Chromium Code Reviews Chromium Code Reviews
Issue 1723753002:
Make Document::isSecureContext() work for OOPIFs (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2007 Apple Inc. All rights reserved. | 2 * Copyright (C) 2007 Apple Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 119 | 119 |
| 120 SecurityOrigin::SecurityOrigin(const KURL& url) | 120 SecurityOrigin::SecurityOrigin(const KURL& url) |
| 121 : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) | 121 : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) |
| 122 , m_host(url.host().isNull() ? "" : url.host().lower()) | 122 , m_host(url.host().isNull() ? "" : url.host().lower()) |
| 123 , m_port(url.port()) | 123 , m_port(url.port()) |
| 124 , m_effectivePort(url.port() ? url.port() : defaultPortForProtocol(m_protoco l)) | 124 , m_effectivePort(url.port() ? url.port() : defaultPortForProtocol(m_protoco l)) |
| 125 , m_isUnique(false) | 125 , m_isUnique(false) |
| 126 , m_universalAccess(false) | 126 , m_universalAccess(false) |
| 127 , m_domainWasSetInDOM(false) | 127 , m_domainWasSetInDOM(false) |
| 128 , m_blockLocalAccessFromLocalOrigin(false) | 128 , m_blockLocalAccessFromLocalOrigin(false) |
| 129 , m_isUniqueOriginPotentiallyTrustworthy(false) | |
| 130 , m_uniqueOriginShouldBypassSecureContextCheck(false) | |
| 129 { | 131 { |
| 130 // Suborigins are serialized into the host, so extract it if necessary. | 132 // Suborigins are serialized into the host, so extract it if necessary. |
| 131 String suboriginName; | 133 String suboriginName; |
| 132 if (deserializeSuboriginAndHost(m_host, suboriginName, m_host)) | 134 if (deserializeSuboriginAndHost(m_host, suboriginName, m_host)) |
| 133 addSuborigin(suboriginName); | 135 addSuborigin(suboriginName); |
| 134 | 136 |
| 135 // document.domain starts as m_host, but can be set by the DOM. | 137 // document.domain starts as m_host, but can be set by the DOM. |
| 136 m_domain = m_host; | 138 m_domain = m_host; |
| 137 | 139 |
| 138 if (isDefaultPortForProtocol(m_port, m_protocol)) | 140 if (isDefaultPortForProtocol(m_port, m_protocol)) |
| 139 m_port = InvalidPort; | 141 m_port = InvalidPort; |
| 140 | 142 |
| 141 // By default, only local SecurityOrigins can load local resources. | 143 // By default, only local SecurityOrigins can load local resources. |
| 142 m_canLoadLocalResources = isLocal(); | 144 m_canLoadLocalResources = isLocal(); |
| 143 } | 145 } |
| 144 | 146 |
| 145 SecurityOrigin::SecurityOrigin() | 147 SecurityOrigin::SecurityOrigin() |
| 146 : m_protocol("") | 148 : m_protocol("") |
| 147 , m_host("") | 149 , m_host("") |
| 148 , m_domain("") | 150 , m_domain("") |
| 149 , m_suboriginName(WTF::String()) | 151 , m_suboriginName(WTF::String()) |
| 150 , m_port(InvalidPort) | 152 , m_port(InvalidPort) |
| 151 , m_effectivePort(InvalidPort) | 153 , m_effectivePort(InvalidPort) |
| 152 , m_isUnique(true) | 154 , m_isUnique(true) |
| 153 , m_universalAccess(false) | 155 , m_universalAccess(false) |
| 154 , m_domainWasSetInDOM(false) | 156 , m_domainWasSetInDOM(false) |
| 155 , m_canLoadLocalResources(false) | 157 , m_canLoadLocalResources(false) |
| 156 , m_blockLocalAccessFromLocalOrigin(false) | 158 , m_blockLocalAccessFromLocalOrigin(false) |
| 159 , m_isUniqueOriginPotentiallyTrustworthy(false) | |
| 160 , m_uniqueOriginShouldBypassSecureContextCheck(false) | |
| 157 { | 161 { |
| 158 } | 162 } |
| 159 | 163 |
| 160 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other) | 164 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other) |
| 161 : m_protocol(other->m_protocol.isolatedCopy()) | 165 : m_protocol(other->m_protocol.isolatedCopy()) |
| 162 , m_host(other->m_host.isolatedCopy()) | 166 , m_host(other->m_host.isolatedCopy()) |
| 163 , m_domain(other->m_domain.isolatedCopy()) | 167 , m_domain(other->m_domain.isolatedCopy()) |
| 164 , m_suboriginName(other->m_suboriginName.isolatedCopy()) | 168 , m_suboriginName(other->m_suboriginName.isolatedCopy()) |
