OLD | NEW |
| (Empty) |
1 /* | |
2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved. | |
3 * | |
4 * Redistribution and use in source and binary forms, with or without | |
5 * modification, are permitted provided that the following conditions | |
6 * are met: | |
7 * | |
8 * 1. Redistributions of source code must retain the above copyright | |
9 * notice, this list of conditions and the following disclaimer. | |
10 * 2. Redistributions in binary form must reproduce the above copyright | |
11 * notice, this list of conditions and the following disclaimer in the | |
12 * documentation and/or other materials provided with the distribution. | |
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of | |
14 * its contributors may be used to endorse or promote products derived | |
15 * from this software without specific prior written permission. | |
16 * | |
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY | |
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY | |
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND | |
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
27 */ | |
28 | |
29 #ifndef SecurityOrigin_h | |
30 #define SecurityOrigin_h | |
31 | |
32 #include "weborigin/WebOriginExport.h" | |
33 #include "wtf/ThreadSafeRefCounted.h" | |
34 #include "wtf/text/WTFString.h" | |
35 | |
36 namespace WebCore { | |
37 | |
38 class KURL; | |
39 class SecurityOriginCache; | |
40 | |
41 class WEBORIGIN_EXPORT SecurityOrigin : public ThreadSafeRefCounted<SecurityOrig
in> { | |
42 public: | |
43 enum Policy { | |
44 AlwaysDeny = 0, | |
45 AlwaysAllow, | |
46 Ask | |
47 }; | |
48 | |
49 static PassRefPtr<SecurityOrigin> create(const KURL&); | |
50 static PassRefPtr<SecurityOrigin> createUnique(); | |
51 | |
52 static PassRefPtr<SecurityOrigin> createFromString(const String&); | |
53 static PassRefPtr<SecurityOrigin> create(const String& protocol, const Strin
g& host, int port); | |
54 | |
55 static void setCache(SecurityOriginCache*); | |
56 | |
57 // Some URL schemes use nested URLs for their security context. For example, | |
58 // filesystem URLs look like the following: | |
59 // | |
60 // filesystem:http://example.com/temporary/path/to/file.png | |
61 // | |
62 // We're supposed to use "http://example.com" as the origin. | |
63 // | |
64 // Generally, we add URL schemes to this list when WebKit support them. For | |
65 // example, we don't include the "jar" scheme, even though Firefox | |
66 // understands that "jar" uses an inner URL for it's security origin. | |
67 static bool shouldUseInnerURL(const KURL&); | |
68 static KURL extractInnerURL(const KURL&); | |
69 | |
70 // Create a deep copy of this SecurityOrigin. This method is useful | |
71 // when marshalling a SecurityOrigin to another thread. | |
72 PassRefPtr<SecurityOrigin> isolatedCopy() const; | |
73 | |
74 // Set the domain property of this security origin to newDomain. This | |
75 // function does not check whether newDomain is a suffix of the current | |
76 // domain. The caller is responsible for validating newDomain. | |
77 void setDomainFromDOM(const String& newDomain); | |
78 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } | |
79 | |
80 String protocol() const { return m_protocol; } | |
81 String host() const { return m_host; } | |
82 String domain() const { return m_domain; } | |
83 unsigned short port() const { return m_port; } | |
84 | |
85 // Returns true if a given URL is secure, based either directly on its | |
86 // own protocol, or, when relevant, on the protocol of its "inner URL" | |
87 // Protocols like blob: and filesystem: fall into this latter category. | |
88 static bool isSecure(const KURL&); | |
89 | |
90 // Returns true if this SecurityOrigin can script objects in the given | |
91 // SecurityOrigin. For example, call this function before allowing | |
92 // script from one security origin to read or write objects from | |
93 // another SecurityOrigin. | |
94 bool canAccess(const SecurityOrigin*) const; | |
95 | |
96 // Returns true if this SecurityOrigin can read content retrieved from | |
97 // the given URL. For example, call this function before issuing | |
98 // XMLHttpRequests. | |
99 bool canRequest(const KURL&) const; | |
100 | |
101 // Returns true if drawing an image from this URL taints a canvas from | |
102 // this security origin. For example, call this function before | |
103 // drawing an image onto an HTML canvas element with the drawImage API. | |
104 bool taintsCanvas(const KURL&) const; | |
105 | |
106 // Returns true if this SecurityOrigin can receive drag content from the | |
107 // initiator. For example, call this function before allowing content to be | |
108 // dropped onto a target. | |
109 bool canReceiveDragData(const SecurityOrigin* dragInitiator) const; | |
110 | |
111 // Returns true if |document| can display content from the given URL (e.g., | |
112 // in an iframe or as an image). For example, web sites generally cannot | |
113 // display content from the user's files system. | |
114 bool canDisplay(const KURL&) const; | |
115 | |
116 // Returns true if this SecurityOrigin can load local resources, such | |
117 // as images, iframes, and style sheets, and can link to local URLs. | |
