SecurityOrigin.h 10.7 KB
Newer Older
weinig's avatar
weinig committed
1
/*
darin@apple.com's avatar
darin@apple.com committed
2
 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
weinig's avatar
weinig committed
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef SecurityOrigin_h
#define SecurityOrigin_h

32
#include <wtf/ThreadSafeRefCounted.h>
33
#include <wtf/text/WTFString.h>
weinig's avatar
weinig committed
34 35 36

namespace WebCore {

darin@apple.com's avatar
darin@apple.com committed
37
class URL;
38

39
class SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> {
40
public:
41 42 43 44 45 46
    enum Policy {
        AlwaysDeny = 0,
        AlwaysAllow,
        Ask
    };

47 48 49 50 51 52
    enum StorageBlockingPolicy {
        AllowAllStorage = 0,
        BlockThirdPartyStorage,
        BlockAllStorage
    };

darin@apple.com's avatar
darin@apple.com committed
53
    static PassRefPtr<SecurityOrigin> create(const URL&);
54 55
    static PassRefPtr<SecurityOrigin> createUnique();

56 57
    static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&);
    static PassRefPtr<SecurityOrigin> createFromString(const String&);
58
    static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port);
59

60 61 62 63 64 65 66 67 68 69
    // Some URL schemes use nested URLs for their security context. For example,
    // filesystem URLs look like the following:
    //
    //   filesystem:http://example.com/temporary/path/to/file.png
    //
    // We're supposed to use "http://example.com" as the origin.
    //
    // Generally, we add URL schemes to this list when WebKit support them. For
    // example, we don't include the "jar" scheme, even though Firefox
    // understands that "jar" uses an inner URL for it's security origin.
darin@apple.com's avatar
darin@apple.com committed
70 71
    static bool shouldUseInnerURL(const URL&);
    static URL extractInnerURL(const URL&);
72

73
    // Create a deep copy of this SecurityOrigin. This method is useful
74
    // when marshalling a SecurityOrigin to another thread.
75
    PassRefPtr<SecurityOrigin> isolatedCopy() const;
76

77
    // Set the domain property of this security origin to newDomain. This
78
    // function does not check whether newDomain is a suffix of the current
79
    // domain. The caller is responsible for validating newDomain.
80
    void setDomainFromDOM(const String& newDomain);
81 82 83 84 85 86 87
    bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }

    String protocol() const { return m_protocol; }
    String host() const { return m_host; }
    String domain() const { return m_domain; }
    unsigned short port() const { return m_port; }

88 89 90
    // Returns true if a given URL is secure, based either directly on its
    // own protocol, or, when relevant, on the protocol of its "inner URL"
    // Protocols like blob: and filesystem: fall into this latter category.
darin@apple.com's avatar
darin@apple.com committed
91
    static bool isSecure(const URL&);
92

93
    // Returns true if this SecurityOrigin can script objects in the given
94
    // SecurityOrigin. For example, call this function before allowing
95 96 97 98 99
    // script from one security origin to read or write objects from
    // another SecurityOrigin.
    bool canAccess(const SecurityOrigin*) const;

    // Returns true if this SecurityOrigin can read content retrieved from
100
    // the given URL. For example, call this function before issuing
101
    // XMLHttpRequests.
darin@apple.com's avatar
darin@apple.com committed
102
    bool canRequest(const URL&) const;
103 104

    // Returns true if drawing an image from this URL taints a canvas from
105
    // this security origin. For example, call this function before
106
    // drawing an image onto an HTML canvas element with the drawImage API.
darin@apple.com's avatar
darin@apple.com committed
107
    bool taintsCanvas(const URL&) const;
108

109 110 111 112 113
    // Returns true if this SecurityOrigin can receive drag content from the
    // initiator. For example, call this function before allowing content to be
    // dropped onto a target.
    bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;    

114 115
    // Returns true if |document| can display content from the given URL (e.g.,
    // in an iframe or as an image). For example, web sites generally cannot
116
    // display content from the user's files system.
darin@apple.com's avatar
darin@apple.com committed
117
    bool canDisplay(const URL&) const;
118

119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138
    // Returns true if this SecurityOrigin can load local resources, such
    // as images, iframes, and style sheets, and can link to local URLs.
    // For example, call this function before creating an iframe to a
    // file:// URL.
    //
    // Note: A SecurityOrigin might be allowed to load local resources
    //       without being able to issue an XMLHttpRequest for a local URL.
    //       To determine whether the SecurityOrigin can issue an
    //       XMLHttpRequest for a URL, call canRequest(url).
    bool canLoadLocalResources() const { return m_canLoadLocalResources; }

    // Explicitly grant the ability to load local resources to this
    // SecurityOrigin.
    //
    // Note: This method exists only to support backwards compatibility
    //       with older versions of WebKit.
    void grantLoadLocalResources();

