2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 #ifndef SecurityOrigin_h
30 #define SecurityOrigin_h
32 #include "platform/PlatformExport.h"
33 #include "wtf/ThreadSafeRefCounted.h"
34 #include "wtf/text/WTFString.h"
39 class SecurityOriginCache;
41 class PLATFORM_EXPORT SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> {
49 static PassRefPtr<SecurityOrigin> create(const KURL&);
50 static PassRefPtr<SecurityOrigin> createUnique();
52 static PassRefPtr<SecurityOrigin> createFromString(const String&);
53 static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port);
55 static void setCache(SecurityOriginCache*);
57 // Some URL schemes use nested URLs for their security context. For example,
58 // filesystem URLs look like the following:
60 // filesystem:http://example.com/temporary/path/to/file.png
62 // We're supposed to use "http://example.com" as the origin.
64 // Generally, we add URL schemes to this list when WebKit support them. For
65 // example, we don't include the "jar" scheme, even though Firefox
66 // understands that "jar" uses an inner URL for it's security origin.
67 static bool shouldUseInnerURL(const KURL&);
68 static KURL extractInnerURL(const KURL&);
70 // Create a deep copy of this SecurityOrigin. This method is useful
71 // when marshalling a SecurityOrigin to another thread.
72 PassRefPtr<SecurityOrigin> isolatedCopy() const;
74 // Set the domain property of this security origin to newDomain. This
75 // function does not check whether newDomain is a suffix of the current
76 // domain. The caller is responsible for validating newDomain.
77 void setDomainFromDOM(const String& newDomain);
78 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
80 String protocol() const { return m_protocol; }
81 String host() const { return m_host; }
82 String domain() const { return m_domain; }
83 unsigned short port() const { return m_port; }
85 // Returns true if a given URL is secure, based either directly on its
86 // own protocol, or, when relevant, on the protocol of its "inner URL"
87 // Protocols like blob: and filesystem: fall into this latter category.
88 static bool isSecure(const KURL&);
90 // Returns true if this SecurityOrigin can script objects in the given
91 // SecurityOrigin. For example, call this function before allowing
92 // script from one security origin to read or write objects from
93 // another SecurityOrigin.
94 bool canAccess(const SecurityOrigin*) const;
96 // Returns true if this SecurityOrigin can read content retrieved from
97 // the given URL. For example, call this function before issuing
99 bool canRequest(const KURL&) const;
101 // Returns true if drawing an image from this URL taints a canvas from
102 // this security origin. For example, call this function before
103 // drawing an image onto an HTML canvas element with the drawImage API.
104 bool taintsCanvas(const KURL&) const;
106 // Returns true if this SecurityOrigin can receive drag content from the
107 // initiator. For example, call this function before allowing content to be
108 // dropped onto a target.
109 bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;
111 // Returns true if |document| can display content from the given URL (e.g.,
112 // in an iframe or as an image). For example, web sites generally cannot
113 // display content from the user's files system.
114 bool canDisplay(const KURL&) const;
116 // A "secure origin" as defined by [1] are those that load resources either
117 // from the local machine (necessarily trusted) or over the network from a
118 // cryptographically-authenticated server.
120 // [1] http://www.chromium.org/Home/chromium-security/security-faq#TOC-Which-origins-are-secure-
121 bool canAccessFeatureRequiringSecureOrigin(String& errorMessage) const;
123 // Returns true if this SecurityOrigin can load local resources, such
124 // as images, iframes, and style sheets, and can link to local URLs.
125 // For example, call this function before creating an iframe to a
128 // Note: A SecurityOrigin might be allowed to load local resources
129 // without being able to issue an XMLHttpRequest for a local URL.
130 // To determine whether the SecurityOrigin can issue an
131 // XMLHttpRequest for a URL, call canRequest(url).
132 bool canLoadLocalResources() const { return m_canLoadLocalResources; }
134 // Explicitly grant the ability to load local resources to this
137 // Note: This method exists only to support backwards compatibility
138 // with older versions of WebKit.
