diff options
Diffstat (limited to 'src/3rdparty/webkit/WebCore/page/SecurityOrigin.h')
-rw-r--r-- | src/3rdparty/webkit/WebCore/page/SecurityOrigin.h | 312 |
1 files changed, 172 insertions, 140 deletions
diff --git a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.h b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.h index 6d4ce1f..11c213e 100644 --- a/src/3rdparty/webkit/WebCore/page/SecurityOrigin.h +++ b/src/3rdparty/webkit/WebCore/page/SecurityOrigin.h @@ -34,152 +34,184 @@ #include <wtf/PassRefPtr.h> #include <wtf/Threading.h> +#include "FrameLoaderTypes.h" #include "PlatformString.h" #include "StringHash.h" namespace WebCore { - typedef HashSet<String, CaseFoldingHash> URLSchemesMap; - - class Document; - class KURL; - - class SecurityOrigin : public ThreadSafeShared<SecurityOrigin> { - public: - static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&); - static PassRefPtr<SecurityOrigin> createFromString(const String&); - static PassRefPtr<SecurityOrigin> create(const KURL&); - static PassRefPtr<SecurityOrigin> createEmpty(); - - // Create a deep copy of this SecurityOrigin. This method is useful - // when marshalling a SecurityOrigin to another thread. - PassRefPtr<SecurityOrigin> threadsafeCopy(); - - // Set the domain property of this security origin to newDomain. This - // function does not check whether newDomain is a suffix of the current - // domain. The caller is responsible for validating newDomain. - void setDomainFromDOM(const String& newDomain); - bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } - - String protocol() const { return m_protocol; } - String host() const { return m_host; } - String domain() const { return m_domain; } - unsigned short port() const { return m_port; } - - // Returns true if this SecurityOrigin can script objects in the given - // SecurityOrigin. For example, call this function before allowing - // script from one security origin to read or write objects from - // another SecurityOrigin. - bool canAccess(const SecurityOrigin*) const; - - // Returns true if this SecurityOrigin can read content retrieved from - // the given URL. For example, call this function before issuing - // XMLHttpRequests. - bool canRequest(const KURL&) const; - - // Returns true if drawing an image from this URL taints a canvas from - // this security origin. For example, call this function before - // drawing an image onto an HTML canvas element with the drawImage API. - bool taintsCanvas(const KURL&) const; - - // Returns true for any non-local URL. If document parameter is supplied, - // its local load policy dictates, otherwise if referrer is non-empty and - // represents a local file, then the local load is allowed. - static bool canLoad(const KURL&, const String& referrer, Document* document); - - // Returns true if this SecurityOrigin can load local resources, such - // as images, iframes, and style sheets, and can link to local URLs. - // For example, call this function before creating an iframe to a - // file:// URL. - // - // Note: A SecurityOrigin might be allowed to load local resources - // without being able to issue an XMLHttpRequest for a local URL. - // To determine whether the SecurityOrigin can issue an - // XMLHttpRequest for a URL, call canRequest(url). - bool canLoadLocalResources() const { return m_canLoadLocalResources; } - - // Explicitly grant the ability to load local resources to this - // SecurityOrigin. - // - // Note: This method exists only to support backwards compatibility - // with older versions of WebKit. - void grantLoadLocalResources(); - - // Explicitly grant the ability to access very other SecurityOrigin. - // - // WARNING: This is an extremely powerful ability. Use with caution! - void grantUniversalAccess(); - - bool isSecureTransitionTo(const KURL&) const; - - // The local SecurityOrigin is the most privileged SecurityOrigin. - // The local SecurityOrigin can script any document, navigate to local - // resources, and can set arbitrary headers on XMLHttpRequests. - bool isLocal() const; - - // The empty SecurityOrigin is the least privileged SecurityOrigin. - bool isEmpty() const; - - // Convert this SecurityOrigin into a string. The string - // representation of a SecurityOrigin is similar to a URL, except it - // lacks a path component. The string representation does not encode - // the value of the SecurityOrigin's domain property. The empty - // SecurityOrigin is represented with the string "null". - String toString() const; - - // Serialize the security origin to a string that could be used as part of - // file names. This format should be used in storage APIs