CSP Suborigins

Source/platform/weborigin/SecurityOrigin.h

 /*
  * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
@@ skipping 125 matching lines @@
     //
     // Note: This method exists only to support backwards compatibility
     //       with older versions of WebKit.
     void grantLoadLocalResources();
 
     // Explicitly grant the ability to access every other SecurityOrigin.
     //
     // WARNING: This is an extremely powerful ability. Use with caution!
     void grantUniversalAccess();
 
-    bool canAccessDatabase() const { return !isUnique(); };
-    bool canAccessLocalStorage() const { return !isUnique(); };
-    bool canAccessSharedWorkers() const { return !isUnique(); }
-    bool canAccessCookies() const { return !isUnique(); }
-    bool canAccessPasswordManager() const { return !isUnique(); }
-    bool canAccessFileSystem() const { return !isUnique(); }
+    bool canAccessDatabase() const { return !isUnique() && !hasSuborigin(); };

[Mike West, 2014/10/23 12:59:20]

Why are we blocking access to these for suborigins? Shouldn't we instead be
creating new storage areas for these suborigins?

[jww, 2015/03/20 22:50:03]

The proposal/initial spec calls for these sensitive APIs to be blocked, like
with sandbox. However, I want to work on a way to turn these on. And, in fact,
talking to aaj@google.com, it would actually be more useful to allow same-origin
access, rather than give it a new one.

In any case, my theory is to start in the initial implementation with something
minimal, figure out what is needed by aaj@ et al, and come up with a mechanism
for turning them on.

+    bool canAccessLocalStorage() const { return !isUnique() && !hasSuborigin(); };
+    bool canAccessSharedWorkers() const { return !isUnique() && !hasSuborigin(); }
+    bool canAccessCookies() const { return !isUnique() && !hasSuborigin(); }
+    bool canAccessPasswordManager() const { return !isUnique() && !hasSuborigin(); }
+    bool canAccessFileSystem() const { return !isUnique() && !hasSuborigin(); }
     Policy canShowNotifications() const;
 
     // Technically, we should always allow access to sessionStorage, but we
     // currently don't handle creating a sessionStorage area for unique
     // origins.
     bool canAccessSessionStorage() const { return !isUnique(); }

[Mike West, 2014/10/23 12:59:20]

Here too?

[jww, 2015/03/20 22:50:04]

Yup, good catch. Rebase mistake, I think.

 
     // The local SecurityOrigin is the most privileged SecurityOrigin.
     // The local SecurityOrigin can script any document, navigate to local
     // resources, and can set arbitrary headers on XMLHttpRequests.
     bool isLocal() const;
 
     // Returns true if the host is one of 127.0.0.1/8, ::1/128, or "localhost".
     bool isLocalhost() const;
 
     // The origin is a globally unique identifier assigned when the Document is
     // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
     //
     // There's a subtle difference between a unique origin and an origin that
     // has the SandboxOrigin flag set. The latter implies the former, and, in
     // addition, the SandboxOrigin flag is inherited by iframes.
     bool isUnique() const { return m_isUnique; }
 
+    void addSuborigin(const String&);
+    bool hasSuborigin() const { return !m_suboriginName.isNull(); }
+    const String& suboriginName() const { return m_suboriginName; }
+
     // Marks a file:// origin as being in a domain defined by its path.
     // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
     // still can have other privileges that can be remembered, thereby not making them unique.
     void enforceFilePathSeparation();
 
     // Convert this SecurityOrigin into a string. The string
     // representation of a SecurityOrigin is similar to a URL, except it
     // lacks a path component. The string representation does not encode
     // the value of the SecurityOrigin's domain property.
     //
@@ skipping 35 matching lines @@
     explicit SecurityOrigin(const SecurityOrigin*);
 
     // FIXME: Rename this function to something more semantic.
     bool passesFileCheck(const SecurityOrigin*) const;
     void buildRawString(StringBuilder&) const;
 
     String m_protocol;
     String m_host;
     String m_domain;
     String m_filePath;
+    String m_suboriginName;
     unsigned short m_port;
     bool m_isUnique;
     bool m_universalAccess;
     bool m_domainWasSetInDOM;
     bool m_canLoadLocalResources;
     bool m_enforceFilePathSeparation;
     bool m_needsDatabaseIdentifierQuirkForFiles;
 };
 
 } // namespace blink
 
 #endif // SecurityOrigin_h