| /* |
| * Copyright (C) 2007 Apple Inc. All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in the |
| * documentation and/or other materials provided with the distribution. |
| * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of |
| * its contributors may be used to endorse or promote products derived |
| * from this software without specific prior written permission. |
| * |
| * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY |
| * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
| * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY |
| * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
| * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
| * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| */ |
| |
| #include "config.h" |
| #include "SecurityOrigin.h" |
| |
| #include "BlobURL.h" |
| #include "Document.h" |
| #include "FileSystem.h" |
| #include "KURL.h" |
| #include "SchemeRegistry.h" |
| #include "SecurityPolicy.h" |
| #include "ThreadableBlobRegistry.h" |
| #include <wtf/MainThread.h> |
| #include <wtf/StdLibExtras.h> |
| #include <wtf/text/StringBuilder.h> |
| |
| namespace WebCore { |
| |
| const int InvalidPort = 0; |
| const int MaxAllowedPort = 65535; |
| |
| static bool schemeRequiresAuthority(const KURL& url) |
| { |
| // We expect URLs with these schemes to have authority components. If the |
| // URL lacks an authority component, we get concerned and mark the origin |
| // as unique. |
| return url.protocolIsInHTTPFamily() || url.protocolIs("ftp"); |
| } |
| |
| // Some URL schemes use nested URLs for their security context. For example, |
| // filesystem URLs look like the following: |
| // |
| // filesystem:http://example.com/temporary/path/to/file.png |
| // |
| // We're supposed to use "http://example.com" as the origin. |
| // |
| // Generally, we add URL schemes to this list when WebKit support them. For |
| // example, we don't include the "jar" scheme, even though Firefox understands |
| // that jar uses an inner URL for it's security origin. |
| // |
| static bool shouldUseInnerURL(const KURL& url) |
| { |
| #if ENABLE(BLOB) |
| if (url.protocolIs("blob")) |
| return true; |
| #endif |
| #if ENABLE(FILE_SYSTEM) |
| if (url.protocolIs("filesystem")) |
| return true; |
| #endif |
| UNUSED_PARAM(url); |
| return false; |
| } |
| |
| // In general, extracting the inner URL varies by scheme. It just so happens |
| // that all the URL schemes we currently support that use inner URLs for their |
| // security origin can be parsed using this algorithm. |
| static KURL extractInnerURL(const KURL& url) |
| { |
| if (url.innerURL()) |
| return *url.innerURL(); |
| // FIXME: Update this callsite to use the innerURL member function when |
| // we finish implementing it. |
| return KURL(ParsedURLString, decodeURLEscapeSequences(url.path())); |
| } |
| |
| static PassRefPtr<SecurityOrigin> getCachedOrigin(const KURL& url) |
| { |
| #if ENABLE(BLOB) |
| if (url.protocolIs("blob")) |
| return ThreadableBlobRegistry::getCachedOrigin(url); |
| #endif |
| return 0; |
| } |
| |
| static bool shouldTreatAsUniqueOrigin(const KURL& url) |
| { |
| if (!url.isValid()) |
| return true; |
| |
| // FIXME: Do we need to unwrap the URL further? |
| KURL innerURL = shouldUseInnerURL(url) ? extractInnerURL(url) : url; |
| |
| // FIXME: Check whether innerURL is valid. |
| |
| // For edge case URLs that were probably misparsed, make sure that the origin is unique. |
| // FIXME: Do we really need to do this? This looks to be a hack around a |
| // security bug in CFNetwork that might have been fixed. |
| if (schemeRequiresAuthority(innerURL) && innerURL.host().isEmpty()) |
| return true; |
| |
| // SchemeRegistry needs a lower case protocol because it uses HashMaps |
| // that assume the scheme has already been canonicalized. |
| String protocol = innerURL.protocol().lower(); |
| |
| if (SchemeRegistry::shouldTreatURLSchemeAsNoAccess(protocol)) |
| return true; |
| |
| // This is the common case. |
| return false; |
| } |
| |
| SecurityOrigin::SecurityOrigin(const KURL& url) |
| : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) |
| , m_host(url.host().isNull() ? "" : url.host().lower()) |
| , m_port(url.port()) |
| , m_isUnique(false) |
| , m_universalAccess(false) |
| , m_domainWasSetInDOM(false) |
| , m_blockThirdPartyStorage(false) |
| , m_enforceFilePathSeparation(false) |
| , m_needsDatabaseIdentifierQuirkForFiles(false) |
| { |
| // document.domain starts as m_host, but can be set by the DOM. |
| m_domain = m_host; |
| |
| if (isDefaultPortForProtocol(m_port, m_protocol)) |
| m_port = InvalidPort; |
| |
