1 /*
2 * Copyright (C) 2007 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include "config.h"
30 #include "SecurityOrigin.h"
31
32 #include "BlobURL.h"
33 #include "Document.h"
34 #include "FileSystem.h"
35 #include "KURL.h"
36 #include "OriginAccessEntry.h"
37 #include "SchemeRegistry.h"
38 #include <wtf/StdLibExtras.h>
39
40 namespace WebCore {
41
42 static SecurityOrigin::LocalLoadPolicy localLoadPolicy = SecurityOrigin::AllowLocalLoadsForLocalOnly;
43 const int MaxAllowedPort = 65535;
44
45 typedef Vector<OriginAccessEntry> OriginAccessWhiteList;
46 typedef HashMap<String, OriginAccessWhiteList*> OriginAccessMap;
47
originAccessMap()48 static OriginAccessMap& originAccessMap()
49 {
50 DEFINE_STATIC_LOCAL(OriginAccessMap, originAccessMap, ());
51 return originAccessMap;
52 }
53
schemeRequiresAuthority(const String & scheme)54 static bool schemeRequiresAuthority(const String& scheme)
55 {
56 DEFINE_STATIC_LOCAL(URLSchemesMap, schemes, ());
57
58 if (schemes.isEmpty()) {
59 schemes.add("http");
60 schemes.add("https");
61 schemes.add("ftp");
62 }
63
64 return schemes.contains(scheme);
65 }
66
67
SecurityOrigin(const KURL & url,SandboxFlags sandboxFlags)68 SecurityOrigin::SecurityOrigin(const KURL& url, SandboxFlags sandboxFlags)
69 : m_sandboxFlags(sandboxFlags)
70 , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
71 , m_host(url.host().isNull() ? "" : url.host().lower())
72 , m_port(url.port())
73 , m_isUnique(isSandboxed(SandboxOrigin) || SchemeRegistry::shouldTreatURLSchemeAsNoAccess(m_protocol))
74 , m_universalAccess(false)
75 , m_domainWasSetInDOM(false)
76 , m_enforceFilePathSeparation(false)
77 {
78 // These protocols do not create security origins; the owner frame provides the origin
79 if (m_protocol == "about" || m_protocol == "javascript")
80 m_protocol = "";
81
82 #if ENABLE(BLOB) || ENABLE(FILE_SYSTEM)
83 bool isBlobOrFileSystemProtocol = false;
84 #if ENABLE(BLOB)
85 if (m_protocol == BlobURL::blobProtocol())
86 isBlobOrFileSystemProtocol = true;
87 #endif
88 #if ENABLE(FILE_SYSTEM)
89 if (m_protocol == "filesystem")
90 isBlobOrFileSystemProtocol = true;
91 #endif
92 if (isBlobOrFileSystemProtocol) {
93 KURL originURL(ParsedURLString, url.path());
94 if (originURL.isValid()) {
95 m_protocol = originURL.protocol().lower();
96 m_host = originURL.host().lower();
97 m_port = originURL.port();
98 } else
99 m_isUnique = true;
100 }
101 #endif
102
103 // For edge case URLs that were probably misparsed, make sure that the origin is unique.
104 if (schemeRequiresAuthority(m_protocol) && m_host.isEmpty())
105 m_isUnique = true;
106 if (m_protocol.isEmpty())
107 m_isUnique = true;
108
109 // document.domain starts as m_host, but can be set by the DOM.
110 m_domain = m_host;
111
112 // By default, only local SecurityOrigins can load local resources.
113 m_canLoadLocalResources = isLocal();
114 if (m_canLoadLocalResources) {
115 // Directories should never be readable.
116 // Note that we do not do this check for blob or filesystem url because its origin is file:/// when it is created from local file urls.
117 #if ENABLE(BLOB) || ENABLE(FILE_SYSTEM)
118 bool doDirectoryCheck = !isBlobOrFileSystemProtocol;
119 #else
120 bool doDirectoryCheck = true;
121 #endif
122 if (doDirectoryCheck && (!url.hasPath() || url.path().endsWith("/")))
123 m_isUnique = true;
124 // Store the path in case we are doing per-file origin checking.
