CSP Suborigins

Source/platform/weborigin/SecurityOrigin.cpp

 /*
  * Copyright (C) 2007 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 44 matching lines @@
     return url.protocolIsInHTTPFamily() || url.protocolIs("ftp");
 }
 
 static SecurityOrigin* cachedOrigin(const KURL& url)
 {
     if (s_originCache)
         return s_originCache->cachedOrigin(url);
     return 0;
 }
 
+static bool sameSuborigin(const SecurityOrigin* origin1, const SecurityOrigin* origin2)
+{
+    // If either origin has a suborigin set, both must have the same suborigin.
+    return (!origin1->hasSuborigin() && !origin2->hasSuborigin()) || (origin1->suboriginName() == origin2->suboriginName());

[Mike West, 2014/10/23 12:59:20]

Is this any different from `origin1->suboriginName() ==
origin2->suboriginName()`? If neither has a suborigin, null-string ==
null-string.

[jww, 2015/03/20 22:50:03]

Yup. I think I was considering something tricky with empty strings being equal
to NULL strings, but that's irrelevant now that empty strings are disallowed.

+}
+
 bool SecurityOrigin::shouldUseInnerURL(const KURL& url)
 {
     // FIXME: Blob URLs don't have inner URLs. Their form is "blob:<inner-origin>/<UUID>", so treating the part after "blob:" as a URL is incorrect.
     if (url.protocolIs("blob"))
         return true;
     if (url.protocolIs("filesystem"))
         return true;
     return false;
 }
 
@@ skipping 76 matching lines @@
     , m_enforceFilePathSeparation(false)
     , m_needsDatabaseIdentifierQuirkForFiles(false)
 {
 }
 
 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
     : m_protocol(other->m_protocol.isolatedCopy())
     , m_host(other->m_host.isolatedCopy())
     , m_domain(other->m_domain.isolatedCopy())
     , m_filePath(other->m_filePath.isolatedCopy())
+    , m_suboriginName(other->m_suboriginName)
     , m_port(other->m_port)
     , m_isUnique(other->m_isUnique)
     , m_universalAccess(other->m_universalAccess)
     , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
     , m_canLoadLocalResources(other->m_canLoadLocalResources)
     , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation)
     , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles)
 {
 }
 
@@ skipping 22 matching lines @@
     return adoptRef(new SecurityOrigin(url));
 }
 
 PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique()
 {
     RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin());
     ASSERT(origin->isUnique());
     return origin.release();
 }
 
+void SecurityOrigin::addSuborigin(const String& suborigin)
+{
+    // Changing suborigins midstream is bad. Very bad. It should not happen.
+    // This is, in fact, one of the very basic invariants that makes suborigins
+    // an effective security tool.
+    RELEASE_ASSERT(m_suboriginName.isNull());
+    m_suboriginName = suborigin;
+}
+
 PassRefPtr<SecurityOrigin> SecurityOrigin::isolatedCopy() const
 {
     return adoptRef(new SecurityOrigin(this));
 }
 
 void SecurityOrigin::setDomainFromDOM(const String& newDomain)
 {
     m_domainWasSetInDOM = true;
     m_domain = newDomain.lower();
 }
@@ skipping 15 matching lines @@
 {
     if (m_universalAccess)
         return true;
 
     if (this == other)
         return true;
 
     if (isUnique() || other->isUnique())
         return false;
 
+    if (!sameSuborigin(this, other))
+        return false;

[Mike West, 2014/10/23 12:59:20]

I assume that bypassing the `document.domain` checks is intentional?

[jww, 2015/03/20 22:50:03]

Definitely.

