1 /*
2 * Copyright (C) 2007 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include "config.h"
30 #include "SecurityOrigin.h"
31
32 #include "CString.h"
33 #include "Document.h"
34 #include "KURL.h"
35 #include "OriginAccessEntry.h"
36 #include <wtf/StdLibExtras.h>
37
38 namespace WebCore {
39
40 static SecurityOrigin::LocalLoadPolicy localLoadPolicy = SecurityOrigin::AllowLocalLoadsForLocalOnly;
41
42 typedef Vector<OriginAccessEntry> OriginAccessWhiteList;
43 typedef HashMap<String, OriginAccessWhiteList*> OriginAccessMap;
44
originAccessMap()45 static OriginAccessMap& originAccessMap()
46 {
47 DEFINE_STATIC_LOCAL(OriginAccessMap, originAccessMap, ());
48 return originAccessMap;
49 }
50
localSchemes()51 static URLSchemesMap& localSchemes()
52 {
53 DEFINE_STATIC_LOCAL(URLSchemesMap, localSchemes, ());
54
55 if (localSchemes.isEmpty()) {
56 localSchemes.add("file");
57 #if PLATFORM(MAC)
58 localSchemes.add("applewebdata");
59 #endif
60 #if PLATFORM(QT)
61 localSchemes.add("qrc");
62 #endif
63 }
64
65 return localSchemes;
66 }
67
schemesWithUniqueOrigins()68 static URLSchemesMap& schemesWithUniqueOrigins()
69 {
70 DEFINE_STATIC_LOCAL(URLSchemesMap, schemesWithUniqueOrigins, ());
71
72 // This is a willful violation of HTML5.
73 // See https://bugs.webkit.org/show_bug.cgi?id=11885
74 if (schemesWithUniqueOrigins.isEmpty())
75 schemesWithUniqueOrigins.add("data");
76
77 return schemesWithUniqueOrigins;
78 }
79
SecurityOrigin(const KURL & url,SandboxFlags sandboxFlags)80 SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
81 : m_sandboxFlags(sandboxFlags)
82 , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
83 , m_host(url.host().isNull() ? "" : url.host().lower())
84 , m_port(url.port())
85 , m_isUnique(isSandboxed(SandboxOrigin) || shouldTreatURLSchemeAsNoAccess(m_protocol))
86 , m_universalAccess(false)
87 , m_domainWasSetInDOM(false)
88 {
89 // These protocols do not create security origins; the owner frame provides the origin
90 if (m_protocol == "about" || m_protocol == "javascript")
91 m_protocol = "";
92
93 // document.domain starts as m_host, but can be set by the DOM.
94 m_domain = m_host;
95
96 // By default, only local SecurityOrigins can load local resources.
97 m_canLoadLocalResources = isLocal();
98 if (m_canLoadLocalResources) {
99 // Directories should never be readable.
100 if (!url.hasPath() || url.path().endsWith("/"))
101 m_isUnique = true;
102 }
103
104 if (isDefaultPortForProtocol(m_port, m_protocol))
105 m_port = 0;
106 }
107
SecurityOrigin(const SecurityOrigin * other)108 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
109 : m_sandboxFlags(other->m_sandboxFlags)
110 , m_protocol(other->m_protocol.threadsafeCopy())
111 , m_host(other->m_host.threadsafeCopy())
112 , m_domain(other->m_domain.threadsafeCopy())
113 , m_port(other->m_port)
114 , m_isUnique(other->m_isUnique)
115 , m_universalAccess(other->m_universalAccess)
116 , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
117 , m_canLoadLocalResources(other->m_canLoadLocalResources)
118 {
119 }
120
isEmpty() const121 bool SecurityOrigin::isEmpty() const
122 {
123 return m_protocol.isEmpty();
124 }
125
create(const KURL & url,SandboxFlags sandboxFlags)126 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url, SandboxFlags sandboxFlags)
127 {
128 if (!url.isValid())
129 return adoptRef(new SecurityOrigin(KURL(), sandboxFlags));
130 return adoptRef(new SecurityOrigin(url, sandboxFlags));
131 }
132
createEmpty()133 PassRefPtr<SecurityOrigin> SecurityOrigin::createEmpty()
134 {
135 return create(KURL());
136 }
137
threadsafeCopy()138 PassRefPtr<SecurityOrigin> SecurityOrigin::threadsafeCopy()
139 {
140 return adoptRef(new SecurityOrigin(this));
141 }
142
setDomainFromDOM(const String & newDomain)143 void SecurityOrigin::setDomainFromDOM(const String& newDomain)
144 {
145 m_domainWasSetInDOM = true;
146 m_domain = newDomain.lower();
147 }
148
schemesForbiddenFromDomainRelaxation()149 static HashSet<String>& schemesForbiddenFromDomainRelaxation()
150 {
151 DEFINE_STATIC_LOCAL(HashSet<String>, schemes, ());
152 return schemes;
153 }
154
setDomainRelaxationForbiddenForURLScheme(bool forbidden,const String & scheme)155 void SecurityOrigin::setDomainRelaxationForbiddenForURLScheme(bool forbidden, const String& scheme)
156 {
157 if (scheme.isEmpty())
158 return;
159
160 if (forbidden)
161 schemesForbiddenFromDomainRelaxation().add(scheme);
162 else
163 schemesForbiddenFromDomainRelaxation().remove(scheme);
164 }
165
isDomainRelaxationForbiddenForURLScheme(const String & scheme)166 bool SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(const String& scheme)
167 {
168 if (scheme.isEmpty())
169 return false;
170
171 return schemesForbiddenFromDomainRelaxation().contains(scheme);
172 }
173
canAccess(const SecurityOrigin * other) const174 bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
175 {
176 if (m_universalAccess)
177 return true;
178
179 if (isUnique() || other->isUnique())
180 return false;
181
182 // Here are two cases where we should permit access:
183 //
184 // 1) Neither document has set document.domain. In this case, we insist
185 // that the scheme, host, and port of the URLs match.