only. - String databaseIdentifier() const; - - // This method checks for equality between SecurityOrigins, not whether - // one origin can access another. It is used for hash table keys. - // For access checks, use canAccess(). - // FIXME: If this method is really only useful for hash table keys, it - // should be refactored into SecurityOriginHash. - bool equal(const SecurityOrigin*) const; - - // This method checks for equality, ignoring the value of document.domain - // (and whether it was set) but considering the host. It is used for postMessage. - bool isSameSchemeHostPort(const SecurityOrigin*) const; - - static void registerURLSchemeAsLocal(const String&); - static void removeURLSchemeRegisteredAsLocal(const String&); - static const URLSchemesMap& localURLSchemes(); - static bool shouldTreatURLAsLocal(const String&); - static bool shouldTreatURLSchemeAsLocal(const String&); - - static bool shouldHideReferrer(const KURL&, const String& referrer); - - enum LocalLoadPolicy { - AllowLocalLoadsForAll, // No restriction on local loads. - AllowLocalLoadsForLocalAndSubstituteData, - AllowLocalLoadsForLocalOnly, - }; - static void setLocalLoadPolicy(LocalLoadPolicy); - static bool restrictAccessToLocal(); - static bool allowSubstituteDataAccessToLocal(); - - static void registerURLSchemeAsNoAccess(const String&); - static bool shouldTreatURLSchemeAsNoAccess(const String&); - - static void whiteListAccessFromOrigin(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains); - static void resetOriginAccessWhiteLists(); - - static bool isDefaultPortForProtocol(unsigned short port, const String& protocol); - - private: - explicit SecurityOrigin(const KURL&); - explicit SecurityOrigin(const SecurityOrigin*); - - String m_protocol; - String m_host; - String m_domain; - unsigned short m_port; - bool m_noAccess; - bool m_universalAccess; - bool m_domainWasSetInDOM; - bool m_canLoadLocalResources; +typedef HashSet<String, CaseFoldingHash> URLSchemesMap; + +class Document; +class KURL; + +class SecurityOrigin : public ThreadSafeShared<SecurityOrigin> { +public: + static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&); + static PassRefPtr<SecurityOrigin> createFromString(const String&); + static PassRefPtr<SecurityOrigin> create(const KURL&, SandboxFlags = SandboxNone); + static PassRefPtr<SecurityOrigin> createEmpty(); + + // Create a deep copy of this SecurityOrigin. This method is useful + // when marshalling a SecurityOrigin to another thread. + PassRefPtr<SecurityOrigin> threadsafeCopy(); + + // Set the domain property of this security origin to newDomain. This + // function does not check whether newDomain is a suffix of the current + // domain. The caller is responsible for validating newDomain. + void setDomainFromDOM(const String& newDomain); + bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } + + static void setDomainRelaxationForbiddenForURLScheme(bool forbidden, const String&); + static bool isDomainRelaxationForbiddenForURLScheme(const String&); + + String protocol() const { return m_protocol; } + String host() const { return m_host; } + String domain() const { return m_domain; } + unsigned short port() const { return m_port; } + + // Returns true if this SecurityOrigin can script objects in the given + // SecurityOrigin. For example, call this function before allowing + // script from one security origin to read or write objects from + // another SecurityOrigin. + bool canAccess(const SecurityOrigin*) const; + + // Returns true if this SecurityOrigin can read content retrieved from + // the given URL. For example, call this function before issuing + // XMLHttpRequests. + bool canRequest(const KURL&) const; + + // Returns true if drawing an image from this URL taints a canvas from + // this security origin. For example, call this function before + // drawing an image onto an HTML canvas element with the drawImage API. + bool taintsCanvas(const KURL&) const; + + // Returns true for any non-local URL. If document parameter is supplied, + // its local load policy dictates, otherwise if referrer is non-empty and + // represents a local file, then the local load is allowed. + static bool canLoad(const KURL&, const String& referrer, Document* document); + + // Returns true if this SecurityOrigin can load local resources, such + // as images, iframes, and style sheets, and can link to local URLs. + // For example, call this function before creating an iframe to a + // file:// URL. + // + // Note: A SecurityOrigin might be allowed to load local resources + // without being able to issue an XMLHttpRequest for a local URL. + // To determine whether the