1 /*
2 * Copyright (C) 2007 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include "config.h"
30 #include "SecurityOrigin.h"
31
32 #include "CString.h"
33 #include "FrameLoader.h"
34 #include "KURL.h"
35 #include "PlatformString.h"
36 #include "StringHash.h"
37 #include <wtf/HashSet.h>
38 #include <wtf/StdLibExtras.h>
39
40 namespace WebCore {
41
42 typedef HashSet<String, CaseFoldingHash> URLSchemesMap;
43
localSchemes()44 static URLSchemesMap& localSchemes()
45 {
46 DEFINE_STATIC_LOCAL(URLSchemesMap, localSchemes, ());
47
48 if (localSchemes.isEmpty()) {
49 localSchemes.add("file");
50 #if PLATFORM(MAC)
51 localSchemes.add("applewebdata");
52 #endif
53 #if PLATFORM(QT)
54 localSchemes.add("qrc");
55 #endif
56 }
57
58 return localSchemes;
59 }
60
noAccessSchemes()61 static URLSchemesMap& noAccessSchemes()
62 {
63 DEFINE_STATIC_LOCAL(URLSchemesMap, noAccessSchemes, ());
64
65 if (noAccessSchemes.isEmpty())
66 noAccessSchemes.add("data");
67
68 return noAccessSchemes;
69 }
70
isDefaultPortForProtocol(unsigned short port,const String & protocol)71 static bool isDefaultPortForProtocol(unsigned short port, const String& protocol)
72 {
73 if (protocol.isEmpty())
74 return false;
75
76 typedef HashMap<String, unsigned> DefaultPortsMap;
77 DEFINE_STATIC_LOCAL(DefaultPortsMap, defaultPorts, ());
78 if (defaultPorts.isEmpty()) {
79 defaultPorts.set("http", 80);
80 defaultPorts.set("https", 443);
81 defaultPorts.set("ftp", 21);
82 defaultPorts.set("ftps", 990);
83 }
84 return defaultPorts.get(protocol) == port;
85 }
86
SecurityOrigin(const KURL & url)87 SecurityOrigin::SecurityOrigin(const KURL& url)
88 : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
89 , m_host(url.host().isNull() ? "" : url.host().lower())
90 , m_port(url.port())
91 , m_noAccess(false)
92 , m_universalAccess(false)
93 , m_domainWasSetInDOM(false)
94 {
95 // These protocols do not create security origins; the owner frame provides the origin
96 if (m_protocol == "about" || m_protocol == "javascript")
97 m_protocol = "";
98
99 // Some URLs are not allowed access to anything other than themselves.
100 if (shouldTreatURLSchemeAsNoAccess(m_protocol))
101 m_noAccess = true;
102
103 // document.domain starts as m_host, but can be set by the DOM.
104 m_domain = m_host;
105
106 // By default, only local SecurityOrigins can load local resources.
107 m_canLoadLocalResources = isLocal();
108
109 if (isDefaultPortForProtocol(m_port, m_protocol))
110 m_port = 0;
111 }
112
SecurityOrigin(const SecurityOrigin * other)113 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
114 : m_protocol(other->m_protocol.copy())
115 , m_host(other->m_host.copy())
116 , m_domain(other->m_domain.copy())
117 , m_port(other->m_port)
118 , m_noAccess(other->m_noAccess)
119 , m_universalAccess(other->m_universalAccess)
120 , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
121 , m_canLoadLocalResources(other->m_canLoadLocalResources)
122 {
123 }
124
isEmpty() const125 bool SecurityOrigin::isEmpty() const
126 {
127 return m_protocol.isEmpty();
128 }
129
create(const KURL & url)130 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url)
131 {
132 if (!url.isValid())
133 return adoptRef(new SecurityOrigin(KURL()));
134 return adoptRef(new SecurityOrigin(url));
135 }
136
createEmpty()137 PassRefPtr<SecurityOrigin> SecurityOrigin::createEmpty()
138 {
139 return create(KURL());
140 }
141
copy()142 PassRefPtr<SecurityOrigin> SecurityOrigin::copy()
143 {
144 return adoptRef(new SecurityOrigin(this));
145 }
146
setDomainFromDOM(const String & newDomain)147 void SecurityOrigin::setDomainFromDOM(const String& newDomain)
148 {
149 m_domainWasSetInDOM = true;
150 m_domain = newDomain.lower();
151 }
152
canAccess(const SecurityOrigin * other) const153 bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
154 {
155 if (m_universalAccess)
156 return true;
157
158 if (m_noAccess || other->m_noAccess)
159 return false;
160
161 // Here are two cases where we should permit access:
162 //
163 // 1) Neither document has set document.domain. In this case, we insist
164 // that the scheme, host, and port of the URLs match.
