Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp - WebKit - Git at Google

 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2004-2011, 2013, 2016 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Samuel Weinig <sam@webkit.org>
  *  Copyright (C) 2013 Michael Pruett <michael@68k.org>
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
  *  License as published by the Free Software Foundation; either
  *  version 2 of the License, or (at your option) any later version.
  *
  *  This library is distributed in the hope that it will be useful,
  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  *  Lesser General Public License for more details.
  *
  *  You should have received a copy of the GNU Lesser General Public
  *  License along with this library; if not, write to the Free Software
  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
  */

 #include "config.h"
 #include "JSDOMBindingSecurity.h"

 #include "DOMWindow.h"
 #include "Document.h"
 #include "Frame.h"
 #include "HTTPParsers.h"
 #include "JSDOMExceptionHandling.h"
 #include "JSDOMWindowBase.h"
 #include "SecurityOrigin.h"
 #include <wtf/text/WTFString.h>


 namespace WebCore {
 using namespace JSC;

 void printErrorMessageForFrame(Frame* frame, const String& message)
 {
     if (!frame)
         return;
     frame->document()->domWindow()->printErrorMessage(message);
 }

 static inline bool canAccessDocument(JSC::JSGlobalObject* lexicalGlobalObject, Document* targetDocument, SecurityReportingOption reportingOption)
 {
     VM& vm = lexicalGlobalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);

     if (!targetDocument)
         return false;

     if (auto* templateHost = targetDocument->templateDocumentHost())
         targetDocument = templateHost;

     DOMWindow& active = activeDOMWindow(*lexicalGlobalObject);

     if (active.document()->securityOrigin().canAccess(targetDocument->securityOrigin()))
         return true;

     switch (reportingOption) {
     case ThrowSecurityError:
         throwSecurityError(*lexicalGlobalObject, scope, targetDocument->domWindow()->crossDomainAccessErrorMessage(active, IncludeTargetOrigin::No));
         break;
     case LogSecurityError:
         printErrorMessageForFrame(targetDocument->frame(), targetDocument->domWindow()->crossDomainAccessErrorMessage(active, IncludeTargetOrigin::Yes));
         break;
     case DoNotReportSecurityError:
         break;
     }

     return false;
 }

 bool BindingSecurity::shouldAllowAccessToFrame(JSGlobalObject& lexicalGlobalObject, Frame& frame, String& message)
 {
     if (BindingSecurity::shouldAllowAccessToFrame(&lexicalGlobalObject, &frame, DoNotReportSecurityError))
         return true;
     message = frame.document()->domWindow()->crossDomainAccessErrorMessage(activeDOMWindow(lexicalGlobalObject), IncludeTargetOrigin::No);
     return false;
 }

 bool BindingSecurity::shouldAllowAccessToDOMWindow(JSGlobalObject& lexicalGlobalObject, DOMWindow* globalObject, String& message)
 {
     return globalObject && shouldAllowAccessToDOMWindow(lexicalGlobalObject, *globalObject, message);
 }

 bool BindingSecurity::shouldAllowAccessToDOMWindow(JSGlobalObject& lexicalGlobalObject, DOMWindow& globalObject, String& message)
 {
     if (BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, globalObject, DoNotReportSecurityError))
         return true;
     message = globalObject.crossDomainAccessErrorMessage(activeDOMWindow(lexicalGlobalObject), IncludeTargetOrigin::No);
     return false;
 }

 bool BindingSecurity::shouldAllowAccessToDOMWindow(JSC::JSGlobalObject* lexicalGlobalObject, DOMWindow& target, SecurityReportingOption reportingOption)
 {
     return canAccessDocument(lexicalGlobalObject, target.document(), reportingOption);
 }

 bool BindingSecurity::shouldAllowAccessToDOMWindow(JSC::JSGlobalObject* lexicalGlobalObject, DOMWindow* target, SecurityReportingOption reportingOption)
 {
     return target && shouldAllowAccessToDOMWindow(lexicalGlobalObject, *target, reportingOption);
 }

 bool BindingSecurity::shouldAllowAccessToFrame(JSC::JSGlobalObject* lexicalGlobalObject, Frame* target, SecurityReportingOption reportingOption)
 {
     return target && canAccessDocument(lexicalGlobalObject, target->document(), reportingOption);
 }

 bool BindingSecurity::shouldAllowAccessToNode(JSC::JSGlobalObject& lexicalGlobalObject, Node* target)
 {
     return !target || canAccessDocument(&lexicalGlobalObject, &target->document(), LogSecurityError);
 }