186 //
187 // 2) Both documents have set document.domain. In this case, we insist
188 // that the documents have set document.domain to the same value and
189 // that the scheme of the URLs match.
190 //
191 // This matches the behavior of Firefox 2 and Internet Explorer 6.
192 //
193 // Internet Explorer 7 and Opera 9 are more strict in that they require
194 // the port numbers to match when both pages have document.domain set.
195 //
196 // FIXME: Evaluate whether we can tighten this policy to require matched
197 // port numbers.
198 //
199 // Opera 9 allows access when only one page has set document.domain, but
200 // this is a security vulnerability.
201
202 if (m_protocol == other->m_protocol) {
203 if (!m_domainWasSetInDOM && !other->m_domainWasSetInDOM) {
204 if (m_host == other->m_host && m_port == other->m_port)
205 return true;
206 } else if (m_domainWasSetInDOM && other->m_domainWasSetInDOM) {
207 if (m_domain == other->m_domain)
208 return true;
209 }
210 }
211
212 return false;
213 }
214
canRequest(const KURL & url) const215 bool SecurityOrigin::canRequest(const KURL& url) const
216 {
217 if (m_universalAccess)
218 return true;
219
220 if (isUnique())
221 return false;
222
223 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
224 if (targetOrigin->isUnique())
225 return false;
226
227 // We call isSameSchemeHostPort here instead of canAccess because we want
228 // to ignore document.domain effects.
229 if (isSameSchemeHostPort(targetOrigin.get()))
230 return true;
231
232 if (OriginAccessWhiteList* list = originAccessMap().get(toString())) {
233 for (size_t i = 0; i < list->size(); ++i) {
234 if (list->at(i).matchesOrigin(*targetOrigin))
235 return true;
236 }
237 }
238
239 return false;
240 }
241
taintsCanvas(const KURL & url) const242 bool SecurityOrigin::taintsCanvas(const KURL& url) const
243 {
244 if (canRequest(url))
245 return false;
246
247 // This function exists because we treat data URLs as having a unique origin,
248 // contrary to the current (9/19/2009) draft of the HTML5 specification.
249 // We still want to let folks paint data URLs onto untainted canvases, so
250 // we special case data URLs below. If we change to match HTML5 w.r.t.
251 // data URL security, then we can remove this function in favor of
252 // !canRequest.
253 if (url.protocolIs("data"))
254 return false;
255
256 return true;
257 }
258
canLoad(const KURL & url,const String & referrer,Document * document)259 bool SecurityOrigin::canLoad(const KURL& url, const String& referrer, Document* document)
260 {
261 if (!shouldTreatURLAsLocal(url.string()))
262 return true;
263
264 // If we were provided a document, we let its local file policy dictate the result,
265 // otherwise we allow local loads only if the supplied referrer is also local.
266 if (document)
267 return document->securityOrigin()->canLoadLocalResources();
268 if (!referrer.isEmpty())
269 return shouldTreatURLAsLocal(referrer);
270 return false;
271 }
272
grantLoadLocalResources()273 void SecurityOrigin::grantLoadLocalResources()
274 {
275 // This function exists only to support backwards compatibility with older
276 // versions of WebKit. Granting privileges to some, but not all, documents
277 // in a SecurityOrigin is a security hazard because the documents without
278 // the privilege can obtain the privilege by injecting script into the
279 // documents that have been granted the privilege.