139 void grantLoadLocalResources();
141 // Explicitly grant the ability to access every other SecurityOrigin.
143 // WARNING: This is an extremely powerful ability. Use with caution!
144 void grantUniversalAccess();
146 bool canAccessDatabase() const { return !isUnique(); };
147 bool canAccessLocalStorage() const { return !isUnique(); };
148 bool canAccessSharedWorkers() const { return !isUnique(); }
149 bool canAccessCookies() const { return !isUnique(); }
150 bool canAccessPasswordManager() const { return !isUnique(); }
151 bool canAccessFileSystem() const { return !isUnique(); }
152 Policy canShowNotifications() const;
154 // Technically, we should always allow access to sessionStorage, but we
155 // currently don't handle creating a sessionStorage area for unique
157 bool canAccessSessionStorage() const { return !isUnique(); }
159 // The local SecurityOrigin is the most privileged SecurityOrigin.
160 // The local SecurityOrigin can script any document, navigate to local
161 // resources, and can set arbitrary headers on XMLHttpRequests.
162 bool isLocal() const;
164 // Returns true if the host is one of 127.0.0.1/8, ::1/128, or "localhost".
165 bool isLocalhost() const;
167 // The origin is a globally unique identifier assigned when the Document is
168 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
170 // There's a subtle difference between a unique origin and an origin that
171 // has the SandboxOrigin flag set. The latter implies the former, and, in
172 // addition, the SandboxOrigin flag is inherited by iframes.
173 bool isUnique() const { return m_isUnique; }
175 // Marks a file:// origin as being in a domain defined by its path.
176 // FIXME 81578: The naming of this is confusing. Files with restricted access to other local files
177 // still can have other privileges that can be remembered, thereby not making them unique.
178 void enforceFilePathSeparation();
180 // Convert this SecurityOrigin into a string. The string
181 // representation of a SecurityOrigin is similar to a URL, except it
182 // lacks a path component. The string representation does not encode
183 // the value of the SecurityOrigin's domain property.
185 // When using the string value, it's important to remember that it might be
186 // "null". This happens when this SecurityOrigin is unique. For example,
187 // this SecurityOrigin might have come from a sandboxed iframe, the
188 // SecurityOrigin might be empty, or we might have explicitly decided that
189 // we shouldTreatURLSchemeAsNoAccess.
190 String toString() const;
191 AtomicString toAtomicString() const;
193 // Similar to toString(), but does not take into account any factors that
194 // could make the string return "null".
195 String toRawString() const;
196 AtomicString toRawAtomicString() const;
198 // This method checks for equality, ignoring the value of document.domain
199 // (and whether it was set) but considering the host. It is used for postMessage.
200 bool isSameSchemeHostPort(const SecurityOrigin*) const;
202 bool needsDatabaseIdentifierQuirkForFiles() const { return m_needsDatabaseIdentifierQuirkForFiles; }
204 static const String& urlWithUniqueSecurityOrigin();
206 // Transfer origin privileges from another security origin.
207 // The following privileges are currently copied over:
209 // - Grant universal access.
210 // - Grant loading of local resources.
211 // - Use path-based file:// origins.
213 // Note: It is dangerous to change the privileges of an origin
214 // at any other time than during initialization.
215 void transferPrivilegesFrom(const SecurityOrigin&);
219 explicit SecurityOrigin(const KURL&);
220 explicit SecurityOrigin(const SecurityOrigin*);
222 // FIXME: Rename this function to something more semantic.
223 bool passesFileCheck(const SecurityOrigin*) const;
224 void buildRawString(StringBuilder&) const;
230 unsigned short m_port;
232 bool m_universalAccess;
233 bool m_domainWasSetInDOM;
234 bool m_canLoadLocalResources;
235 bool m_enforceFilePathSeparation;
236 bool m_needsDatabaseIdentifierQuirkForFiles;
241 #endif // SecurityOrigin_h