165 //
166 // 2) Both documents have set document.domain. In this case, we insist
167 // that the documents have set document.domain to the same value and
168 // that the scheme of the URLs match.
169 //
170 // This matches the behavior of Firefox 2 and Internet Explorer 6.
171 //
172 // Internet Explorer 7 and Opera 9 are more strict in that they require
173 // the port numbers to match when both pages have document.domain set.
174 //
175 // FIXME: Evaluate whether we can tighten this policy to require matched
176 // port numbers.
177 //
178 // Opera 9 allows access when only one page has set document.domain, but
179 // this is a security vulnerability.
180
181 if (m_protocol == other->m_protocol) {
182 if (!m_domainWasSetInDOM && !other->m_domainWasSetInDOM) {
183 if (m_host == other->m_host && m_port == other->m_port)
184 return true;
185 } else if (m_domainWasSetInDOM && other->m_domainWasSetInDOM) {
186 if (m_domain == other->m_domain)
187 return true;
188 }
189 }
190
191 return false;
192 }
193
canRequest(const KURL & url) const194 bool SecurityOrigin::canRequest(const KURL& url) const
195 {
196 if (m_universalAccess)
197 return true;
198
199 if (m_noAccess)
200 return false;
201
202 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
203
204 // We call isSameSchemeHostPort here instead of canAccess because we want
205 // to ignore document.domain effects.
206 return isSameSchemeHostPort(targetOrigin.get());
207 }
208
grantLoadLocalResources()209 void SecurityOrigin::grantLoadLocalResources()
210 {
211 // This method exists only to support backwards compatibility with older
212 // versions of WebKit. Granting privileges to some, but not all, documents
213 // in a SecurityOrigin is a security hazard because the documents without
214 // the privilege can obtain the privilege by injecting script into the
215 // documents that have been granted the privilege.
216 ASSERT(FrameLoader::allowSubstituteDataAccessToLocal());
217 m_canLoadLocalResources = true;
218 }
219
grantUniversalAccess()220 void SecurityOrigin::grantUniversalAccess()
221 {
222 m_universalAccess = true;
223 }
224
isLocal() const225 bool SecurityOrigin::isLocal() const
226 {
227 return shouldTreatURLSchemeAsLocal(m_protocol);
228 }
229
isSecureTransitionTo(const KURL & url) const230 bool SecurityOrigin::isSecureTransitionTo(const KURL& url) const
231 {
232 // New window created by the application
233 if (isEmpty())
234 return true;
235
236 RefPtr<SecurityOrigin> other = SecurityOrigin::create(url);
237 return canAccess(other.get());
238 }
239
toString() const240 String SecurityOrigin::toString() const
241 {
242 if (isEmpty())
243 return "null";
244
245 if (m_noAccess)
246 return "null";
247
248 if (m_protocol == "file")
249 return String("file://");
250
251 Vector<UChar> result;
252 result.reserveInitialCapacity(m_protocol.length() + m_host.length() + 10);
253 append(result, m_protocol);
254 append(result, "://");
255 append(result, m_host);
256
257 if (m_port) {
258 append(result, ":");
259 append(result, String::number(m_port));
260 }
261
262 return String::adopt(result);
263 }
264
createFromString(const String & originString)265 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
266 {
267 return SecurityOrigin::create(KURL(KURL(), originString));
268 }
269
270 static const char SeparatorCharacter = '_';
271
createFromDatabaseIdentifier(const String & databaseIdentifier)272 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromDatabaseIdentifier(const String& databaseIdentifier)
273 {
274 // Make sure there's a first separator
275 int separator1 = databaseIdentifier.find(SeparatorCharacter);
276 if (separator1 == -1)
277 return create(KURL());
278
279 // Make sure there's a second separator
280 int separator2 = databaseIdentifier.reverseFind(SeparatorCharacter);
281 if (separator2 == -1)
282 return create(KURL());
283
284 // Ensure there were at least 2 separator characters. Some hostnames on intranets have
285 // underscores in them, so we'll assume that any additional underscores are part of the host.