 } // namespace WebCore
	/*
	* Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
	* Copyright (C) 2004-2011, 2013, 2016 Apple Inc. All rights reserved.
	* Copyright (C) 2007 Samuel Weinig <sam@webkit.org>
	* Copyright (C) 2013 Michael Pruett <michael@68k.org>
	*
	* This library is free software; you can redistribute it and/or
	* modify it under the terms of the GNU Lesser General Public
	* License as published by the Free Software Foundation; either
	* version 2 of the License, or (at your option) any later version.
	*
	* This library is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	* Lesser General Public License for more details.
	*
	* You should have received a copy of the GNU Lesser General Public
	* License along with this library; if not, write to the Free Software
	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
	*/

	#include "config.h"
	#include "JSDOMBindingSecurity.h"

	#include "DOMWindow.h"
	#include "Document.h"
	#include "Frame.h"
	#include "HTTPParsers.h"
	#include "JSDOMExceptionHandling.h"
	#include "JSDOMWindowBase.h"
	#include "SecurityOrigin.h"
	#include <wtf/text/WTFString.h>


	namespace WebCore {
	using namespace JSC;

	void printErrorMessageForFrame(Frame* frame, const String& message)
	{
	if (!frame)
	return;
	frame->document()->domWindow()->printErrorMessage(message);
	}

	static inline bool canAccessDocument(JSC::JSGlobalObject* lexicalGlobalObject, Document* targetDocument, SecurityReportingOption reportingOption)
	{
	VM& vm = lexicalGlobalObject->vm();
	auto scope = DECLARE_THROW_SCOPE(vm);

	if (!targetDocument)
	return false;

	if (auto* templateHost = targetDocument->templateDocumentHost())
	targetDocument = templateHost;

	DOMWindow& active = activeDOMWindow(*lexicalGlobalObject);

	if (active.document()->securityOrigin().canAccess(targetDocument->securityOrigin()))
	return true;

	switch (reportingOption) {
	case ThrowSecurityError:
	throwSecurityError(*lexicalGlobalObject, scope, targetDocument->domWindow()->crossDomainAccessErrorMessage(active, IncludeTargetOrigin::No));
	break;
	case LogSecurityError:
	printErrorMessageForFrame(targetDocument->frame(), targetDocument->domWindow()->crossDomainAccessErrorMessage(active, IncludeTargetOrigin::Yes));
	break;
	case DoNotReportSecurityError:
	break;
	}

	return false;
	}

	bool BindingSecurity::shouldAllowAccessToFrame(JSGlobalObject& lexicalGlobalObject, Frame& frame, String& message)
	{
	if (BindingSecurity::shouldAllowAccessToFrame(&lexicalGlobalObject, &frame, DoNotReportSecurityError))
	return true;
	message = frame.document()->domWindow()->crossDomainAccessErrorMessage(activeDOMWindow(lexicalGlobalObject), IncludeTargetOrigin::No);
	return false;
	}

	bool BindingSecurity::shouldAllowAccessToDOMWindow(JSGlobalObject& lexicalGlobalObject, DOMWindow* globalObject, String& message)
	{
	return globalObject && shouldAllowAccessToDOMWindow(lexicalGlobalObject, *globalObject, message);
	}

	bool BindingSecurity::shouldAllowAccessToDOMWindow(JSGlobalObject& lexicalGlobalObject, DOMWindow& globalObject, String& message)
	{
	if (BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, globalObject, DoNotReportSecurityError))
	return true;
	message = globalObject.crossDomainAccessErrorMessage(activeDOMWindow(lexicalGlobalObject), IncludeTargetOrigin::No);
	return false;
	}

	bool BindingSecurity::shouldAllowAccessToDOMWindow(JSC::JSGlobalObject* lexicalGlobalObject, DOMWindow& target, SecurityReportingOption reportingOption)
	{
	return canAccessDocument(lexicalGlobalObject, target.document(), reportingOption);
	}

	bool BindingSecurity::shouldAllowAccessToDOMWindow(JSC::JSGlobalObject* lexicalGlobalObject, DOMWindow* target, SecurityReportingOption reportingOption)
	{
	return target && shouldAllowAccessToDOMWindow(lexicalGlobalObject, *target, reportingOption);
	}

	bool BindingSecurity::shouldAllowAccessToFrame(JSC::JSGlobalObject* lexicalGlobalObject, Frame* target, SecurityReportingOption reportingOption)
	{
	return target && canAccessDocument(lexicalGlobalObject, target->document(), reportingOption);
	}

	bool BindingSecurity::shouldAllowAccessToNode(JSC::JSGlobalObject& lexicalGlobalObject, Node* target)
	{
	return !target \|\| canAccessDocument(&lexicalGlobalObject, &target->document(), LogSecurityError);
	}

	} // namespace WebCore