125 m_filePath = url.path();
126 }
127
128 if (isDefaultPortForProtocol(m_port, m_protocol))
129 m_port = 0;
130 }
131
SecurityOrigin(const SecurityOrigin * other)132 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
133 : m_sandboxFlags(other->m_sandboxFlags)
134 , m_protocol(other->m_protocol.threadsafeCopy())
135 , m_host(other->m_host.threadsafeCopy())
136 , m_encodedHost(other->m_encodedHost.threadsafeCopy())
137 , m_domain(other->m_domain.threadsafeCopy())
138 , m_filePath(other->m_filePath.threadsafeCopy())
139 , m_port(other->m_port)
140 , m_isUnique(other->m_isUnique)
141 , m_universalAccess(other->m_universalAccess)
142 , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
143 , m_canLoadLocalResources(other->m_canLoadLocalResources)
144 , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation)
145 {
146 }
147
isEmpty() const148 bool SecurityOrigin::isEmpty() const
149 {
150 return m_protocol.isEmpty();
151 }
152
create(const KURL & url,SandboxFlags sandboxFlags)153 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url, SandboxFlags sandboxFlags)
154 {
155 if (!url.isValid())
156 return adoptRef(new SecurityOrigin(KURL(), sandboxFlags));
157 return adoptRef(new SecurityOrigin(url, sandboxFlags));
158 }
159
createEmpty()160 PassRefPtr<SecurityOrigin> SecurityOrigin::createEmpty()
161 {
162 return create(KURL());
163 }
164
threadsafeCopy()165 PassRefPtr<SecurityOrigin> SecurityOrigin::threadsafeCopy()
166 {
167 return adoptRef(new SecurityOrigin(this));
168 }
169
setDomainFromDOM(const String & newDomain)170 void SecurityOrigin::setDomainFromDOM(const String& newDomain)
171 {
172 m_domainWasSetInDOM = true;
173 m_domain = newDomain.lower();
174 }
175
schemesForbiddenFromDomainRelaxation()176 static HashSet<String>& schemesForbiddenFromDomainRelaxation()
177 {
178 DEFINE_STATIC_LOCAL(HashSet<String>, schemes, ());
179 return schemes;
180 }
181
setDomainRelaxationForbiddenForURLScheme(bool forbidden,const String & scheme)182 void SecurityOrigin::setDomainRelaxationForbiddenForURLScheme(bool forbidden, const String& scheme)
183 {
184 if (scheme.isEmpty())
185 return;
186
187 if (forbidden)
188 schemesForbiddenFromDomainRelaxation().add(scheme);
189 else
190 schemesForbiddenFromDomainRelaxation().remove(scheme);
191 }
192
isDomainRelaxationForbiddenForURLScheme(const String & scheme)193 bool SecurityOrigin::isDomainRelaxationForbiddenForURLScheme(const String& scheme)
194 {
195 if (scheme.isEmpty())
196 return false;
197
198 return schemesForbiddenFromDomainRelaxation().contains(scheme);
199 }
200
canAccess(const SecurityOrigin * other) const201 bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
202 {
203 if (m_universalAccess)
204 return true;
205
206 if (this == other)
207 return true;
208
209 if (isUnique() || other->isUnique())
210 return false;
211
212 // Here are two cases where we should permit access:
213 //
214 // 1) Neither document has set document.domain. In this case, we insist
215 // that the scheme, host, and port of the URLs match.
216 //
217 // 2) Both documents have set document.domain. In this case, we insist
218 // that the documents have set document.domain to the same value and
219 // that the scheme of the URLs match.
220 //
221 // This matches the behavior of Firefox 2 and Internet Explorer 6.
222 //
223 // Internet Explorer 7 and Opera 9 are more strict in that they require
224 // the port numbers to match when both pages have document.domain set.
225 //
226 // FIXME: Evaluate whether we can tighten this policy to require matched
227 // port numbers.
228 //
229 // Opera 9 allows access when only one page has set document.domain, but
230 // this is a security vulnerability.
231
232 bool canAccess = false;
233 if (m_protocol == other->m_protocol) {
234 if (!m_domainWasSetInDOM && !other->m_domainWasSetInDOM) {
235 if (m_host == other->m_host && m_port == other->m_port)
236 canAccess = true;
237 } else if (m_domainWasSetInDOM && other->m_domainWasSetInDOM) {
238 if (m_domain == other->m_domain)
239 canAccess = true;
240 }
241 }
242
243 if (canAccess && isLocal())
244 canAccess = passesFileCheck(other);
245
246 return canAccess;
247 }
248
passesFileCheck(const SecurityOrigin * other) const249 bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const
250 {
251 ASSERT(isLocal() && other->isLocal());
252
253 if (!m_enforceFilePathSeparation && !other->m_enforceFilePathSeparation)
254 return true;
255
256 return (m_filePath == other->m_filePath);
257 }
258
canRequest(const KURL & url) const259 bool SecurityOrigin::canRequest(const KURL& url) const
260 {
261 if (m_universalAccess)
262 return true;
263
264 if (isUnique())
265 return false;
266
267 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
268
269 if (targetOrigin->isUnique())
270 return false;
271
272 // We call isSameSchemeHostPort here instead of canAccess because we want
273 // to ignore document.domain effects.
