1 /* | 1 /* |
2 * Copyright (C) 2007 Apple Inc. All rights reserved. | 2 * Copyright (C) 2007 Apple Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * | 7 * |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
368 | 368 |
369 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol)) | 369 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol)) |
370 return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListe d(this, url); | 370 return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListe d(this, url); |
371 | 371 |
372 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) | 372 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) |
373 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteList ed(this, url); | 373 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteList ed(this, url); |
374 | 374 |
375 return true; | 375 return true; |
376 } | 376 } |
377 | 377 |
378 // This implementation follows: | |
379 // http://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins -are-secure- | |
380 // | |
381 // See the unit-tests in SecurityOriginTests for specific examples. | |
382 // | |
383 // There are some subtleties in what the SecurityOrigin ends up being for | |
384 // various circumstances, especially scripts involving data:URLs: | |
385 // | |
386 // FIXME: http://crbug.com/362214: Codify these as tests, rather than documentat ion! | |
387 // | |
388 // Source a <script src="data:..."> from within a https://secure document | |
389 // * The script should be granted access | |
390 // * The script's SecurityOrigin inherits from the parent document, and will | |
391 // be https://secure. | |
392 // | |
393 // Source a <script src="data:..."> from within a http://evil document | |
394 // * The script should NOT be granted access. | |
395 // * The script's SecurityOrigin inherits from the parent document, and will | |
396 // be http://evil. | |
397 // | |
398 // Source a <script src="http://evil/foo.js"> but the server redirects to a data :URL | |
399 // * The script should NOT be granted access. | |
400 // * The script's SecurityOrigin will be "unique" and hence not considered a | |
401 // secure protocol. (This is important because SchemeRegistry treats "data" | |
402 // as a secure protocol). | |
403 // | |
404 // Source a <script src="https://secure/foo.js"> but the server redirects to a | |
405 // data:URL | |
406 // * The script will not be granted access. | |
407 // * Although in practice it was delivered over a secure transport, blink | |
408 // considers the script to have a "unique" SecurityOrigin. | |
409 // | |
410 // Create a "new Worker('data:..')" from within a http://evil document | |
411 // * WebWorker should NOT be granted access | |
412 // * In practice this is an invalid test -- specifying a data:URL for a | |
413 // WebWorker script is not supported. If it were however, then it should | |
414 // NOT be granted access. | |
415 // | |
416 // Create a "new Worker('http://evil/foo.js')" from within an https://secure | |
417 // document. | |
418 // * WebWorker should be granted access | |
419 // * This will trigger a mixed content warning however. | |
420 // | |
421 // Create an <iframe src="data:..."> from within a https://secure document | |
422 // * In practice this is going to deny access, because Blink gives the | |
423 // iframe a SecurityOrigin of "unique". In theory though, the script source | |
424 // was delivered over a secure transport so this could be granted access. | |
425 // | |
426 // Create an <iframe sandbox="allow-scripts allow-same-origin" src="data:..."> | |
427 // within a https://foo/ document. | |
428 // * The iframe will be granted access. | |
429 // | |
430 // Create an <iframe sandbox="allow-scripts"> from a https://foo document | |
431 // * The resulting page should NOT be granted access | |
432 // * The iframe document's SecurityOrigin will be "unique" | |
433 // | |
434 // Click on a link to a data:URL linked within an http://evil document | |
435 // * The resulting page should NOT be granted access | |
436 // * The new document's SecurityOrigin will be "unique". | |
437 // | |
438 // Enter a data:URL directly into the omnibox, for a mimetype of text/html | |
439 // * In theory access could be granted since the content came locally. | |
440 // However in practice this is treated the same as clicking a link to a | |
441 // data:URL. | |
abarth-chromium
2014/06/06 20:36:34
Please remove this comment. If you want to have t
eroman
2014/06/10 01:00:11
Done.
| |
442 bool SecurityOrigin::canAccessFeatureRequiringSecureOrigin() const | |
443 { | |
444 if (isLocal()) | |
445 return true; | |
446 | |
447 // It is not possible for m_protocol to be "data" here. But if it | |
448 // is, then SchemeRegistry will incorrectly treat it as secure, so | |
449 // defensively reject it. | |
450 if (m_protocol == "data") | |
451 return false; | |
abarth-chromium
2014/06/06 20:36:34
Generally, we don't include dead code in the produ
eroman
2014/06/10 01:00:11
Done.
| |
452 | |
453 if (SchemeRegistry::shouldTreatURLSchemeAsSecure(m_protocol)) | |
454 return true; | |
455 | |
456 // FIXME: http://crbug.com/362214 | |
457 // The localhost check should be more relaxed and allow all of 127/8 and | |
458 // ::1/128. | |
459 if (!m_protocol.isEmpty() && !m_domainWasSetInDOM && (m_domain == "localhost " || m_domain == "127.0.0.1" || m_domain == "[::1]")) | |
460 return true; | |
abarth-chromium
2014/06/06 20:36:34
Using m_domain here is incorrect. You want to use
eroman
2014/06/10 01:00:11
Done.
| |
461 | |
462 return false; | |
463 } | |
464 | |
378 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const | 465 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const |
379 { | 466 { |
380 if (m_universalAccess) | 467 if (m_universalAccess) |
381 return AlwaysAllow; | 468 return AlwaysAllow; |
382 if (isUnique()) | 469 if (isUnique()) |
383 return AlwaysDeny; | 470 return AlwaysDeny; |
384 return Ask; | 471 return Ask; |
385 } | 472 } |
386 | 473 |
387 void SecurityOrigin::grantLoadLocalResources() | 474 void SecurityOrigin::grantLoadLocalResources() |
491 } | 578 } |
492 | 579 |
493 const String& SecurityOrigin::urlWithUniqueSecurityOrigin() | 580 const String& SecurityOrigin::urlWithUniqueSecurityOrigin() |
494 { | 581 { |
495 ASSERT(isMainThread()); | 582 ASSERT(isMainThread()); |
496 DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, ("data:,")); | 583 DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, ("data:,")); |
497 return uniqueSecurityOriginURL; | 584 return uniqueSecurityOriginURL; |
498 } | 585 } |
499 | 586 |
500 } // namespace WebCore | 587 } // namespace WebCore |
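Review bot: canAccessFeatureRequiringSecureOrigin (new-side lines 442-463) never tests isUnique(), so a unique origin is denied only because, presumably, its m_protocol is empty and therefore fails both the SchemeRegistry::shouldTreatURLSchemeAsSecure lookup and the !m_protocol.isEmpty() guard on the loopback branch; the neighbouring canShowNotifications checks isUnique() explicitly and returns AlwaysDeny. Adding `if (isUnique()) return false;` directly after the isLocal() branch makes the deny independent of how a unique origin happens to be represented and keeps the two predicates consistent. The function also has no header comment stating its contract; a one-liner such as `// True for origins allowed to use features restricted to secure origins: local, secure-scheme, or loopback-host origins.` placed above the signature would let a reader see the three grant conditions without tracing the body. The whole function lies within the section, so no part of it is cut off.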