OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2009 Google Inc. All rights reserved. | 2 * Copyright (C) 2009 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
6 * met: | 6 * met: |
7 * | 7 * |
8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
(...skipping 14 matching lines...) Expand all Loading... | |
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | 25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | 27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
29 */ | 29 */ |
30 | 30 |
31 #include "bindings/core/v8/BindingSecurity.h" | 31 #include "bindings/core/v8/BindingSecurity.h" |
32 | 32 |
33 #include "bindings/core/v8/ExceptionState.h" | 33 #include "bindings/core/v8/ExceptionState.h" |
34 #include "bindings/core/v8/V8Binding.h" | 34 #include "bindings/core/v8/V8Binding.h" |
35 #include "bindings/core/v8/V8Location.h" | |
36 #include "bindings/core/v8/V8Window.h" | |
35 #include "core/dom/Document.h" | 37 #include "core/dom/Document.h" |
38 #include "core/frame/DOMWindow.h" | |
36 #include "core/frame/LocalDOMWindow.h" | 39 #include "core/frame/LocalDOMWindow.h" |
37 #include "core/frame/LocalFrame.h" | 40 #include "core/frame/LocalFrame.h" |
38 #include "core/frame/Location.h" | 41 #include "core/frame/Location.h" |
39 #include "core/frame/Settings.h" | 42 #include "core/frame/Settings.h" |
40 #include "core/html/HTMLFrameElementBase.h" | 43 #include "core/html/HTMLFrameElementBase.h" |
41 #include "core/workers/MainThreadWorkletGlobalScope.h" | 44 #include "core/workers/MainThreadWorkletGlobalScope.h" |
42 #include "platform/weborigin/SecurityOrigin.h" | 45 #include "platform/weborigin/SecurityOrigin.h" |
43 | 46 |
44 namespace blink { | 47 namespace blink { |
45 | 48 |
46 namespace { | 49 namespace { |
47 | 50 |
48 bool canAccessFrameInternal(const LocalDOMWindow* accessingWindow, | 51 bool canAccessFrameInternal(const LocalDOMWindow* accessingWindow, |
Yuki
2017/03/06 08:42:43
Should we rename these helper functions canAccessW
dcheng
2017/03/07 05:48:09
Done.
| |
49 const SecurityOrigin* targetFrameOrigin, | |
dcheng
2017/03/06 06:59:47
We delay extraction of the security origin to canA
| |
50 const DOMWindow* targetWindow) { | 52 const DOMWindow* targetWindow) { |
53 #if 0 | |
51 SECURITY_CHECK(!(targetWindow && targetWindow->frame()) || | 54 SECURITY_CHECK(!(targetWindow && targetWindow->frame()) || |
52 targetWindow == targetWindow->frame()->domWindow()); | 55 targetWindow == targetWindow->frame()->domWindow()); |
56 #endif | |
dcheng
2017/03/06 06:59:47
I guess we can just delete this assert, since it's
Yuki
2017/03/06 08:42:43
This test is still effective as is, I think. The
dcheng
2017/03/07 05:48:09
Done.
| |
53 | 57 |
54 // It's important to check that targetWindow is a LocalDOMWindow: it's | 58 // It's important to check that targetWindow is a LocalDOMWindow: it's |
55 // possible for a remote frame and local frame to have the same security | 59 // possible for a remote frame and local frame to have the same security |
56 // origin, depending on the model being used to allocate Frames between | 60 // origin, depending on the model being used to allocate Frames between |
57 // processes. See https://crbug.com/601629. | 61 // processes. See https://crbug.com/601629. |
58 if (!(accessingWindow && targetWindow && targetWindow->isLocalDOMWindow())) | 62 if (!(accessingWindow && targetWindow && targetWindow->isLocalDOMWindow())) |
59 return false; | 63 return false; |
60 | 64 |
61 const SecurityOrigin* accessingOrigin = | 65 const SecurityOrigin* accessingOrigin = |
62 accessingWindow->document()->getSecurityOrigin(); | 66 accessingWindow->document()->getSecurityOrigin(); |
63 if (!accessingOrigin->canAccessCheckSuborigins(targetFrameOrigin)) | 67 const LocalDOMWindow* localTargetWindow = toLocalDOMWindow(targetWindow); |
68 if (!accessingOrigin->canAccessCheckSuborigins( | |