274 if (isSameSchemeHostPort(targetOrigin.get()))
275 return true;
276
277 if (isAccessWhiteListed(targetOrigin.get()))
278 return true;
279
280 return false;
281 }
282
taintsCanvas(const KURL & url) const283 bool SecurityOrigin::taintsCanvas(const KURL& url) const
284 {
285 if (canRequest(url))
286 return false;
287
288 // This function exists because we treat data URLs as having a unique origin,
289 // contrary to the current (9/19/2009) draft of the HTML5 specification.
290 // We still want to let folks paint data URLs onto untainted canvases, so
291 // we special case data URLs below. If we change to match HTML5 w.r.t.
292 // data URL security, then we can remove this function in favor of
293 // !canRequest.
294 if (url.protocolIsData())
295 return false;
296
297 return true;
298 }
299
canReceiveDragData(const SecurityOrigin * dragInitiator) const300 bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const
301 {
302 if (this == dragInitiator)
303 return true;
304
305 // FIXME: Currently we treat data URLs as having a unique origin, contrary to the
306 // current (9/19/2009) draft of the HTML5 specification. We still want to allow
307 // drop across data URLs, so we special case data URLs below. If we change to
308 // match HTML5 w.r.t. data URL security, then we can remove this check.
309 if (m_protocol == "data")
310 return true;
311
312 return canAccess(dragInitiator);
313 }
314
isAccessWhiteListed(const SecurityOrigin * targetOrigin) const315 bool SecurityOrigin::isAccessWhiteListed(const SecurityOrigin* targetOrigin) const
316 {
317 if (OriginAccessWhiteList* list = originAccessMap().get(toString())) {
318 for (size_t i = 0; i < list->size(); ++i) {
319 if (list->at(i).matchesOrigin(*targetOrigin))
320 return true;
321 }
322 }
323 return false;
324 }
325
isAccessToURLWhiteListed(const KURL & url) const326 bool SecurityOrigin::isAccessToURLWhiteListed(const KURL& url) const
327 {
328 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
329 return isAccessWhiteListed(targetOrigin.get());
330 }
331
canDisplay(const KURL & url) const332 bool SecurityOrigin::canDisplay(const KURL& url) const
333 {
334 String protocol = url.protocol().lower();
335
336 if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol))
337 return canRequest(url);
338
339 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol))
340 return m_protocol == protocol || isAccessToURLWhiteListed(url);
341
342 if (restrictAccessToLocal() && SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol))
343 return canLoadLocalResources() || isAccessToURLWhiteListed(url);
344
345 return true;
346 }
347
grantLoadLocalResources()348 void SecurityOrigin::grantLoadLocalResources()
349 {
350 // This function exists only to support backwards compatibility with older
351 // versions of WebKit. Granting privileges to some, but not all, documents
352 // in a SecurityOrigin is a security hazard because the documents without
353 // the privilege can obtain the privilege by injecting script into the
354 // documents that have been granted the privilege.
