1/*
2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#ifndef SecurityOrigin_h
30#define SecurityOrigin_h
31
32#include <wtf/ThreadSafeRefCounted.h>
33#include <wtf/text/WTFString.h>
34
35namespace WebCore {
36
37class URL;
38
39class SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> {
40public:
41 enum Policy {
42 AlwaysDeny = 0,
43 AlwaysAllow,
44 Ask
45 };
46
47 enum StorageBlockingPolicy {
48 AllowAllStorage = 0,
49 BlockThirdPartyStorage,
50 BlockAllStorage
51 };
52
53 WEBCORE_EXPORT static Ref<SecurityOrigin> create(const URL&);
54 static Ref<SecurityOrigin> createUnique();
55
56 WEBCORE_EXPORT static Ref<SecurityOrigin> createFromDatabaseIdentifier(const String&);
57 // Alternate form of createFromDatabaseIdentifier that returns a nullptr on failure, instead of an empty origin.
58 // FIXME: Many users of createFromDatabaseIdentifier seem to expect maybeCreateFromDatabaseIdentifier behavior,
59 // but they aren't getting it so they might be buggy.
60 WEBCORE_EXPORT static RefPtr<SecurityOrigin> maybeCreateFromDatabaseIdentifier(const String&);
61
62 WEBCORE_EXPORT static Ref<SecurityOrigin> createFromString(const String&);
63 WEBCORE_EXPORT static Ref<SecurityOrigin> create(const String& protocol, const String& host, int port);
64
65 // Some URL schemes use nested URLs for their security context. For example,
66 // filesystem URLs look like the following:
67 //
68 // filesystem:http://example.com/temporary/path/to/file.png
69 //
70 // We're supposed to use "http://example.com" as the origin.
71 //
72 // Generally, we add URL schemes to this list when WebKit support them. For
73 // example, we don't include the "jar" scheme, even though Firefox
74 // understands that "jar" uses an inner URL for it's security origin.
75 static bool shouldUseInnerURL(const URL&);
76 static URL extractInnerURL(const URL&);
77
78 // Create a deep copy of this SecurityOrigin. This method is useful
79 // when marshalling a SecurityOrigin to another thread.
80 WEBCORE_EXPORT Ref<SecurityOrigin> isolatedCopy() const;
81
82 // Set the domain property of this security origin to newDomain. This
83 // function does not check whether newDomain is a suffix of the current
84 // domain. The caller is responsible for validating newDomain.
85 void setDomainFromDOM(const String& newDomain);
86 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
87
88 String protocol() const { return m_protocol; }
89 String host() const { return m_host; }
90 String domain() const { return m_domain; }
91 unsigned short port() const { return m_port; }
92
93 // Returns true if a given URL is secure, based either directly on its
94 // own protocol, or, when relevant, on the protocol of its "inner URL"
95 // Protocols like blob: and filesystem: fall into this latter category.
96 static bool isSecure(const URL&);
97
98 // Returns true if this SecurityOrigin can script objects in the given
99 // SecurityOrigin. For example, call this function before allowing
100 // script from one security origin to read or write objects from
101 // another SecurityOrigin.
102 WEBCORE_EXPORT bool canAccess(const SecurityOrigin*) const;
103
104 // Returns true if this SecurityOrigin can read content retrieved from
105 // the given URL. For example, call this function before issuing
106 // XMLHttpRequests.
107 bool canRequest(const URL&) const;
108
109 // Returns true if drawing an image from this URL taints a canvas from
110 // this security origin. For example, call this function before
111 // drawing an image onto an HTML canvas element with the drawImage API.
112 bool taintsCanvas(const URL&) const;
113
114 // Returns true if this SecurityOrigin can receive drag content from the
115 // initiator. For example, call this function before allowing content to be
116 // dropped onto a target.
117 bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;
118
119 // Returns true if |document| can display content from the given URL (e.g.,
120 // in an iframe or as an image). For example, web sites generally cannot
121 // display content from the user's files system.
122 WEBCORE_EXPORT bool canDisplay(const URL&) const;
123
124 // Returns true if this SecurityOrigin can load local resources, such
125 // as images, iframes, and style sheets, and can link to local URLs.
126 // For example, call this function before creating an iframe to a
127 // file:// URL.
128 //
129 // Note: A SecurityOrigin might be allowed to load local resources
130 // without being able to issue an XMLHttpRequest for a local URL.
131 // To determine whether the SecurityOrigin can issue an
132 // XMLHttpRequest for a URL, call canRequest(url).
133 bool canLoadLocalResources() const { return m_canLoadLocalResources; }
134
135 // Explicitly grant the ability to load local resources to this
136 // SecurityOrigin.
137 //
138 // Note: This method exists only to support backwards compatibility
139 // with older versions of WebKit.