69 localTargetWindow->document()->getSecurityOrigin())) { | |
64 return false; | 70 return false; |
71 } | |
65 | 72 |
66 // Notify the loader's client if the initial document has been accessed. | 73 // Notify the loader's client if the initial document has been accessed. |
67 LocalFrame* targetFrame = toLocalDOMWindow(targetWindow)->frame(); | 74 LocalFrame* targetFrame = localTargetWindow->frame(); |
68 if (targetFrame && | 75 if (targetFrame && |
69 targetFrame->loader().stateMachine()->isDisplayingInitialEmptyDocument()) | 76 targetFrame->loader().stateMachine()->isDisplayingInitialEmptyDocument()) |
70 targetFrame->loader().didAccessInitialDocument(); | 77 targetFrame->loader().didAccessInitialDocument(); |
71 | 78 |
72 return true; | 79 return true; |
73 } | 80 } |
74 | 81 |
75 bool canAccessFrame(const LocalDOMWindow* accessingWindow, | 82 bool canAccessFrame(const LocalDOMWindow* accessingWindow, |
76 const SecurityOrigin* targetFrameOrigin, | |
77 const DOMWindow* targetWindow, | 83 const DOMWindow* targetWindow, |
78 ExceptionState& exceptionState) { | 84 ExceptionState& exceptionState) { |
79 if (canAccessFrameInternal(accessingWindow, targetFrameOrigin, targetWindow)) | 85 if (canAccessFrameInternal(accessingWindow, targetWindow)) |
80 return true; | 86 return true; |
81 | 87 |
82 if (targetWindow) | 88 if (targetWindow) |
83 exceptionState.throwSecurityError( | 89 exceptionState.throwSecurityError( |
84 targetWindow->sanitizedCrossDomainAccessErrorMessage(accessingWindow), | 90 targetWindow->sanitizedCrossDomainAccessErrorMessage(accessingWindow), |
85 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); | 91 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); |
86 return false; | 92 return false; |
87 } | 93 } |
88 | 94 |
89 bool canAccessFrame(const LocalDOMWindow* accessingWindow, | 95 bool canAccessFrame(const LocalDOMWindow* accessingWindow, |
90 SecurityOrigin* targetFrameOrigin, | |
91 const DOMWindow* targetWindow, | 96 const DOMWindow* targetWindow, |
92 BindingSecurity::ErrorReportOption reportingOption) { | 97 BindingSecurity::ErrorReportOption reportingOption) { |
93 if (canAccessFrameInternal(accessingWindow, targetFrameOrigin, targetWindow)) | 98 if (canAccessFrameInternal(accessingWindow, targetWindow)) |
94 return true; | 99 return true; |
95 | 100 |
96 if (accessingWindow && targetWindow && | 101 if (accessingWindow && targetWindow && |
97 reportingOption == BindingSecurity::ErrorReportOption::Report) | 102 reportingOption == BindingSecurity::ErrorReportOption::Report) |
98 accessingWindow->printErrorMessage( | 103 accessingWindow->printErrorMessage( |
99 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); | 104 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); |
100 return false; | 105 return false; |
101 } | 106 } |
102 | 107 |
108 DOMWindow* findWindow(v8::Isolate* isolate, | |
109 const WrapperTypeInfo* type, | |
110 v8::Local<v8::Object> host) { | |
111 if (V8Window::wrapperTypeInfo.equals(type)) { | |
112 v8::Local<v8::Object> windowWrapper = | |
Yuki
2017/03/06 08:42:43
I think we should use |host| directly (as same as
dcheng
2017/03/07 05:48:10
Ah good point, this is leftover from when we didn'
| |
113 V8Window::findInstanceInPrototypeChain(host, isolate); | |
114 if (windowWrapper.IsEmpty()) | |
115 return 0; | |
Yuki
2017/03/06 08:42:42
The call site seems not expecting findWindow to re
Yuki
2017/03/06 08:42:43
nit: s/0/nullptr/
dcheng
2017/03/07 05:48:09
Done.
dcheng
2017/03/07 05:48:09
Oops, good point. I added a CHECK() in failedAcces
| |
116 return V8Window::toImpl(windowWrapper); | |
117 } | |
118 | |
119 if (V8Location::wrapperTypeInfo.equals(type)) | |
120 return V8Location::toImpl(host)->domWindow(); | |
121 | |
122 // This function can handle only those types listed above. | |
123 CHECK(false); | |
Yuki
2017/03/06 08:42:43
NOTREACHED?
dcheng
2017/03/07 05:48:09
Hmm, I guess that's fine here. Done.