280 ASSERT(allowSubstituteDataAccessToLocal());
281 m_canLoadLocalResources = true;
282 }
283
grantUniversalAccess()284 void SecurityOrigin::grantUniversalAccess()
285 {
286 m_universalAccess = true;
287 }
288
isLocal() const289 bool SecurityOrigin::isLocal() const
290 {
291 return shouldTreatURLSchemeAsLocal(m_protocol);
292 }
293
isSecureTransitionTo(const KURL & url) const294 bool SecurityOrigin::isSecureTransitionTo(const KURL& url) const
295 {
296 // New window created by the application
297 if (isEmpty())
298 return true;
299
300 RefPtr<SecurityOrigin> other = SecurityOrigin::create(url);
301 return canAccess(other.get());
302 }
303
toString() const304 String SecurityOrigin::toString() const
305 {
306 if (isEmpty())
307 return "null";
308
309 if (isUnique())
310 return "null";
311
312 if (m_protocol == "file")
313 return String("file://");
314
315 Vector<UChar> result;
316 result.reserveInitialCapacity(m_protocol.length() + m_host.length() + 10);
317 append(result, m_protocol);
318 append(result, "://");
319 append(result, m_host);
320
321 if (m_port) {
322 append(result, ":");
323 append(result, String::number(m_port));
324 }
325
326 return String::adopt(result);
327 }
328
createFromString(const String & originString)329 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
330 {
331 return SecurityOrigin::create(KURL(KURL(), originString));
332 }
333
334 static const char SeparatorCharacter = '_';
335
createFromDatabaseIdentifier(const String & databaseIdentifier)336 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromDatabaseIdentifier(const String& databaseIdentifier)
337 {
338 // Make sure there's a first separator
339 int separator1 = databaseIdentifier.find(SeparatorCharacter);
340 if (separator1 == -1)
341 return create(KURL());
342
343 // Make sure there's a second separator
344 int separator2 = databaseIdentifier.reverseFind(SeparatorCharacter);
345 if (separator2 == -1)
346 return create(KURL());
347
348 // Ensure there were at least 2 separator characters. Some hostnames on intranets have
349 // underscores in them, so we'll assume that any additional underscores are part of the host.
350 if (separator1 == separator2)
351 return create(KURL());
352
353 // Make sure the port section is a valid port number or doesn't exist
354 bool portOkay;
355 int port = databaseIdentifier.right(databaseIdentifier.length() - separator2 - 1).toInt(&portOkay);
356 bool portAbsent = (separator2 == static_cast<int>(databaseIdentifier.length()) - 1);
357 if (!(portOkay || portAbsent))
358 return create(KURL());
359
360 if (port < 0 || port > 65535)
361 return create(KURL());
362
363 // Split out the 3 sections of data
364 String protocol = databaseIdentifier.substring(0, separator1);
365 String host = databaseIdentifier.substring(separator1 + 1, separator2 - separator1 - 1);
366 return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port)));
367 }
368
databaseIdentifier() const369 String SecurityOrigin::databaseIdentifier() const
370 {
371 DEFINE_STATIC_LOCAL(String, separatorString, (&SeparatorCharacter, 1));
372 return m_protocol + separatorString + m_host + separatorString + String::number(m_port);
373 }
374
equal(const SecurityOrigin * other) const375 bool SecurityOrigin::equal(const SecurityOrigin* other) const
376 {
377 if (other == this)
378 return true;
379
380 if (!isSameSchemeHostPort(other))
381 return false;
382
383 if (m_domainWasSetInDOM != other->m_domainWasSetInDOM)
384 return false;
385
386 if (m_domainWasSetInDOM && m_domain != other->m_domain)
387 return false;
388
389 return true;
390 }
391
isSameSchemeHostPort(const SecurityOrigin * other) const392 bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const
393 {
394 if (m_host != other->m_host)
395 return false;
396
397 if (m_protocol != other->m_protocol)
398 return false;
399
400 if (m_port != other->m_port)
401 return false;
402
403 return true;
404 }
405
registerURLSchemeAsLocal(const String & scheme)406 void SecurityOrigin::registerURLSchemeAsLocal(const String& scheme)
407 {
408 localSchemes().add(scheme);
409 }
410
removeURLSchemeRegisteredAsLocal(const String & scheme)411 void SecurityOrigin::removeURLSchemeRegisteredAsLocal(const String& scheme)
412 {
413 if (scheme == "file")
414 return;
415 #if PLATFORM(MAC)
416 if (scheme == "applewebdata")
417 return;
418 #endif
419 localSchemes().remove(scheme);
420 }
421
localURLSchemes()422 const URLSchemesMap& SecurityOrigin::localURLSchemes()
423 {
424 return localSchemes();
425 }
426
shouldTreatURLAsLocal(const String & url)427 bool SecurityOrigin::shouldTreatURLAsLocal(const String& url)
428 {
429 // This avoids an allocation of another String and the HashSet contains()
430 // call for the file: and http: schemes.