| 165 , m_port(other->m_port) | 169 , m_port(other->m_port) |
| 166 , m_effectivePort(other->m_effectivePort) | 170 , m_effectivePort(other->m_effectivePort) |
| 167 , m_isUnique(other->m_isUnique) | 171 , m_isUnique(other->m_isUnique) |
| 168 , m_universalAccess(other->m_universalAccess) | 172 , m_universalAccess(other->m_universalAccess) |
| 169 , m_domainWasSetInDOM(other->m_domainWasSetInDOM) | 173 , m_domainWasSetInDOM(other->m_domainWasSetInDOM) |
| 170 , m_canLoadLocalResources(other->m_canLoadLocalResources) | 174 , m_canLoadLocalResources(other->m_canLoadLocalResources) |
| 171 , m_blockLocalAccessFromLocalOrigin(other->m_blockLocalAccessFromLocalOrigin ) | 175 , m_blockLocalAccessFromLocalOrigin(other->m_blockLocalAccessFromLocalOrigin ) |
| 176 , m_isUniqueOriginPotentiallyTrustworthy(other->m_isUniqueOriginPotentiallyT rustworthy) | |
| 177 , m_uniqueOriginShouldBypassSecureContextCheck(other->m_uniqueOriginShouldBy passSecureContextCheck) | |
| 172 { | 178 { |
| 173 } | 179 } |
| 174 | 180 |
| 175 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url) | 181 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url) |
| 176 { | 182 { |
| 177 if (RefPtr<SecurityOrigin> origin = cachedOrigin(url)) | 183 if (RefPtr<SecurityOrigin> origin = cachedOrigin(url)) |
| 178 return origin.release(); | 184 return origin.release(); |
| 179 | 185 |
| 180 if (shouldTreatAsUniqueOrigin(url)) { | 186 if (shouldTreatAsUniqueOrigin(url)) { |
| 181 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); | 187 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); |
| 182 return origin.release(); | 188 return origin.release(); |
| 183 } | 189 } |
| 184 | 190 |
| 185 if (shouldUseInnerURL(url)) | 191 if (shouldUseInnerURL(url)) |
| 186 return adoptRef(new SecurityOrigin(extractInnerURL(url))); | 192 return adoptRef(new SecurityOrigin(extractInnerURL(url))); |
| 187 | 193 |
| 188 return adoptRef(new SecurityOrigin(url)); | 194 return adoptRef(new SecurityOrigin(url)); |
| 189 } | 195 } |
| 190 | 196 |
| 197 PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique(bool isPotentiallyTrustw orthy, bool bypassSecureContextCheck) | |
| 198 { | |
| 199 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); | |
| 200 ASSERT(origin->isUnique()); | |
| 201 origin->m_isUniqueOriginPotentiallyTrustworthy = isPotentiallyTrustworthy; | |
| 202 origin->m_uniqueOriginShouldBypassSecureContextCheck = bypassSecureContextCh eck; | |
| 203 return origin.release(); | |
| 204 } | |
| 205 | |
| 191 PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique() | 206 PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique() |
| 192 { | 207 { |
| 193 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); | 208 return createUnique(false, false); |
| 194 ASSERT(origin->isUnique()); | |
| 195 return origin.release(); | |
| 196 } | 209 } |
| 197 | 210 |
| 198 void SecurityOrigin::addSuborigin(const String& suborigin) | 211 void SecurityOrigin::addSuborigin(const String& suborigin) |
| 199 { | 212 { |
| 200 ASSERT(RuntimeEnabledFeatures::suboriginsEnabled()); | 213 ASSERT(RuntimeEnabledFeatures::suboriginsEnabled()); |
| 201 // Changing suborigins midstream is bad. Very bad. It should not happen. | 214 // Changing suborigins midstream is bad. Very bad. It should not happen. |
| 202 // This is, in fact, one of the very basic invariants that makes suborigins | 215 // This is, in fact, one of the very basic invariants that makes suborigins |
| 203 // an effective security tool. | 216 // an effective security tool. |
| 204 RELEASE_ASSERT(m_suboriginName.isNull() || m_suboriginName == suborigin); | 217 RELEASE_ASSERT(m_suboriginName.isNull() || m_suboriginName == suborigin); |
| 205 m_suboriginName = suborigin; | 218 m_suboriginName = suborigin; |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 349 | 362 |
