1 /*
2 * Copyright (C) 2009 Google Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are
6 * met:
7 *
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above
11 * copyright notice, this list of conditions and the following disclaimer
12 * in the documentation and/or other materials provided with the
13 * distribution.
14 * * Neither the name of Google Inc. nor the names of its
15 * contributors may be used to endorse or promote products derived from
16 * this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "config.h"
32 #include "BindingSecurityBase.h"
33
34 #include "DOMWindow.h"
35 #include "Frame.h"
36 #include "SecurityOrigin.h"
37
38 namespace WebCore {
39
getDOMWindow(Frame * frame)40 DOMWindow* BindingSecurityBase::getDOMWindow(Frame* frame)
41 {
42 return frame->domWindow();
43 }
44
getFrame(Node * node)45 Frame* BindingSecurityBase::getFrame(Node* node)
46 {
47 return node->document()->frame();
48 }
49
50 // Same origin policy implementation:
51 //
52 // Same origin policy prevents JS code from domain A from accessing JS & DOM
53 // objects in a different domain B. There are exceptions and several objects
54 // are accessible by cross-domain code. For example, the window.frames object
55 // is accessible by code from a different domain, but window.document is not.
56 //
57 // The JS binding code sets security check callbacks on a function template,
58 // and accessing instances of the template calls the callback function.
59 // The callback function enforces the same origin policy.
60 //
61 // Callback functions are expensive. Binding code should use a security token
62 // string to do fast access checks for the common case where source and target
63 // are in the same domain. A security token is a string object that represents
64 // the protocol/url/port of a domain.
65 //
66 // There are special cases where security token matching is not enough.
67 // For example, JS can set its domain to a super domain by calling
68 // document.setDomain(...). In these cases, the binding code can reset
69 // a context's security token to its global object so that the fast access
70 // check will always fail.
71
72 // Helper to check if the current execution context can access a target frame.
73 // First it checks same domain policy using the lexical context.
74 //
75 // This is equivalent to KJS::Window::allowsAccessFrom(ExecState*).
canAccess(DOMWindow * activeWindow,DOMWindow * targetWindow)76 bool BindingSecurityBase::canAccess(DOMWindow* activeWindow,
77 DOMWindow* targetWindow)
78 {
79 ASSERT(targetWindow);
80
81 String message;
82
83 if (activeWindow == targetWindow)
84 return true;
85
86 if (!activeWindow)
87 return false;
88
89 const SecurityOrigin* activeSecurityOrigin = activeWindow->securityOrigin();
90 const SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin();
91
92 // We have seen crashes were the security origin of the target has not been
93 // initialized. Defend against that.
94 if (!targetSecurityOrigin)
95 return false;
96
97 if (activeSecurityOrigin->canAccess(targetSecurityOrigin))
98 return true;
99
100 // Allow access to a "about:blank" page if the dynamic context is a
101 // detached context of the same frame as the blank page.
102 if (targetSecurityOrigin->isEmpty() && activeWindow->frame() == targetWindow->frame())
103 return true;
104
105 return false;
106 }
107
108 } // namespace WebCore
109