286 if (separator1 == separator2)
287 return create(KURL());
288
289 // Make sure the port section is a valid port number or doesn't exist
290 bool portOkay;
291 int port = databaseIdentifier.right(databaseIdentifier.length() - separator2 - 1).toInt(&portOkay);
292 bool portAbsent = (separator2 == static_cast<int>(databaseIdentifier.length()) - 1);
293 if (!(portOkay || portAbsent))
294 return create(KURL());
295
296 if (port < 0 || port > 65535)
297 return create(KURL());
298
299 // Split out the 3 sections of data
300 String protocol = databaseIdentifier.substring(0, separator1);
301 String host = databaseIdentifier.substring(separator1 + 1, separator2 - separator1 - 1);
302 return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port)));
303 }
304
databaseIdentifier() const305 String SecurityOrigin::databaseIdentifier() const
306 {
307 DEFINE_STATIC_LOCAL(String, separatorString, (&SeparatorCharacter, 1));
308 return m_protocol + separatorString + m_host + separatorString + String::number(m_port);
309 }
310
equal(const SecurityOrigin * other) const311 bool SecurityOrigin::equal(const SecurityOrigin* other) const
312 {
313 if (other == this)
314 return true;
315
316 if (!isSameSchemeHostPort(other))
317 return false;
318
319 if (m_domainWasSetInDOM != other->m_domainWasSetInDOM)
320 return false;
321
322 if (m_domainWasSetInDOM && m_domain != other->m_domain)
323 return false;
324
325 return true;
326 }
327
isSameSchemeHostPort(const SecurityOrigin * other) const328 bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const
329 {
330 if (m_host != other->m_host)
331 return false;
332
333 if (m_protocol != other->m_protocol)
334 return false;
335
336 if (m_port != other->m_port)
337 return false;
338
339 return true;
340 }
341
342 // static
registerURLSchemeAsLocal(const String & scheme)343 void SecurityOrigin::registerURLSchemeAsLocal(const String& scheme)
344 {
345 localSchemes().add(scheme);
346 }
347
348 // static
shouldTreatURLAsLocal(const String & url)349 bool SecurityOrigin::shouldTreatURLAsLocal(const String& url)
350 {
351 // This avoids an allocation of another String and the HashSet contains()
352 // call for the file: and http: schemes.
353 if (url.length() >= 5) {
354 const UChar* s = url.characters();
355 if (s[0] == 'h' && s[1] == 't' && s[2] == 't' && s[3] == 'p' && s[4] == ':')
356 return false;
357 if (s[0] == 'f' && s[1] == 'i' && s[2] == 'l' && s[3] == 'e' && s[4] == ':')
358 return true;
359 }
360
361 int loc = url.find(':');
362 if (loc == -1)
363 return false;
364
365 String scheme = url.left(loc);
366 return localSchemes().contains(scheme);
367 }
368
369 // static
shouldTreatURLSchemeAsLocal(const String & scheme)370 bool SecurityOrigin::shouldTreatURLSchemeAsLocal(const String& scheme)
371 {
372 // This avoids an allocation of another String and the HashSet contains()
373 // call for the file: and http: schemes.
374 if (scheme.length() == 4) {
375 const UChar* s = scheme.characters();
376 if (s[0] == 'h' && s[1] == 't' && s[2] == 't' && s[3] == 'p')
377 return false;
378 if (s[0] == 'f' && s[1] == 'i' && s[2] == 'l' && s[3] == 'e')
379 return true;
380 }
381
382 if (scheme.isEmpty())
383 return false;
384
385 return localSchemes().contains(scheme);
386 }
387
388 // static
registerURLSchemeAsNoAccess(const String & scheme)389 void SecurityOrigin::registerURLSchemeAsNoAccess(const String& scheme)
390 {
391 noAccessSchemes().add(scheme);
392 }
393
394 // static
shouldTreatURLSchemeAsNoAccess(const String & scheme)395 bool SecurityOrigin::shouldTreatURLSchemeAsNoAccess(const String& scheme)
396 {
397 return noAccessSchemes().contains(scheme);
398 }
399
400 } // namespace WebCore
401