_universalAccessForFileOrigins(other->m_universalAccessForFileOrigins)
     , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
     , m_canLoadLocalResources(other->m_canLoadLocalResources)
     , m_blockLocalAccessFromLocalOrigin(other->m_blockLocalAccessFromLocalOrigin)
@@ -234,7 +238,14 @@ bool SecurityOrigin::isSecure(const KURL& url)
 
 bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
 {
-    if (m_universalAccess)
+    if (m_universalAccess) {
+        // TODO(mkwst): I would love to make this a RELEASE_ASSERT_WITH_SECURITY_IMPLICATIONS, but that
+        // would be seriously expensive as it would inject an IPC to the embedder on this very hot path.
+        ASSERT(!Platform::current() || Platform::current()->canGrantUniversalAccess());
+        return true;
+    }
+
+    if (m_universalAccessForFileOrigins && isLocal())
         return true;
 
     if (this == other)
@@ -288,7 +299,14 @@ bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const
 
 bool SecurityOrigin::canRequest(const KURL& url) const
 {
-    if (m_universalAccess)
+    if (m_universalAccess) {
+        // TODO(mkwst): I would love to make this a RELEASE_ASSERT_WITH_SECURITY_IMPLICATIONS, but that
+        // would be seriously expensive as it would inject an IPC to the embedder on this very hot path.
+        ASSERT(!Platform::current() || Platform::current()->canGrantUniversalAccess());
+        return true;
+    }
+
+    if (m_universalAccessForFileOrigins && isLocal())
         return true;
 
     if (cachedOrigin(url) == this)
@@ -337,7 +355,14 @@ bool SecurityOrigin::taintsCanvas(const KURL& url) const
 
 bool SecurityOrigin::canDisplay(const KURL& url) const
 {
-    if (m_universalAccess)
+    if (m_universalAccess) {
+        // TODO(mkwst): I would love to make this a RELEASE_ASSERT_WITH_SECURITY_IMPLICATIONS, but that
+        // would be seriously expensive as it would inject an IPC to the embedder on this very hot path.
+        ASSERT(!Platform::current() || Platform::current()->canGrantUniversalAccess());
+        return true;
+    }
+
+    if (m_universalAccessForFileOrigins && isLocal())
         return true;
 
     String protocol = url.protocol().lower();
@@ -378,9 +403,18 @@ void SecurityOrigin::grantLoadLocalResources()
 
 void SecurityOrigin::grantUniversalAccess()
 {
+    // This must not be granted unless the embedder says we can grant this kind of permission.
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!Platform::current() || Platform::current()->canGrantUniversalAccess());
     m_universalAccess = true;
 }
 
+void SecurityOrigin::grantUniversalAccessForFileOrigins()
+{
+    // This must not be granted to non-local origins, hence the release assert.
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isLocal());
+    m_universalAccessForFileOrigins = true;
+}
+
 void SecurityOrigin::blockLocalAccessFromLocalOrigin()
 {
     ASSERT(isLocal());
@@ -535,6 +569,7 @@ PassOwnPtr<SecurityOrigin::PrivilegeData> SecurityOrigin::createPrivilegeData()
 {
     OwnPtr<PrivilegeData> privilegeData = adoptPtr(new PrivilegeData);
     privilegeData->m_universalAccess = m_universalAccess;
+    privilegeData->m_universalAccessForFileOrigins = m_universalAccessForFileOrigins;
     privilegeData->m_canLoadLocalResources = m_canLoadLocalResources;
     privilegeData->m_blockLocalAccessFromLocalOrigin = m_blockLocalAccessFromLocalOrigin;
     return privilegeData.release();
@@ -543,6 +578,7 @@ PassOwnPtr<SecurityOrigin::PrivilegeData> SecurityOrigin::createPrivilegeData()
 void SecurityOrigin::transferPrivilegesFrom(PassOwnPtr<PrivilegeData> privilegeData)
 {
     m_universalAccess = privilegeData->m_universalAccess;
+    m_universalAccessForFileOrigins = privilegeData->m_universalAccessForFileOrigins;
     m_canLoadLocalResources = privilegeData->m_canLoadLocalResources;
     m_blockLocalAccessFromLocalOrigin = privilegeData->m_blockLocalAccessFromLocalOrigin;
 }