1 /* | 1 /* |
2 * Copyright (C) 2009 Google Inc. All rights reserved. | 2 * Copyright (C) 2009 Google Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
6 * met: | 6 * met: |
7 * | 7 * |
8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | 25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | 27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
29 */ | 29 */ |
30 | 30 |
31 #include "bindings/core/v8/BindingSecurity.h" | 31 #include "bindings/core/v8/BindingSecurity.h" |
32 | 32 |
33 #include "bindings/core/v8/ExceptionState.h" | 33 #include "bindings/core/v8/ExceptionState.h" |
34 #include "bindings/core/v8/V8Binding.h" | 34 #include "bindings/core/v8/V8Binding.h" |
35 #include "bindings/core/v8/V8Location.h" | |
36 #include "bindings/core/v8/V8Window.h" | |
35 #include "core/dom/Document.h" | 37 #include "core/dom/Document.h" |
38 #include "core/frame/DOMWindow.h" | |
36 #include "core/frame/LocalDOMWindow.h" | 39 #include "core/frame/LocalDOMWindow.h" |
37 #include "core/frame/LocalFrame.h" | 40 #include "core/frame/LocalFrame.h" |
38 #include "core/frame/Location.h" | 41 #include "core/frame/Location.h" |
39 #include "core/frame/Settings.h" | 42 #include "core/frame/Settings.h" |
40 #include "core/html/HTMLFrameElementBase.h" | 43 #include "core/html/HTMLFrameElementBase.h" |
41 #include "core/workers/MainThreadWorkletGlobalScope.h" | 44 #include "core/workers/MainThreadWorkletGlobalScope.h" |
42 #include "platform/weborigin/SecurityOrigin.h" | 45 #include "platform/weborigin/SecurityOrigin.h" |
43 | 46 |
44 namespace blink { | 47 namespace blink { |
45 | 48 |
46 namespace { | 49 namespace { |
47 | 50 |
48 bool canAccessFrameInternal(const LocalDOMWindow* accessingWindow, | 51 bool canAccessWindowInternal(const LocalDOMWindow* accessingWindow, |
49 const SecurityOrigin* targetFrameOrigin, | 52 const DOMWindow* targetWindow) { |
50 const DOMWindow* targetWindow) { | |
51 SECURITY_CHECK(!(targetWindow && targetWindow->frame()) || | 53 SECURITY_CHECK(!(targetWindow && targetWindow->frame()) || |
52 targetWindow == targetWindow->frame()->domWindow()); | 54 targetWindow == targetWindow->frame()->domWindow()); |
53 | 55 |
54 // It's important to check that targetWindow is a LocalDOMWindow: it's | 56 // It's important to check that targetWindow is a LocalDOMWindow: it's |
55 // possible for a remote frame and local frame to have the same security | 57 // possible for a remote frame and local frame to have the same security |
56 // origin, depending on the model being used to allocate Frames between | 58 // origin, depending on the model being used to allocate Frames between |
57 // processes. See https://crbug.com/601629. | 59 // processes. See https://crbug.com/601629. |
58 if (!(accessingWindow && targetWindow && targetWindow->isLocalDOMWindow())) | 60 if (!(accessingWindow && targetWindow && targetWindow->isLocalDOMWindow())) |
59 return false; | 61 return false; |
60 | 62 |
61 const SecurityOrigin* accessingOrigin = | 63 const SecurityOrigin* accessingOrigin = |
62 accessingWindow->document()->getSecurityOrigin(); | 64 accessingWindow->document()->getSecurityOrigin(); |
63 if (!accessingOrigin->canAccessCheckSuborigins(targetFrameOrigin)) | 65 const LocalDOMWindow* localTargetWindow = toLocalDOMWindow(targetWindow); |
66 if (!accessingOrigin->canAccessCheckSuborigins( | |
67 localTargetWindow->document()->getSecurityOrigin())) { | |
64 return false; | 68 return false; |
69 } | |
65 | 70 |
66 // Notify the loader's client if the initial document has been accessed. | 71 // Notify the loader's client if the initial document has been accessed. |
67 LocalFrame* targetFrame = toLocalDOMWindow(targetWindow)->frame(); | 72 LocalFrame* targetFrame = localTargetWindow->frame(); |
68 if (targetFrame && | 73 if (targetFrame && |
69 targetFrame->loader().stateMachine()->isDisplayingInitialEmptyDocument()) | 74 targetFrame->loader().stateMachine()->isDisplayingInitialEmptyDocument()) |
70 targetFrame->loader().didAccessInitialDocument(); | 75 targetFrame->loader().didAccessInitialDocument(); |
71 | 76 |
72 return true; | 77 return true; |
73 } | 78 } |
74 | 79 |
75 bool canAccessFrame(const LocalDOMWindow* accessingWindow, | 80 bool canAccessWindow(const LocalDOMWindow* accessingWindow, |
76 const SecurityOrigin* targetFrameOrigin, | 81 const DOMWindow* targetWindow, |
77 const DOMWindow* targetWindow, | 82 ExceptionState& exceptionState) { |
78 ExceptionState& exceptionState) { | 83 if (canAccessWindowInternal(accessingWindow, targetWindow)) |
79 if (canAccessFrameInternal(accessingWindow, targetFrameOrigin, targetWindow)) | |
80 return true; | 84 return true; |
81 | 85 |
82 if (targetWindow) | 86 if (targetWindow) |
83 exceptionState.throwSecurityError( | 87 exceptionState.throwSecurityError( |
84 targetWindow->sanitizedCrossDomainAccessErrorMessage(accessingWindow), | 88 targetWindow->sanitizedCrossDomainAccessErrorMessage(accessingWindow), |
85 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); | 89 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); |
86 return false; | 90 return false; |
87 } | 91 } |
88 | 92 |
89 bool canAccessFrame(const LocalDOMWindow* accessingWindow, | 93 bool canAccessWindow(const LocalDOMWindow* accessingWindow, |
90 SecurityOrigin* targetFrameOrigin, | 94 const DOMWindow* targetWindow, |
91 const DOMWindow* targetWindow, | 95 BindingSecurity::ErrorReportOption reportingOption) { |
92 BindingSecurity::ErrorReportOption reportingOption) { | 96 if (canAccessWindowInternal(accessingWindow, targetWindow)) |
93 if (canAccessFrameInternal(accessingWindow, targetFrameOrigin, targetWindow)) | |
94 return true; | 97 return true; |
95 | 98 |
96 if (accessingWindow && targetWindow && | 99 if (accessingWindow && targetWindow && |
97 reportingOption == BindingSecurity::ErrorReportOption::Report) | 100 reportingOption == BindingSecurity::ErrorReportOption::Report) |
98 accessingWindow->printErrorMessage( | 101 accessingWindow->printErrorMessage( |
99 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); | 102 targetWindow->crossDomainAccessErrorMessage(accessingWindow)); |
100 return false; | 103 return false; |
101 } | 104 } |
102 | 105 |
106 DOMWindow* findWindow(v8::Isolate* isolate, | |
107 const WrapperTypeInfo* type, | |
108 v8::Local<v8::Object> host) { | |
109 if (V8Window::wrapperTypeInfo.equals(type)) | |
haraken
2017/03/07 08:53:57
Previously we were using findInstanceInPrototypeCh
dcheng
2017/03/07 09:06:46
Originally, we didn't set the internal fields of t
| |
110 return V8Window::toImpl(host); | |
111 | |
112 if (V8Location::wrapperTypeInfo.equals(type)) | |
113 return V8Location::toImpl(host)->domWindow(); | |
114 | |
115 // This function can handle only those types listed above. | |
116 NOTREACHED(); | |
117 return nullptr; | |
118 } | |
119 | |
103 } // namespace | 120 } // namespace |
104 | 121 |
105 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 122 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
106 const DOMWindow* target, | 123 const DOMWindow* target, |
107 ExceptionState& exceptionState) { | 124 ExceptionState& exceptionState) { |
108 DCHECK(target); | 125 DCHECK(target); |
109 const Frame* frame = target->frame(); | 126 return canAccessWindow(accessingWindow, target, exceptionState); |
110 if (!frame || !frame->securityContext()) | |
111 return false; | |
112 return canAccessFrame(accessingWindow, | |
113 frame->securityContext()->getSecurityOrigin(), target, | |
114 exceptionState); | |
115 } | 127 } |
116 | 128 |
117 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 129 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
118 const DOMWindow* target, | 130 const DOMWindow* target, |
119 ErrorReportOption reportingOption) { | 131 ErrorReportOption reportingOption) { |
120 DCHECK(target); | 132 DCHECK(target); |
121 const Frame* frame = target->frame(); | 133 return canAccessWindow(accessingWindow, target, reportingOption); |
122 if (!frame || !frame->securityContext()) | |
123 return false; | |
124 return canAccessFrame(accessingWindow, | |
125 frame->securityContext()->getSecurityOrigin(), target, | |
126 reportingOption); | |
127 } | |
128 | |
129 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | |
130 const EventTarget* target, | |
131 ExceptionState& exceptionState) { | |
132 DCHECK(target); | |
133 const DOMWindow* window = target->toDOMWindow(); | |
134 if (!window) { | |
135 // We only need to check the access to Window objects which are | |
136 // cross-origin accessible. If it's not a Window, the object's | |
137 // origin must always be the same origin (or it already leaked). | |
138 return true; | |
139 } | |
140 const Frame* frame = window->frame(); | |
141 if (!frame || !frame->securityContext()) | |
142 return false; | |
143 return canAccessFrame(accessingWindow, | |
144 frame->securityContext()->getSecurityOrigin(), window, | |
145 exceptionState); | |
146 } | 134 } |
147 | 135 |
148 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 136 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
149 const Location* target, | 137 const Location* target, |
150 ExceptionState& exceptionState) { | 138 ExceptionState& exceptionState) { |
151 DCHECK(target); | 139 DCHECK(target); |
152 const Frame* frame = target->frame(); | 140 return canAccessWindow(accessingWindow, target->domWindow(), exceptionState); |
153 if (!frame || !frame->securityContext()) | |
154 return false; | |
155 return canAccessFrame(accessingWindow, | |
156 frame->securityContext()->getSecurityOrigin(), | |
157 frame->domWindow(), exceptionState); | |
158 } | 141 } |
159 | 142 |
160 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 143 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
161 const Location* target, | 144 const Location* target, |
162 ErrorReportOption reportingOption) { | 145 ErrorReportOption reportingOption) { |
163 DCHECK(target); | 146 DCHECK(target); |
164 const Frame* frame = target->frame(); | 147 return canAccessWindow(accessingWindow, target->domWindow(), reportingOption); |
165 if (!frame || !frame->securityContext()) | |
166 return false; | |
167 return canAccessFrame(accessingWindow, | |
168 frame->securityContext()->getSecurityOrigin(), | |
169 frame->domWindow(), reportingOption); | |
170 } | 148 } |
171 | 149 |
172 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 150 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
173 const Node* target, | 151 const Node* target, |
174 ExceptionState& exceptionState) { | 152 ExceptionState& exceptionState) { |
175 if (!target) | 153 if (!target) |
176 return false; | 154 return false; |
177 return canAccessFrame(accessingWindow, target->document().getSecurityOrigin(), | 155 return canAccessWindow(accessingWindow, target->document().domWindow(), |
178 target->document().domWindow(), exceptionState); | 156 exceptionState); |
179 } | 157 } |
180 | 158 |
181 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, | 159 bool BindingSecurity::shouldAllowAccessTo(const LocalDOMWindow* accessingWindow, |
182 const Node* target, | 160 const Node* target, |
183 ErrorReportOption reportingOption) { | 161 ErrorReportOption reportingOption) { |
184 if (!target) | 162 if (!target) |
185 return false; | 163 return false; |
186 return canAccessFrame(accessingWindow, target->document().getSecurityOrigin(), | 164 return canAccessWindow(accessingWindow, target->document().domWindow(), |
187 target->document().domWindow(), reportingOption); | 165 reportingOption); |
188 } | 166 } |
189 | 167 |
190 bool BindingSecurity::shouldAllowAccessToFrame( | 168 bool BindingSecurity::shouldAllowAccessToFrame( |
191 const LocalDOMWindow* accessingWindow, | 169 const LocalDOMWindow* accessingWindow, |
192 const Frame* target, | 170 const Frame* target, |
193 ExceptionState& exceptionState) { | 171 ExceptionState& exceptionState) { |
194 if (!target || !target->securityContext()) | 172 if (!target || !target->securityContext()) |
195 return false; | 173 return false; |
196 return canAccessFrame(accessingWindow, | 174 return canAccessWindow(accessingWindow, target->domWindow(), exceptionState); |
197 target->securityContext()->getSecurityOrigin(), | |
198 target->domWindow(), exceptionState); | |
199 } | 175 } |
200 | 176 |
201 bool BindingSecurity::shouldAllowAccessToFrame( | 177 bool BindingSecurity::shouldAllowAccessToFrame( |
202 const LocalDOMWindow* accessingWindow, | 178 const LocalDOMWindow* accessingWindow, |
203 const Frame* target, | 179 const Frame* target, |
204 ErrorReportOption reportingOption) { | 180 ErrorReportOption reportingOption) { |
205 if (!target || !target->securityContext()) | 181 if (!target || !target->securityContext()) |
206 return false; | 182 return false; |
207 return canAccessFrame(accessingWindow, | 183 return canAccessWindow(accessingWindow, target->domWindow(), reportingOption); |
208 target->securityContext()->getSecurityOrigin(), | |
209 target->domWindow(), reportingOption); | |
210 } | |
211 | |
212 bool BindingSecurity::shouldAllowAccessToDetachedWindow( | |
213 const LocalDOMWindow* accessingWindow, | |
214 const DOMWindow* target, | |
215 ExceptionState& exceptionState) { | |
216 CHECK(target && !target->frame()) | |
217 << "This version of shouldAllowAccessToFrame() must be used only for " | |
218 << "detached windows."; | |
219 if (!target->isLocalDOMWindow()) | |
220 return false; | |
221 Document* document = toLocalDOMWindow(target)->document(); | |
222 if (!document) | |
223 return false; | |
224 return canAccessFrame(accessingWindow, document->getSecurityOrigin(), target, | |
225 exceptionState); | |
226 } | 184 } |
227 | 185 |
228 bool BindingSecurity::shouldAllowNamedAccessTo(const DOMWindow* accessingWindow, | 186 bool BindingSecurity::shouldAllowNamedAccessTo(const DOMWindow* accessingWindow, |
229 const DOMWindow* targetWindow) { | 187 const DOMWindow* targetWindow) { |
230 const Frame* accessingFrame = accessingWindow->frame(); | 188 const Frame* accessingFrame = accessingWindow->frame(); |
231 DCHECK(accessingFrame); | 189 DCHECK(accessingFrame); |
232 DCHECK(accessingFrame->securityContext()); | 190 DCHECK(accessingFrame->securityContext()); |
233 const SecurityOrigin* accessingOrigin = | 191 const SecurityOrigin* accessingOrigin = |
234 accessingFrame->securityContext()->getSecurityOrigin(); | 192 accessingFrame->securityContext()->getSecurityOrigin(); |
235 | 193 |
246 | 204 |
247 // Note that there is no need to call back | 205 // Note that there is no need to call back |
248 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be | 206 // FrameLoader::didAccessInitialDocument() because |targetWindow| must be |
249 // a child window inside iframe or frame and it doesn't have a URL bar, | 207 // a child window inside iframe or frame and it doesn't have a URL bar, |
250 // so there is no need to worry about URL spoofing. | 208 // so there is no need to worry about URL spoofing. |
251 | 209 |
252 return true; | 210 return true; |
253 } | 211 } |
254 | 212 |
255 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate, | 213 void BindingSecurity::failedAccessCheckFor(v8::Isolate* isolate, |
256 const Frame* target) { | 214 const WrapperTypeInfo* type, |
257 // TODO(dcheng): See if this null check can be removed or hoisted to a | 215 v8::Local<v8::Object> host) { |
haraken
2017/03/07 08:53:57
host => holder
dcheng
2017/03/07 09:06:46
Done.
| |
258 // different location. | 216 DOMWindow* target = findWindow(isolate, type, host); |
259 if (!target) | 217 // Failing to find a target means something is wrong. Failing to throw an |
260 return; | 218 // exception could be a security issue, so just crash. |
261 | 219 CHECK(target); |
262 DOMWindow* targetWindow = target->domWindow(); | |
263 | 220 |
264 // TODO(dcheng): Add ContextType, interface name, and property name as | 221 // TODO(dcheng): Add ContextType, interface name, and property name as |
265 // arguments, so the generated exception can be more descriptive. | 222 // arguments, so the generated exception can be more descriptive. |
266 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, | 223 ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, |
267 nullptr, nullptr); | 224 nullptr, nullptr); |
268 exceptionState.throwSecurityError( | 225 exceptionState.throwSecurityError( |
269 targetWindow->sanitizedCrossDomainAccessErrorMessage( | 226 target->sanitizedCrossDomainAccessErrorMessage(currentDOMWindow(isolate)), |
270 currentDOMWindow(isolate)), | 227 target->crossDomainAccessErrorMessage(currentDOMWindow(isolate))); |
271 targetWindow->crossDomainAccessErrorMessage(currentDOMWindow(isolate))); | |
272 } | 228 } |
273 | 229 |
274 } // namespace blink | 230 } // namespace blink |
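Review bot: In canAccessWindowInternal, `localTargetWindow->document()->getSecurityOrigin()` dereferences the target document with no null check, while the removed shouldAllowAccessToDetachedWindow guarded the same lookup with `if (!document) return false;`. If a detached LocalDOMWindow can still carry a null document, as that removed guard assumed, the new path crashes inside the access check instead of denying; `const Document* targetDocument = localTargetWindow->document(); if (!targetDocument) return false;` placed before the canAccessCheckSuborigins call keeps deny as the fall-through result. Note also that every shouldAllowAccessTo overload previously returned false whenever `target->frame()` was null, and now a frameless local window reaches the origin comparison instead. If that widening is intended, a one-line comment above the origin lookup such as `// A detached (frameless) local window is judged by its document's origin rather than denied outright.` would record the decision for the next reader.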