| 350 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) | 363 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) |
| 351 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteList ed(this, url); | 364 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteList ed(this, url); |
| 352 | 365 |
| 353 return true; | 366 return true; |
| 354 } | 367 } |
| 355 | 368 |
| 356 bool SecurityOrigin::isPotentiallyTrustworthy() const | 369 bool SecurityOrigin::isPotentiallyTrustworthy() const |
| 357 { | 370 { |
| 358 ASSERT(m_protocol != "data"); | 371 ASSERT(m_protocol != "data"); |
| 372 | |
| 373 if (isUnique()) | |
| 374 return m_isUniqueOriginPotentiallyTrustworthy; | |
| 375 | |
| 359 if (SchemeRegistry::shouldTreatURLSchemeAsSecure(m_protocol) || isLocal() || isLocalhost()) | 376 if (SchemeRegistry::shouldTreatURLSchemeAsSecure(m_protocol) || isLocal() || isLocalhost()) |
| 360 return true; | 377 return true; |
| 361 | 378 |
| 362 if (SecurityPolicy::isOriginWhiteListedTrustworthy(*this)) | 379 if (SecurityPolicy::isOriginWhiteListedTrustworthy(*this)) |
| 363 return true; | 380 return true; |
| 364 | 381 |
| 365 return false; | 382 return false; |
| 366 } | 383 } |
| 367 | 384 |
| 368 // static | 385 // static |
| 369 String SecurityOrigin::isPotentiallyTrustworthyErrorMessage() | 386 String SecurityOrigin::isPotentiallyTrustworthyErrorMessage() |
| 370 { | 387 { |
| 371 return "Only secure origins are allowed (see: https://goo.gl/Y0ZkNV)."; | 388 return "Only secure origins are allowed (see: https://goo.gl/Y0ZkNV)."; |
| 372 } | 389 } |
| 373 | 390 |
| 391 void SecurityOrigin::setIsPotentiallyTrustworthySandboxedOrigin() | |
| 392 { | |
| 393 ASSERT(isUnique()); | |
| 394 m_isUniqueOriginPotentiallyTrustworthy = true; | |
| 395 } | |
| 396 | |
| 397 bool SecurityOrigin::bypassSecureContextCheck() const | |
|
alexmos
2016/03/01 23:32:33
nit: bypassesSecureContextCheck or shouldBypassSec
| |
| 398 { | |
| 399 if (isUnique()) | |
| 400 return m_uniqueOriginShouldBypassSecureContextCheck; | |
| 401 return SchemeRegistry::schemeShouldBypassSecureContextCheck(protocol()); | |
| 402 } | |
| 403 | |
| 374 void SecurityOrigin::grantLoadLocalResources() | 404 void SecurityOrigin::grantLoadLocalResources() |
| 375 { | 405 { |
| 376 // Granting privileges to some, but not all, documents in a SecurityOrigin | 406 // Granting privileges to some, but not all, documents in a SecurityOrigin |
| 377 // is a security hazard because the documents without the privilege can | 407 // is a security hazard because the documents without the privilege can |
| 378 // obtain the privilege by injecting script into the documents that have | 408 // obtain the privilege by injecting script into the documents that have |
| 379 // been granted the privilege. | 409 // been granted the privilege. |
| 380 m_canLoadLocalResources = true; | 410 m_canLoadLocalResources = true; |
| 381 } | 411 } |
| 382 | 412 |
| 383 void SecurityOrigin::grantUniversalAccess() | 413 void SecurityOrigin::grantUniversalAccess() |
| (...skipping 161 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 545 } | 575 } |
| 546 | 576 |
| 547 void SecurityOrigin::transferPrivilegesFrom(PassOwnPtr<PrivilegeData> privilegeD ata) | 577 void SecurityOrigin::transferPrivilegesFrom(PassOwnPtr<PrivilegeData> privilegeD ata) |
| 548 { | 578 { |
| 549 m_universalAccess = privilegeData->m_universalAccess; | 579 m_universalAccess = privilegeData->m_universalAccess; |
| 550 m_canLoadLocalResources = privilegeData->m_canLoadLocalResources; | 580 m_canLoadLocalResources = privilegeData->m_canLoadLocalResources; |
| 551 m_blockLocalAccessFromLocalOrigin = privilegeData->m_blockLocalAccessFromLoc alOrigin; | 581 m_blockLocalAccessFromLocalOrigin = privilegeData->m_blockLocalAccessFromLoc alOrigin; |
| 552 } | 582 } |
| 553 | 583 |
| 554 } // namespace blink | 584 } // namespace blink |
| OLD | NEW |