118 // For example, call this function before creating an iframe to a | |
119 // file:// URL. | |
120 // | |
121 // Note: A SecurityOrigin might be allowed to load local resources | |
122 // without being able to issue an XMLHttpRequest for a local URL. | |
123 // To determine whether the SecurityOrigin can issue an | |
124 // XMLHttpRequest for a URL, call canRequest(url). | |
125 bool canLoadLocalResources() const { return m_canLoadLocalResources; } | |
126 | |
127 // Explicitly grant the ability to load local resources to this | |
128 // SecurityOrigin. | |
129 // | |
130 // Note: This method exists only to support backwards compatibility | |
131 // with older versions of WebKit. | |
132 void grantLoadLocalResources(); | |
133 | |
134 // Explicitly grant the ability to access very other SecurityOrigin. | |
135 // | |
136 // WARNING: This is an extremely powerful ability. Use with caution! | |
137 void grantUniversalAccess(); | |
138 | |
139 bool canAccessDatabase() const { return !isUnique(); }; | |
140 bool canAccessLocalStorage() const { return !isUnique(); }; | |
141 bool canAccessSharedWorkers() const { return !isUnique(); } | |
142 bool canAccessCookies() const { return !isUnique(); } | |
143 bool canAccessPasswordManager() const { return !isUnique(); } | |
144 bool canAccessFileSystem() const { return !isUnique(); } | |
145 Policy canShowNotifications() const; | |
146 | |
147 // Technically, we should always allow access to sessionStorage, but we | |
148 // currently don't handle creating a sessionStorage area for unique | |
149 // origins. | |
150 bool canAccessSessionStorage() const { return !isUnique(); } | |
151 | |
152 // The local SecurityOrigin is the most privileged SecurityOrigin. | |
153 // The local SecurityOrigin can script any document, navigate to local | |
154 // resources, and can set arbitrary headers on XMLHttpRequests. | |
155 bool isLocal() const; | |
156 | |
157 // The origin is a globally unique identifier assigned when the Document is | |
158 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin | |
159 // | |
160 // There's a subtle difference between a unique origin and an origin that | |
161 // has the SandboxOrigin flag set. The latter implies the former, and, in | |
162 // addition, the SandboxOrigin flag is inherited by iframes. | |
163 bool isUnique() const { return m_isUnique; } | |
164 | |
165 // Marks a file:// origin as being in a domain defined by its path. | |
166 // FIXME 81578: The naming of this is confusing. Files with restricted acces
s to other local files | |
167 // still can have other privileges that can be remembered, thereby not makin
g them unique. | |
168 void enforceFilePathSeparation(); | |
169 | |
170 // Convert this SecurityOrigin into a string. The string | |
171 // representation of a SecurityOrigin is similar to a URL, except it | |
172 // lacks a path component. The string representation does not encode | |
173 // the value of the SecurityOrigin's domain property. | |
174 // | |
175 // When using the string value, it's important to remember that it might be | |
176 // "null". This happens when this SecurityOrigin is unique. For example, | |
177 // this SecurityOrigin might have come from a sandboxed iframe, the | |
178 // SecurityOrigin might be empty, or we might have explicitly decided that | |
179 // we shouldTreatURLSchemeAsNoAccess. | |
180 String toString() const; | |
181 | |
182 // Similar to toString(), but does not take into account any factors that | |
183 // could make the string return "null". | |
184 String toRawString() const; | |
185 | |
186 // This method checks for equality between SecurityOrigins, not whether | |
187 // one origin can access another. It is used for hash table keys. | |
188 // For access checks, use canAccess(). | |
189 // FIXME: If this method is really only useful for hash table keys, it | |
190 // should be refactored into SecurityOriginHash. | |
191 bool equal(const SecurityOrigin*) const; | |
192 | |
193 // This method checks for equality, ignoring the value of document.domain | |
194 // (and whether it was set) but considering the host. It is used for postMes
sage. | |
195 bool isSameSchemeHostPort(const SecurityOrigin*) const; | |
196 | |
197 bool needsDatabaseIdentifierQuirkForFiles() const { return m_needsDatabaseId
entifierQuirkForFiles; } | |
198 | |
199 static const String& urlWithUniqueSecurityOrigin(); | |
200 | |
201 private: | |
202 SecurityOrigin(); | |
203 explicit SecurityOrigin(const KURL&); | |
204 explicit SecurityOrigin(const SecurityOrigin*); | |
205 | |
206 // FIXME: Rename this function to something more semantic. | |
207 bool passesFileCheck(const SecurityOrigin*) const; | |
208 | |
209 String m_protocol; | |
210 String m_host; | |
211 String m_domain; | |
212 String m_filePath; | |
213 unsigned short m_port; | |
214 bool m_isUnique; | |
215 bool m_universalAccess; | |
216 bool m_domainWasSetInDOM; | |
217 bool m_canLoadLocalResources; | |
218 bool m_enforceFilePathSeparation; | |
219 bool m_needsDatabaseIdentifierQuirkForFiles; | |
220 }; | |
221 | |
222 } // namespace WebCore | |
223 | |
224 #endif // SecurityOrigin_h | |
OLD | NEW |