| |
124 return nullptr; | |
125 } | |
126 | |
103 } // namespace | 127 } // namespace |
104 | 128 |
105 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 129 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
106 const DOMWindow* target, | 130 const DOMWindow* target, |
107 ExceptionState& exceptionState) { | 131 ExceptionState& exceptionState) { |
108 DCHECK(target); | 132 DCHECK(target); |
109 const Frame* frame = target->frame(); | 133 return canAccessFrame(accessingWindow, target, exceptionState); |
110 if (!frame || !frame->securityContext()) | |
111 return false; | |
112 return canAccessFrame(accessingWindow, | |
113 frame->securityContext()->getSecurityOrigin(), target, | |
114 exceptionState); | |
115 } | 134 } |
116 | 135 |
117 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 136 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
118 const DOMWindow* target, | 137 const DOMWindow* target, |
119 ErrorReportOption reportingOption) { | 138 ErrorReportOption reportingOption) { |
120 DCHECK(target); | 139 DCHECK(target); |
121 const Frame* frame = target->frame(); | 140 return canAccessFrame(accessingWindow, target, reportingOption); |
122 if (!frame || !frame->securityContext()) | |
123 return false; | |
124 return canAccessFrame(accessingWindow, | |
125 frame->securityContext()->getSecurityOrigin(), target, | |
126 reportingOption); | |
127 } | 141 } |
128 | 142 |
129 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 143 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
Yuki
2017/03/06 08:42:43
Another CL of yours removed the use of shouldAllow
dcheng
2017/03/07 05:48:09
Done.
| |
130 const EventTarget* target, | 144 const EventTarget* target, |
131 ExceptionState& exceptionState) { | 145 ExceptionState& exceptionState) { |
132 DCHECK(target); | 146 DCHECK(target); |
133 const DOMWindow* window = target->toDOMWindow(); | 147 const DOMWindow* window = target->toDOMWindow(); |
134 if (!window) { | 148 if (!window) { |
135 // We only need to check the access to Window objects which are | 149 // We only need to check the access to Window objects which are |
136 // cross-origin accessible. If it's not a Window, the object's | 150 // cross-origin accessible. If it's not a Window, the object's |
137 // origin must always be the same origin (or it already leaked). | 151 // origin must always be the same origin (or it already leaked). |
138 return true; | 152 return true; |
139 } | 153 } |
140 const Frame* frame = window->frame(); | 154 return canAccessFrame(accessingWindow, window, exceptionState); |
141 if (!frame || !frame->securityContext()) | |
142 return false; | |
143 return canAccessFrame(accessingWindow, | |
144 frame->securityContext()->getSecurityOrigin(), window, | |
145 exceptionState); | |
146 } | 155 } |
147 | 156 |
148 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 157 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
149 const Location* target, | 158 const Location* target, |
150 ExceptionState& exceptionState) { | 159 ExceptionState& exceptionState) { |
151 DCHECK(target); | 160 DCHECK(target); |
152 const Frame* frame = target->frame(); | 161 return canAccessFrame(accessingWindow, target->domWindow(), exceptionState); |
153 if (!frame || !frame->securityContext()) | |
154 return false; | |
155 return canAccessFrame(accessingWindow, | |
156 frame->securityContext()->getSecurityOrigin(), | |
157 frame->domWindow(), exceptionState); | |
158 } | 162 } |
159 | 163 |
160 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 164 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
161 const Location* target, | 165 const Location* target, |
162 ErrorReportOption reportingOption) { | 166 ErrorReportOption reportingOption) { |
163 DCHECK(target); | 167 DCHECK(target); |
164 const Frame* frame = target->frame(); | 168 return canAccessFrame(accessingWindow, target->domWindow(), reportingOption); |
165 if (!frame || !frame->securityContext()) | |
166 return false; | |
167 return canAccessFrame(accessingWindow, | |
168 frame->securityContext()->getSecurityOrigin(), | |
169 frame->domWindow(), reportingOption); | |
170 } | 169 } |
171 | 170 |
172 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 171 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
173 const Node* target, | 172 const Node* target, |
174 ExceptionState& exceptionState) { | 173 ExceptionState& exceptionState) { |
175 if (!target) | 174 if (!target) |
176 return false; | 175 return false; |
177 return canAccessFrame(accessingWindow, target->document().getSecurityOrigin(), | 176 return canAccessFrame(accessingWindow, target->document().domWindow(), |
178 target->document().domWindow(), exceptionState); | 177 exceptionState); |
179 } | 178 } |
180 | 179 |
181 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 180 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
182 const Node* target, | 181 const Node* target, |
183 ErrorReportOption reportingOption) { | 182 ErrorReportOption reportingOption) { |
184 if (!target) | 183 if (!target) |
185 return false; | 184 return false; |
