Chromium Code Reviews Chromium Code Reviews
Issue 299253003:
[webcrypto] Only allow crypto.subtle.* to be used from "secure origins". (Closed)
Base URL: svn://svn.chromium.org/blink/trunk| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2007 Apple Inc. All rights reserved. | 2 * Copyright (C) 2007 Apple Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * | 7 * |
| 8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
| (...skipping 357 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 368 | 368 |
| 369 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol)) | 369 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol)) |
| 370 return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListe d(this, url); | 370 return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListe d(this, url); |
| 371 | 371 |
| 372 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) | 372 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) |
| 373 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteList ed(this, url); | 373 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteList ed(this, url); |
| 374 | 374 |
| 375 return true; | 375 return true; |
| 376 } | 376 } |
| 377 | 377 |
| 378 bool SecurityOrigin::canAccessFeatureRequiringSecureOrigin() const | |
| 379 { | |
| 380 if (isLocal()) | |
| 381 return true; | |
| 382 | |
| 383 if (SchemeRegistry::shouldTreatURLSchemeAsSecure(m_protocol)) | |
| 384 return true; | |
| 385 | |
| 386 // FIXME: According to http://www.chromium.org/Home/chromium-security/securi ty-faq#TOC-Which-origins-are-secure- should match all of 127/8 and ::1/8 | |
|
palmer
2014/05/24 01:44:30
Should be ::1/128. Also provide a reference to htt
| |
| 387 if (m_protocol != "" && !m_domainWasSetInDOM && (m_domain == "localhost" || m_domain == "127.0.0.1" || m_domain == "[::1]")) | |
| 388 return true; | |
| 389 | |
| 390 return false; | |
| 391 } | |
| 392 | |
| 378 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const | 393 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const |
| 379 { | 394 { |
| 380 if (m_universalAccess) | 395 if (m_universalAccess) |
| 381 return AlwaysAllow; | 396 return AlwaysAllow; |
| 382 if (isUnique()) | 397 if (isUnique()) |
| 383 return AlwaysDeny; | 398 return AlwaysDeny; |
| 384 return Ask; | 399 return Ask; |
| 385 } | 400 } |
| 386 | 401 |
| 387 void SecurityOrigin::grantLoadLocalResources() | 402 void SecurityOrigin::grantLoadLocalResources() |
| (...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 491 } | 506 } |
| 492 | 507 |
| 493 const String& SecurityOrigin::urlWithUniqueSecurityOrigin() | 508 const String& SecurityOrigin::urlWithUniqueSecurityOrigin() |
| 494 { | 509 { |
| 495 ASSERT(isMainThread()); | 510 ASSERT(isMainThread()); |
| 496 DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, ("data:,")); | 511 DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, ("data:,")); |
| 497 return uniqueSecurityOriginURL; | 512 return uniqueSecurityOriginURL; |
| 498 } | 513 } |
| 499 | 514 |
| 500 } // namespace WebCore | 515 } // namespace WebCore |
| OLD | NEW |