    // Explicitly grant the ability to access very other SecurityOrigin.
    //
139
    // WARNING: This is an extremely powerful ability. Use with caution!
140
    void grantUniversalAccess();
141

142
    void setStorageBlockingPolicy(StorageBlockingPolicy policy) { m_storageBlockingPolicy = policy; }
143

144 145 146 147
#if ENABLE(CACHE_PARTITIONING)
    String cachePartition() const;
#endif

148
    bool canAccessDatabase(const SecurityOrigin* topOrigin = 0) const { return canAccessStorage(topOrigin); };
149
    bool canAccessSessionStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin, AlwaysAllowFromThirdParty); }
150
    bool canAccessLocalStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); };
151
    bool canAccessSharedWorkers(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
152
    bool canAccessPluginStorage(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
153
    bool canAccessApplicationCache(const SecurityOrigin* topOrigin) const { return canAccessStorage(topOrigin); }
154
    bool canAccessCookies() const { return !isUnique(); }
155
    bool canAccessPasswordManager() const { return !isUnique(); }
156
    bool canAccessFileSystem() const { return !isUnique(); }
157
    Policy canShowNotifications() const;
158 159 160 161 162 163

    // The local SecurityOrigin is the most privileged SecurityOrigin.
    // The local SecurityOrigin can script any document, navigate to local
    // resources, and can set arbitrary headers on XMLHttpRequests.
    bool isLocal() const;

164 165 166 167 168 169 170 171
    // The origin is a globally unique identifier assigned when the Document is
    // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
    //
    // There's a subtle difference between a unique origin and an origin that
    // has the SandboxOrigin flag set. The latter implies the former, and, in
    // addition, the SandboxOrigin flag is inherited by iframes.
    bool isUnique() const { return m_isUnique; }

172
    // Marks a file:// origin as being in a domain defined by its path.
173 174
    // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
    // still can have other privileges that can be remembered, thereby not making them unique.
175
    void enforceFilePathSeparation();
176

177
    // Convert this SecurityOrigin into a string. The string
178
    // representation of a SecurityOrigin is similar to a URL, except it
179
    // lacks a path component. The string representation does not encode
180 181
    // the value of the SecurityOrigin's domain property.
    //
182 183 184 185 186
    // When using the string value, it's important to remember that it might be
    // "null". This happens when this SecurityOrigin is unique. For example,
    // this SecurityOrigin might have come from a sandboxed iframe, the
    // SecurityOrigin might be empty, or we might have explicitly decided that
    // we shouldTreatURLSchemeAsNoAccess.
187 188
    String toString() const;

189 190 191 192
    // Similar to toString(), but does not take into account any factors that
    // could make the string return "null".
    String toRawString() const;

193 194 195 196 197
    // Serialize the security origin to a string that could be used as part of
    // file names. This format should be used in storage APIs only.
    String databaseIdentifier() const;

    // This method checks for equality between SecurityOrigins, not whether
198
    // one origin can access another. It is used for hash table keys.
199 200 201 202 203 204 205 206 207
    // For access checks, use canAccess().
    // FIXME: If this method is really only useful for hash table keys, it
    // should be refactored into SecurityOriginHash.
    bool equal(const SecurityOrigin*) const;

    // This method checks for equality, ignoring the value of document.domain
    // (and whether it was set) but considering the host. It is used for postMessage.
    bool isSameSchemeHostPort(const SecurityOrigin*) const;

208 209
    static String urlWithUniqueSecurityOrigin();

210
private:
211
    SecurityOrigin();
darin@apple.com's avatar
darin@apple.com committed
212
    explicit SecurityOrigin(const URL&);
213 214
    explicit SecurityOrigin(const SecurityOrigin*);

215 216
    // FIXME: Rename this function to something more semantic.
    bool passesFileCheck(const SecurityOrigin*) const;
217
    bool isThirdParty(const SecurityOrigin*) const;
218 219 220
    
    enum ShouldAllowFromThirdParty { AlwaysAllowFromThirdParty, MaybeAllowFromThirdParty };
    bool canAccessStorage(const SecurityOrigin*, ShouldAllowFromThirdParty = MaybeAllowFromThirdParty) const;
221

222 223 224
    String m_protocol;
    String m_host;
    String m_domain;
225
    String m_filePath;
226
    unsigned short m_port;
227
    bool m_isUnique;
228 229 230
    bool m_universalAccess;
    bool m_domainWasSetInDOM;
    bool m_canLoadLocalResources;
231
    StorageBlockingPolicy m_storageBlockingPolicy;
232
    bool m_enforceFilePathSeparation;
233
    bool m_needsDatabaseIdentifierQuirkForFiles;
234
};
weinig's avatar
weinig committed
235 236 237 238

} // namespace WebCore

#endif // SecurityOrigin_h