186 return canAccessFrame(accessingWindow, target->document().getSecurityOrigin(), | 185 return canAccessFrame(accessingWindow, target->document().domWindow(), |
187 target->document().domWindow(), reportingOption); | 186 reportingOption); |
188 } | 187 } |
189 | 188 |
190 bool BindingSecurity::shouldAllowAccessToFrame( | 189 bool BindingSecurity::shouldAllowAccessToFrame( |
191 const LocalDOMWindow* accessingWindow, | 190 const LocalDOMWindow* accessingWindow, |
192 const Frame* target, | 191 const Frame& target, |
193 ExceptionState& exceptionState) { | 192 ExceptionState& exceptionState) { |
194 if (!target || !target->securityContext()) | 193 return canAccessFrame(accessingWindow, target.domWindow(), exceptionState); |
195 return false; | |
196 return canAccessFrame(accessingWindow, | |
197 target->securityContext()->getSecurityOrigin(), | |
198 target->domWindow(), exceptionState); | |
199 } | 194 } |
200 | 195 |
201 bool BindingSecurity::shouldAllowAccessToFrame( | 196 bool BindingSecurity::shouldAllowAccessToFrame( |
202 const LocalDOMWindow* accessingWindow, | 197 const LocalDOMWindow* accessingWindow, |
203 const Frame* target, | 198 const Frame& target, |
204 ErrorReportOption reportingOption) { | 199 ErrorReportOption reportingOption) { |
205 if (!target || !target->securityContext()) | 200 return canAccessFrame(accessingWindow, target.domWindow(), reportingOption); |
206 return false; | |
207 return canAccessFrame(accessingWindow, | |
208 target->securityContext()->getSecurityOrigin(), | |
209 target->domWindow(), reportingOption); | |
210 } | |
211 | |
212 bool BindingSecurity::shouldAllowAccessToDetachedWindow( | |
213 const LocalDOMWindow* accessingWindow, | |
214 const DOMWindow* target, | |
215 ExceptionState& exceptionState) { | |
216 CHECK(target && !target->frame()) | |
217 << "This version of shouldAllowAccessToFrame() must be used only for " | |
218 << "detached windows."; | |
219 if (!target->isLocalDOMWindow()) | |
220 return false; | |
221 Document* document = toLocalDOMWindow(target)->document(); | |
222 if (!document) | |
223 return false; | |
224 return canAccessFrame(accessingWindow, document->getSecurityOrigin(), target, | |
225 exceptionState); | |
226 } | 201 } |
227 | 202 |
228 bool BindingSecurity::shouldAllowNamedAccessTo(const DOMWindow* accessingWindow, | 203 bool BindingSecurity::shouldAllowNamedAccessTo(const DOMWindow* accessingWindow, |
229 const DOMWindow* targetWindow) { | 204 const DOMWindow* targetWindow) { |
230 const Frame* accessingFrame = accessingWindow->frame(); | 205 const Frame* accessingFrame = accessingWindow->frame(); |
231 DCHECK(accessingFrame); | 206 DCHECK(accessingFrame); |
232 DCHECK(accessingFrame->securityContext()); | 207 DCHECK(accessingFrame->securityContext()); |
233 const SecurityOrigin* accessingOrigin = | 208 const SecurityOrigin* accessingOrigin = |
234 accessingFrame->securityContext()->getSecurityOrigin(); | 209 accessingFrame->securityContext()->getSecurityOrigin(); |
235 | 210 |
(...skipping 10 matching lines...) Expand all Loading... | |
246 | 221 |
247 // Note that there is no need to call back | 222 // Note that there is no need to call back |
248 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be | 223 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be |
249 // a child window inside iframe or frame and it doesn't have a URL bar, | 224 // a child window inside iframe or frame and it doesn't have a URL bar, |
250 // so there is no need to worry about URL spoofing. | 225 // so there is no need to worry about URL spoofing. |
251 | 226 |
252 return true; | 227 return true; |
253 } | 228 } |
254 | 229 |
255 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate, | 230 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate, |
256 const Frame* target) { | 231 const WrapperTypeInfo* type, |
257 // TODO(dcheng): See if this null check can be removed or hoisted to a | 232 v8::Local<v8::Object> host) { |
258 // different location. | 233 DOMWindow* target = findWindow(isolate, type, host); |
259 if (!target) | |
260 return; | |
261 | |
262 DOMWindow* targetWindow = target->domWindow(); | |
263 | 234 |
264 // TODO(dcheng): Add ContextType, interface name, and property name as | 235 // TODO(dcheng): Add ContextType, interface name, and property name as |
265 // arguments, so the generated exception can be more descriptive. | 236 // arguments, so the generated exception can be more descriptive. |
266 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, | 237 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, |
267 nullptr, nullptr); | 238 nullptr, nullptr); |
268 exceptionState.throwSecurityError( | 239 exceptionState.throwSecurityError( |
269 targetWindow->sanitizedCrossDomainAccessErrorMessage( | 240 target->sanitizedCrossDomainAccessErrorMessage(currentDOMWindow(isolate)), |
270 currentDOMWindow(isolate)), | 241 target->crossDomainAccessErrorMessage(currentDOMWindow(isolate))); |
271 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate))); | |
272 } | 242 } |
273 | 243 |
274 } // namespace blink | 244 } // namespace blink |
OLD | NEW |