SecurityOrigin can issue an + // XMLHttpRequest for a URL, call canRequest(url). + bool canLoadLocalResources() const { return m_canLoadLocalResources; } + + // Explicitly grant the ability to load local resources to this + // SecurityOrigin. + // + // Note: This method exists only to support backwards compatibility + // with older versions of WebKit. + void grantLoadLocalResources(); + + // Explicitly grant the ability to access very other SecurityOrigin. + // + // WARNING: This is an extremely powerful ability. Use with caution! + void grantUniversalAccess(); + + bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; } + + bool canAccessDatabase() const { return !isUnique(); } + bool canAccessLocalStorage() const { return !isUnique(); } + bool canAccessCookies() const { return !isUnique(); } + + bool isSecureTransitionTo(const KURL&) const; + + // The local SecurityOrigin is the most privileged SecurityOrigin. + // The local SecurityOrigin can script any document, navigate to local + // resources, and can set arbitrary headers on XMLHttpRequests. + bool isLocal() const; + + // The empty SecurityOrigin is the least privileged SecurityOrigin. + bool isEmpty() const; + + // The origin is a globally unique identifier assigned when the Document is + // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin + // + // There's a subtle difference between a unique origin and an origin that + // has the SandboxOrigin flag set. The latter implies the former, and, in + // addition, the SandboxOrigin flag is inherited by iframes. + bool isUnique() const { return m_isUnique; } + + // Marks an origin as being unique. + void makeUnique(); + + // Convert this SecurityOrigin into a string. The string + // representation of a SecurityOrigin is similar to a URL, except it + // lacks a path component. The string representation does not encode + // the value of the SecurityOrigin's domain property. + // + // When using the string value, it's important to remember that it might be + // "null". This happens when this SecurityOrigin is unique. For example, + // this SecurityOrigin might have come from a sandboxed iframe, the + // SecurityOrigin might be empty, or we might have explicitly decided that + // we shouldTreatURLSchemeAsNoAccess. + String toString() const; + + // Serialize the security origin to a string that could be used as part of + // file names. This format should be used in storage APIs only. + String databaseIdentifier() const; + + // This method checks for equality between SecurityOrigins, not whether + // one origin can access another. It is used for hash table keys. + // For access checks, use canAccess(). + // FIXME: If this method is really only useful for hash table keys, it + // should be refactored into SecurityOriginHash. + bool equal(const SecurityOrigin*) const; + + // This method checks for equality, ignoring the value of document.domain + // (and whether it was set) but considering the host. It is used for postMessage. + bool isSameSchemeHostPort(const SecurityOrigin*) const; + + static void registerURLSchemeAsLocal(const String&); + static void removeURLSchemeRegisteredAsLocal(const String&); + static const URLSchemesMap& localURLSchemes(); + static bool shouldTreatURLAsLocal(const String&); + static bool shouldTreatURLSchemeAsLocal(const String&); + + // Secure schemes do not trigger mixed content warnings. For example, + // https and data are secure schemes because they cannot be corrupted by + // active network attackers. + static void registerURLSchemeAsSecure(const String&); + static bool shouldTreatURLSchemeAsSecure(const String&); + + static bool shouldHideReferrer(const KURL&, const String& referrer); + + enum LocalLoadPolicy { + AllowLocalLoadsForAll, // No restriction on local loads. + AllowLocalLoadsForLocalAndSubstituteData, + AllowLocalLoadsForLocalOnly, }; + static void setLocalLoadPolicy(LocalLoadPolicy); + static bool restrictAccessToLocal(); + static bool allowSubstituteDataAccessToLocal(); + + static void registerURLSchemeAsNoAccess(const String&); + static bool shouldTreatURLSchemeAsNoAccess(const String&); + + static void whiteListAccessFromOrigin(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains); + static void resetOriginAccessWhiteLists(); + +private: + SecurityOrigin(const KURL&, SandboxFlags); + explicit SecurityOrigin(const SecurityOrigin*); + + SandboxFlags m_sandboxFlags; + String m_protocol; + String m_host; + mutable String m_encodedHost; + String m_domain; + unsigned short m_port; + bool m_isUnique; + bool m_universalAccess; + bool m_domainWasSetInDOM; + bool m_canLoadLocalResources; +}; } // namespace WebCore |