| // By default, only local SecurityOrigins can load local resources. |
| m_canLoadLocalResources = isLocal(); |
| |
| if (m_canLoadLocalResources) |
| m_filePath = url.path(); // In case enforceFilePathSeparation() is called. |
| } |
| |
| SecurityOrigin::SecurityOrigin() |
| : m_protocol("") |
| , m_host("") |
| , m_domain("") |
| , m_port(InvalidPort) |
| , m_isUnique(true) |
| , m_universalAccess(false) |
| , m_domainWasSetInDOM(false) |
| , m_canLoadLocalResources(false) |
| , m_blockThirdPartyStorage(false) |
| , m_enforceFilePathSeparation(false) |
| , m_needsDatabaseIdentifierQuirkForFiles(false) |
| { |
| } |
| |
| SecurityOrigin::SecurityOrigin(const SecurityOrigin* other) |
| : m_protocol(other->m_protocol.isolatedCopy()) |
| , m_host(other->m_host.isolatedCopy()) |
| , m_encodedHost(other->m_encodedHost.isolatedCopy()) |
| , m_domain(other->m_domain.isolatedCopy()) |
| , m_filePath(other->m_filePath.isolatedCopy()) |
| , m_port(other->m_port) |
| , m_isUnique(other->m_isUnique) |
| , m_universalAccess(other->m_universalAccess) |
| , m_domainWasSetInDOM(other->m_domainWasSetInDOM) |
| , m_canLoadLocalResources(other->m_canLoadLocalResources) |
| , m_blockThirdPartyStorage(other->m_blockThirdPartyStorage) |
| , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation) |
| , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles) |
| { |
| } |
| |
| PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url) |
| { |
| RefPtr<SecurityOrigin> cachedOrigin = getCachedOrigin(url); |
| if (cachedOrigin.get()) |
| return cachedOrigin; |
| |
| if (shouldTreatAsUniqueOrigin(url)) { |
| RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); |
| |
| if (url.protocolIs("file")) { |
| // Unfortunately, we can't represent all unique origins exactly |
| // the same way because we need to produce a quirky database |
| // identifier for file URLs due to persistent storage in some |
| // embedders of WebKit. |
| origin->m_needsDatabaseIdentifierQuirkForFiles = true; |
| } |
| |
| return origin.release(); |
| } |
| |
| if (shouldUseInnerURL(url)) |
| return adoptRef(new SecurityOrigin(extractInnerURL(url))); |
| |
| return adoptRef(new SecurityOrigin(url)); |
| } |
| |
| PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique() |
| { |
| RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin()); |
| ASSERT(origin->isUnique()); |
| return origin.release(); |
| } |
| |
| PassRefPtr<SecurityOrigin> SecurityOrigin::isolatedCopy() |
| { |
| return adoptRef(new SecurityOrigin(this)); |
| } |
| |
| void SecurityOrigin::setDomainFromDOM(const String& newDomain) |
| { |
| m_domainWasSetInDOM = true; |
| m_domain = newDomain.lower(); |
| } |
| |
| bool SecurityOrigin::isSecure(const KURL& url) |
| { |
| // Invalid URLs are secure, as are URLs which have a secure protocol. |
| if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol())) |
| return true; |
| |
| // URLs that wrap inner URLs are secure if those inner URLs are secure. |
| if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol())) |
| return true; |
| |
| return false; |
| } |
| |
| bool SecurityOrigin::canAccess(const SecurityOrigin* other) const |
| { |
| if (m_universalAccess) |
| return true; |
| |
| if (this == other) |
| return true; |
| |
| if (isUnique() || other->isUnique()) |
| return false; |
| |
| // Here are two cases where we should permit access: |
| // |
| // 1) Neither document has set document.domain. In this case, we insist |
| // that the scheme, host, and port of the URLs match. |
| // |
| // 2) Both documents have set document.domain. In this case, we insist |
| // that the documents have set document.domain to the same value and |
| // that the scheme of the URLs match. |
| // |
| // This matches the behavior of Firefox 2 and Internet Explorer 6. |
| // |
| // Internet Explorer 7 and Opera 9 are more strict in that they require |
| // the port numbers to match when both pages have document.domain set. |
| // |
| // FIXME: Evaluate whether we can tighten this policy to require matched |
| // port numbers. |
| // |
| // Opera 9 allows access when only one page has set document.domain, but |
| // this is a security vulnerability. |
| |
| bool canAccess = false; |
| if (m_protocol == other->m_protocol) { |
| if (!m_domainWasSetInDOM && !other->m_domainWasSetInDOM) { |
| if (m_host == other->m_host && m_port == other->m_port) |
| canAccess = true; |
| } else if (m_domainWasSetInDOM && other->m_domainWasSetInDOM) { |
| if (m_domain == other->m_domain) |
| canAccess = true; |
| } |
| } |
| |
| if (canAccess && isLocal()) |
| canAccess = passesFileCheck(other); |
| |
| return canAccess; |
| } |
| |
| bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const |
| { |
| ASSERT(isLocal() && other->isLocal()); |
| |
| if (!m_enforceFilePathSeparation && !other->m_enforceFilePathSeparation) |
| return true; |
| |
| return (m_filePath == other->m_filePath); |
| } |
| |
| bool SecurityOrigin::canRequest(const KURL& url) const |
| { |
| if (m_universalAccess) |
| return true; |
| |
| if (getCachedOrigin(url) == this) |
| return true; |
| |
| if (isUnique()) |
| return false; |
| |
| RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url); |
| |
| if (targetOrigin->isUnique()) |
| return false; |
| |
| // We call isSameSchemeHostPort here instead of canAccess because we want |
| // to ignore document.domain effects. |
| if (isSameSchemeHostPort(targetOrigin.get())) |
| return true; |
| |
| if (SecurityPolicy::isAccessWhiteListed(this, targetOrigin.get())) |
| return true; |
| |
| return false; |
| } |
| |
| bool SecurityOrigin::taintsCanvas(const KURL& url) const |
| { |
| if (canRequest(url)) |
| return false; |
| |
| // This function exists because we treat data URLs as having a unique origin, |
| // contrary to the current (9/19/2009) draft of the HTML5 specification. |
| // We still want to let folks paint data URLs onto untainted canvases, so |
| // we special case data URLs below. If we change to match HTML5 w.r.t. |
| // data URL security, then we can remove this function in favor of |
| // !canRequest. |
| if (url.protocolIsData()) |
| return false; |
| |
| return true; |
| } |
| |
| bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const |
| { |
| if (this == dragInitiator) |
| return true; |
| |
| return canAccess(dragInitiator); |
| } |
| |
| // This is a hack to allow keep navigation to http/https feeds working. To remove this |
| // we need to introduce new API akin to registerURLSchemeAsLocal, that registers a |
| // protocols navigation policy. |
| // feed(|s|search): is considered a 'nesting' scheme by embedders that support it, so it can be |
| // local or remote depending on what is nested. Currently we just check if we are nesting |
| // http or https, otherwise we ignore the nesting for the purpose of a security check. We need |
| // a facility for registering nesting schemes, and some generalized logic for them. |
| // This function should be removed as an outcome of https://bugs.webkit.org/show_bug.cgi?id=69196 |
| static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url) |
| { |
| const String& urlString = url.string(); |
| if (!urlString.startsWith("feed", false)) |
| return false; |
| |
| return urlString.startsWith("feed://", false) |
| || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false) |
| || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false) |
| || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false); |
| } |
| |
| bool SecurityOrigin::canDisplay(const KURL& url) const |
| { |
| if (m_universalAccess) |
| return true; |
| |
| String protocol = url.protocol().lower(); |
| |
| if (isFeedWithNestedProtocolInHTTPFamily(url)) |
| return true; |
| |
| if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol)) |
| return canRequest(url); |
| |
| if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol)) |
| return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListed(this, url); |
| |
| if (SecurityPolicy::restrictAccessToLocal() && SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) |
| return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteListed(this, url); |
| |
| return true; |
| } |
| |
| bool SecurityOrigin::canAccessLocalStorage(const SecurityOrigin* topOrigin) const |
| { |
| if (isUnique()) |
| return false; |
| |
| if (m_blockThirdPartyStorage && topOrigin->isThirdParty(this)) |
| return false; |
| |
| return true; |
| } |
| |
| SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const |
| { |
| if (m_universalAccess) |
| return AlwaysAllow; |
| if (isUnique()) |
| return AlwaysDeny; |
| return Ask; |
| } |
| |
| bool SecurityOrigin::isThirdParty(const SecurityOrigin* child) const |
| { |
| if (child->m_universalAccess) |
| return false; |
| |
| if (this == child) |
| return false; |
| |
| if (isUnique() || child->isUnique()) |
| return true; |
| |
| return !isSameSchemeHostPort(child); |
| } |
| |
| void SecurityOrigin::grantLoadLocalResources() |
| { |
| // Granting privileges to some, but not all, documents in a SecurityOrigin |
| // is a security hazard because the documents without the privilege can |
| // obtain the privilege by injecting script into the documents that have |
| // been granted the privilege. |
| // |
| // To be backwards compatible with older versions of WebKit, we also use |