140 void grantLoadLocalResources();
141
142 // Explicitly grant the ability to access very other SecurityOrigin.
143 //
144 // WARNING: This is an extremely powerful ability. Use with caution!
145 void grantUniversalAccess();
146
147 void setStorageBlockingPolicy(StorageBlockingPolicy policy) { m_storageBlockingPolicy = policy; }
148
149#if ENABLE(CACHE_PARTITIONING)
150 WEBCORE_EXPORT String domainForCachePartition() const;
151#endif
152
153 bool canAccessDatabase(const SecurityOrigin* topOrigin = nullptr) const { return canAccessStorage(topOrigin); };
154 bool canAccessSessionStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin, AlwaysAllowFromThirdParty); }
155 bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); };
156 bool canAccessPluginStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
157 bool canAccessApplicationCache(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
158 bool canAccessCookies() const { return !isUnique(); }
159 bool canRequestGeolocation() const { return !isUnique(); }
160 Policy canShowNotifications() const;
161
162 // The local SecurityOrigin is the most privileged SecurityOrigin.
163 // The local SecurityOrigin can script any document, navigate to local
164 // resources, and can set arbitrary headers on XMLHttpRequests.
165 WEBCORE_EXPORT bool isLocal() const;
166
167 // The origin is a globally unique identifier assigned when the Document is
168 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
169 //
170 // There's a subtle difference between a unique origin and an origin that
171 // has the SandboxOrigin flag set. The latter implies the former, and, in
172 // addition, the SandboxOrigin flag is inherited by iframes.
173 bool isUnique() const { return m_isUnique; }
174
175 // Marks a file:// origin as being in a domain defined by its path.
176 // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
177 // still can have other privileges that can be remembered, thereby not making them unique.
178 void enforceFilePathSeparation();
179
180 // Convert this SecurityOrigin into a string. The string
181 // representation of a SecurityOrigin is similar to a URL, except it
182 // lacks a path component. The string representation does not encode
183 // the value of the SecurityOrigin's domain property.
184 //
185 // When using the string value, it's important to remember that it might be
186 // "null". This happens when this SecurityOrigin is unique. For example,
187 // this SecurityOrigin might have come from a sandboxed iframe, the
188 // SecurityOrigin might be empty, or we might have explicitly decided that
189 // we shouldTreatURLSchemeAsNoAccess.
190 WEBCORE_EXPORT String toString() const;
191
192 // Similar to toString(), but does not take into account any factors that
193 // could make the string return "null".
194 WEBCORE_EXPORT String toRawString() const;
195
196 // Serialize the security origin to a string that could be used as part of
197 // file names. This format should be used in storage APIs only.
198 WEBCORE_EXPORT String databaseIdentifier() const;
199
200 // This method checks for equality between SecurityOrigins, not whether
201 // one origin can access another. It is used for hash table keys.
202 // For access checks, use canAccess().
203 // FIXME: If this method is really only useful for hash table keys, it
204 // should be refactored into SecurityOriginHash.
205 WEBCORE_EXPORT bool equal(const SecurityOrigin*) const;
206
207 // This method checks for equality, ignoring the value of document.domain
208 // (and whether it was set) but considering the host. It is used for postMessage.
209 WEBCORE_EXPORT bool isSameSchemeHostPort(const SecurityOrigin*) const;
210
211 static URL urlWithUniqueSecurityOrigin();
212
213private:
214 SecurityOrigin();
215 explicit SecurityOrigin(const URL&);
216 explicit SecurityOrigin(const SecurityOrigin*);
217
218 // FIXME: Rename this function to something more semantic.
219 bool passesFileCheck(const SecurityOrigin*) const;
220 bool isThirdParty(const SecurityOrigin*) const;
221
222 // This method checks that the scheme for this origin is an HTTP-family
223 // scheme, e.g. HTTP and HTTPS.
224 bool isHTTPFamily() const { return m_protocol == "http" || m_protocol == "https"; }
225
226 enum ShouldAllowFromThirdParty { AlwaysAllowFromThirdParty, MaybeAllowFromThirdParty };
227 WEBCORE_EXPORT bool canAccessStorage(const SecurityOrigin*, ShouldAllowFromThirdParty = MaybeAllowFromThirdParty) const;
228
229 String m_protocol;
230 String m_host;
231 String m_domain;
232 String m_filePath;
233 unsigned short m_port;
234 bool m_isUnique;
235 bool m_universalAccess;
236 bool m_domainWasSetInDOM;
237 bool m_canLoadLocalResources;
238 StorageBlockingPolicy m_storageBlockingPolicy;
239 bool m_enforceFilePathSeparation;
240 bool m_needsDatabaseIdentifierQuirkForFiles;
241};
242
243} // namespace WebCore
244
245#endif // SecurityOrigin_h
246