+
     // Here are two cases where we should permit access:
     //
     // 1) Neither document has set document.domain. In this case, we insist
     //    that the scheme, host, and port of the URLs match.
     //
     // 2) Both documents have set document.domain. In this case, we insist
     //    that the documents have set document.domain to the same value and
     //    that the scheme of the URLs match.
     //
     // This matches the behavior of Firefox 2 and Internet Explorer 6.
@@ skipping 43 matching lines @@
         return true;
 
     if (isUnique())
         return false;
 
     RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
 
     if (targetOrigin->isUnique())
         return false;
 
+    if (!sameSuborigin(this, targetOrigin.get()))
+        return false;
+
     // We call isSameSchemeHostPort here instead of canAccess because we want
     // to ignore document.domain effects.
     if (isSameSchemeHostPort(targetOrigin.get()))
         return true;
 
     if (SecurityPolicy::isAccessWhiteListed(this, targetOrigin.get()))
         return true;
 
     return false;
 }
@@ skipping 74 matching lines @@
     errorMessage = "Only secure origins are allowed. http://goo.gl/lq4gCo";
     return false;
 }
 
 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const
 {
     if (m_universalAccess)
         return AlwaysAllow;
     if (isUnique())
         return AlwaysDeny;
+    if (hasSuborigin())
+        return AlwaysDeny;

[Mike West, 2014/10/23 12:59:20]

Why?

[jww, 2015/03/20 22:50:03]

Same rationale as above. Start with the limitations of Sandbox and add more
functionality in as needed/once we understand how to turn it on and off.

     return Ask;
 }
 
 void SecurityOrigin::grantLoadLocalResources()
 {
     // Granting privileges to some, but not all, documents in a SecurityOrigin
     // is a security hazard because the documents without the privilege can
     // obtain the privilege by injecting script into the documents that have
     // been granted the privilege.
     m_canLoadLocalResources = true;
@@ skipping 71 matching lines @@
     if (m_protocol == "file")
         return AtomicString("file://", AtomicString::ConstructFromLiteral);
 
     StringBuilder result;
     buildRawString(result);
     return result.toAtomicString();
 }
 
 inline void SecurityOrigin::buildRawString(StringBuilder& builder) const
 {
-    builder.reserveCapacity(m_protocol.length() + m_host.length() + 10);
+    if (hasSuborigin()) {
+        builder.reserveCapacity(11 + m_suboriginName.length() + m_protocol.length() + m_host.length() + 10);
+        builder.appendLiteral("suborigin:");
+        builder.append(m_suboriginName);
+        builder.append('+');

[Mike West, 2014/10/23 12:59:20]

Is this the scheme we ended up with on the list?

[jww, 2015/03/20 22:50:03]

There was no consensus, but it was the compromise I suggested and no one loudly
objected to. I think no one was happy with any of the suggestions, and I
certainly imagine this is something we'll revist.

+    } else {
+        builder.reserveCapacity(m_protocol.length() + m_host.length() + 10);
+    }
     builder.append(m_protocol);
     builder.appendLiteral("://");
     builder.append(m_host);
 
     if (m_port) {
         builder.append(':');
         builder.appendNumber(m_port);
     }
 }
 
 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)

[Mike West, 2014/10/23 12:59:20]

You're not handling creation of origins with suborigins?

[jww, 2015/03/20 22:50:03]

You're right, I need to add to the SecurityOrigin constructor a parsing of
Suborigins. Done.

 {
     return SecurityOrigin::create(KURL(KURL(), originString));
 }
 
 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, int port)
 {
     if (port < 0 || port > MaxAllowedPort)
         return createUnique();
     String decodedHost = decodeURLEscapeSequences(host);
     return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port) + "/"));
 }
 
 bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const
 {
+    if (!sameSuborigin(this, other))
+        return false;
+
     if (m_host != other->m_host)
         return false;
 
     if (m_protocol != other->m_protocol)
         return false;
 
     if (m_port != other->m_port)
         return false;
 
     if (isLocal() && !passesFileCheck(other))
@@ skipping 10 matching lines @@
 }
 
 void SecurityOrigin::transferPrivilegesFrom(const SecurityOrigin& origin)
 {
     m_universalAccess = origin.m_universalAccess;
     m_canLoadLocalResources = origin.m_canLoadLocalResources;
     m_enforceFilePathSeparation = origin.m_enforceFilePathSeparation;
 }
 
 } // namespace blink