431 if (url.length() >= 5) {
432 const UChar* s = url.characters();
433 if (s[0] == 'h' && s[1] == 't' && s[2] == 't' && s[3] == 'p' && s[4] == ':')
434 return false;
435 if (s[0] == 'f' && s[1] == 'i' && s[2] == 'l' && s[3] == 'e' && s[4] == ':')
436 return true;
437 }
438
439 int loc = url.find(':');
440 if (loc == -1)
441 return false;
442
443 String scheme = url.left(loc);
444 return localSchemes().contains(scheme);
445 }
446
shouldTreatURLSchemeAsLocal(const String & scheme)447 bool SecurityOrigin::shouldTreatURLSchemeAsLocal(const String& scheme)
448 {
449 // This avoids an allocation of another String and the HashSet contains()
450 // call for the file: and http: schemes.
451 if (scheme.length() == 4) {
452 const UChar* s = scheme.characters();
453 if (s[0] == 'h' && s[1] == 't' && s[2] == 't' && s[3] == 'p')
454 return false;
455 if (s[0] == 'f' && s[1] == 'i' && s[2] == 'l' && s[3] == 'e')
456 return true;
457 }
458
459 if (scheme.isEmpty())
460 return false;
461
462 return localSchemes().contains(scheme);
463 }
464
registerURLSchemeAsNoAccess(const String & scheme)465 void SecurityOrigin::registerURLSchemeAsNoAccess(const String& scheme)
466 {
467 schemesWithUniqueOrigins().add(scheme);
468 }
469
shouldTreatURLSchemeAsNoAccess(const String & scheme)470 bool SecurityOrigin::shouldTreatURLSchemeAsNoAccess(const String& scheme)
471 {
472 return schemesWithUniqueOrigins().contains(scheme);
473 }
474
shouldHideReferrer(const KURL & url,const String & referrer)475 bool SecurityOrigin::shouldHideReferrer(const KURL& url, const String& referrer)
476 {
477 bool referrerIsSecureURL = protocolIs(referrer, "https");
478 bool referrerIsWebURL = referrerIsSecureURL || protocolIs(referrer, "http");
479
480 if (!referrerIsWebURL)
481 return true;
482
483 if (!referrerIsSecureURL)
484 return false;
485
486 bool URLIsSecureURL = url.protocolIs("https");
487
488 return !URLIsSecureURL;
489 }
490
setLocalLoadPolicy(LocalLoadPolicy policy)491 void SecurityOrigin::setLocalLoadPolicy(LocalLoadPolicy policy)
492 {
493 localLoadPolicy = policy;
494 }
495
restrictAccessToLocal()496 bool SecurityOrigin::restrictAccessToLocal()
497 {
498 return localLoadPolicy != SecurityOrigin::AllowLocalLoadsForAll;
499 }
500
allowSubstituteDataAccessToLocal()501 bool SecurityOrigin::allowSubstituteDataAccessToLocal()
502 {
503 return localLoadPolicy != SecurityOrigin::AllowLocalLoadsForLocalOnly;
504 }
505
whiteListAccessFromOrigin(const SecurityOrigin & sourceOrigin,const String & destinationProtocol,const String & destinationDomains,bool allowDestinationSubdomains)506 void SecurityOrigin::whiteListAccessFromOrigin(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains)
507 {
508 ASSERT(isMainThread());
509 ASSERT(!sourceOrigin.isEmpty());
510 if (sourceOrigin.isEmpty())
511 return;
512
513 String sourceString = sourceOrigin.toString();
514 OriginAccessWhiteList* list = originAccessMap().get(sourceString);
515 if (!list) {
516 list = new OriginAccessWhiteList;
517 originAccessMap().set(sourceString, list);
518 }
519 list->append(OriginAccessEntry(destinationProtocol, destinationDomains, allowDestinationSubdomains ? OriginAccessEntry::AllowSubdomains : OriginAccessEntry::DisallowSubdomains));
520 }
521
resetOriginAccessWhiteLists()522 void SecurityOrigin::resetOriginAccessWhiteLists()
523 {
524 ASSERT(isMainThread());
525 OriginAccessMap& map = originAccessMap();
526 deleteAllValues(map);
527 map.clear();
528 }
529
530 } // namespace WebCore
531