| // this function to grant the ability to load local resources to documents |
| // loaded with SubstituteData. |
| ASSERT(isUnique() || SecurityPolicy::allowSubstituteDataAccessToLocal()); |
| m_canLoadLocalResources = true; |
| } |
| |
| void SecurityOrigin::grantUniversalAccess() |
| { |
| m_universalAccess = true; |
| } |
| |
| void SecurityOrigin::enforceFilePathSeparation() |
| { |
| ASSERT(isLocal()); |
| m_enforceFilePathSeparation = true; |
| } |
| |
| bool SecurityOrigin::isLocal() const |
| { |
| return SchemeRegistry::shouldTreatURLSchemeAsLocal(m_protocol); |
| } |
| |
| String SecurityOrigin::toString() const |
| { |
| if (isUnique()) |
| return "null"; |
| if (m_protocol == "file" && m_enforceFilePathSeparation) |
| return "null"; |
| return toRawString(); |
| } |
| |
| String SecurityOrigin::toRawString() const |
| { |
| if (m_protocol == "file") |
| return "file://"; |
| |
| StringBuilder result; |
| result.reserveCapacity(m_protocol.length() + m_host.length() + 10); |
| result.append(m_protocol); |
| result.append("://"); |
| result.append(m_host); |
| |
| if (m_port) { |
| result.append(":"); |
| result.append(String::number(m_port)); |
| } |
| |
| return result.toString(); |
| } |
| |
| PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString) |
| { |
| return SecurityOrigin::create(KURL(KURL(), originString)); |
| } |
| |
| static const char SeparatorCharacter = '_'; |
| |
| PassRefPtr<SecurityOrigin> SecurityOrigin::createFromDatabaseIdentifier(const String& databaseIdentifier) |
| { |
| // Make sure there's a first separator |
| size_t separator1 = databaseIdentifier.find(SeparatorCharacter); |
| if (separator1 == notFound) |
| return create(KURL()); |
| |
| // Make sure there's a second separator |
| size_t separator2 = databaseIdentifier.reverseFind(SeparatorCharacter); |
| if (separator2 == notFound) |
| return create(KURL()); |
| |
| // Ensure there were at least 2 separator characters. Some hostnames on intranets have |
| // underscores in them, so we'll assume that any additional underscores are part of the host. |
| if (separator1 == separator2) |
| return create(KURL()); |
| |
| // Make sure the port section is a valid port number or doesn't exist |
| bool portOkay; |
| int port = databaseIdentifier.right(databaseIdentifier.length() - separator2 - 1).toInt(&portOkay); |
| bool portAbsent = (separator2 == databaseIdentifier.length() - 1); |
| if (!(portOkay || portAbsent)) |
| return create(KURL()); |
| |
| if (port < 0 || port > MaxAllowedPort) |
| return create(KURL()); |
| |
| // Split out the 3 sections of data |
| String protocol = databaseIdentifier.substring(0, separator1); |
| String host = databaseIdentifier.substring(separator1 + 1, separator2 - separator1 - 1); |
| |
| host = decodeURLEscapeSequences(host); |
| return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port))); |
| } |
| |
| PassRefPtr<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, int port) |
| { |
| if (port < 0 || port > MaxAllowedPort) |
| createUnique(); |
| String decodedHost = decodeURLEscapeSequences(host); |
| return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port))); |
| } |
| |
| String SecurityOrigin::databaseIdentifier() const |
| { |
| // Historically, we've used the following (somewhat non-sensical) string |
| // for the databaseIdentifier of local files. We used to compute this |
| // string because of a bug in how we handled the scheme for file URLs. |
| // Now that we've fixed that bug, we still need to produce this string |
| // to avoid breaking existing persistent state. |
| if (m_needsDatabaseIdentifierQuirkForFiles) |
| return "file__0"; |
| |
| String separatorString(&SeparatorCharacter, 1); |
| |
| if (m_encodedHost.isEmpty()) |
| m_encodedHost = encodeForFileName(m_host); |
| |
| return m_protocol + separatorString + m_encodedHost + separatorString + String::number(m_port); |
| } |
| |
| bool SecurityOrigin::equal(const SecurityOrigin* other) const |
| { |
| if (other == this) |
| return true; |
| |
| if (!isSameSchemeHostPort(other)) |
| return false; |
| |
| if (m_domainWasSetInDOM != other->m_domainWasSetInDOM) |
| return false; |
| |
| if (m_domainWasSetInDOM && m_domain != other->m_domain) |
| return false; |
| |
| return true; |
| } |
| |
| bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const |
| { |
| if (m_host != other->m_host) |
| return false; |
| |
| if (m_protocol != other->m_protocol) |
| return false; |
| |
| if (m_port != other->m_port) |
| return false; |
| |
| if (isLocal() && !passesFileCheck(other)) |
| return false; |
| |
| return true; |
| } |
| |
| } // namespace WebCore |