355 ASSERT(allowSubstituteDataAccessToLocal());
356 m_canLoadLocalResources = true;
357 }
358
grantUniversalAccess()359 void SecurityOrigin::grantUniversalAccess()
360 {
361 m_universalAccess = true;
362 }
363
enforceFilePathSeparation()364 void SecurityOrigin::enforceFilePathSeparation()
365 {
366 ASSERT(isLocal());
367 m_enforceFilePathSeparation = true;
368 }
369
isLocal() const370 bool SecurityOrigin::isLocal() const
371 {
372 return SchemeRegistry::shouldTreatURLSchemeAsLocal(m_protocol);
373 }
374
isSecureTransitionTo(const KURL & url) const375 bool SecurityOrigin::isSecureTransitionTo(const KURL& url) const
376 {
377 // New window created by the application
378 if (isEmpty())
379 return true;
380
381 RefPtr<SecurityOrigin> other = SecurityOrigin::create(url);
382 return canAccess(other.get());
383 }
384
toString() const385 String SecurityOrigin::toString() const
386 {
387 if (isEmpty())
388 return "null";
389
390 if (isUnique())
391 return "null";
392
393 if (m_protocol == "file") {
394 if (m_enforceFilePathSeparation)
395 return "null";
396 return "file://";
397 }
398
399 Vector<UChar> result;
400 result.reserveInitialCapacity(m_protocol.length() + m_host.length() + 10);
401 append(result, m_protocol);
402 append(result, "://");
403 append(result, m_host);
404
405 if (m_port) {
406 append(result, ":");
407 append(result, String::number(m_port));
408 }
409
410 return String::adopt(result);
411 }
412
createFromString(const String & originString)413 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
414 {
415 return SecurityOrigin::create(KURL(KURL(), originString));
416 }
417
418 static const char SeparatorCharacter = '_';
419
createFromDatabaseIdentifier(const String & databaseIdentifier)420 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromDatabaseIdentifier(const String& databaseIdentifier)
421 {
422 // Make sure there's a first separator
423 size_t separator1 = databaseIdentifier.find(SeparatorCharacter);
424 if (separator1 == notFound)
425 return create(KURL());
426
427 // Make sure there's a second separator
428 size_t separator2 = databaseIdentifier.reverseFind(SeparatorCharacter);
429 if (separator2 == notFound)
430 return create(KURL());
431
432 // Ensure there were at least 2 separator characters. Some hostnames on intranets have
433 // underscores in them, so we'll assume that any additional underscores are part of the host.
434 if (separator1 == separator2)
435 return create(KURL());
436
437 // Make sure the port section is a valid port number or doesn't exist
438 bool portOkay;
439 int port = databaseIdentifier.right(databaseIdentifier.length() - separator2 - 1).toInt(&portOkay);
440 bool portAbsent = (separator2 == databaseIdentifier.length() - 1);
441 if (!(portOkay || portAbsent))
442 return create(KURL());
443
444 if (port < 0 || port > MaxAllowedPort)
445 return create(KURL());
446
447 // Split out the 3 sections of data
448 String protocol = databaseIdentifier.substring(0, separator1);
449 String host = databaseIdentifier.substring(separator1 + 1, separator2 - separator1 - 1);
450
451 host = decodeURLEscapeSequences(host);
452 return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port)));
453 }
454
create(const String & protocol,const String & host,int port)455 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, int port)
456 {
457 if (port < 0 || port > MaxAllowedPort)
458 create(KURL());
459 String decodedHost = decodeURLEscapeSequences(host);
460 return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port)));
461 }
462
databaseIdentifier() const463 String SecurityOrigin::databaseIdentifier() const
464 {
465 String separatorString(&SeparatorCharacter, 1);
466
467 if (m_encodedHost.isEmpty())
468 m_encodedHost = encodeForFileName(m_host);
469
470 return m_protocol + separatorString + m_encodedHost + separatorString + String::number(m_port);
471 }
472
equal(const SecurityOrigin * other) const473 bool SecurityOrigin::equal(const SecurityOrigin* other) const
474 {
475 if (other == this)
476 return true;
477
478 if (!isSameSchemeHostPort(other))
479 return false;
480
481 if (m_domainWasSetInDOM != other->m_domainWasSetInDOM)
482 return false;
483
484 if (m_domainWasSetInDOM && m_domain != other->m_domain)
485 return false;
486
487 return true;
488 }
489
isSameSchemeHostPort(const SecurityOrigin * other) const490 bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const
491 {
492 if (m_host != other->m_host)
493 return false;
494
495 if (m_protocol != other->m_protocol)
496 return false;
497
498 if (m_port != other->m_port)
499 return false;
500
501 if (isLocal() && !passesFileCheck(other))
502 return false;
503
504 return true;
505 }
506
shouldHideReferrer(const KURL & url,const String & referrer)507 bool SecurityOrigin::shouldHideReferrer(const KURL& url, const String& referrer)
508 {
509 bool referrerIsSecureURL = protocolIs(referrer, "https");
510 bool referrerIsWebURL = referrerIsSecureURL || protocolIs(referrer, "http");
511
512 if (!referrerIsWebURL)
513 return true;
514
515 if (!referrerIsSecureURL)
516 return false;
517
518 bool URLIsSecureURL = url.protocolIs("https");
519
520 return !URLIsSecureURL;
521 }
522
setLocalLoadPolicy(LocalLoadPolicy policy)523 void SecurityOrigin::setLocalLoadPolicy(LocalLoadPolicy policy)
524 {
525 localLoadPolicy = policy;
526 }
527
restrictAccessToLocal()528 bool SecurityOrigin::restrictAccessToLocal()
529 {
530 return localLoadPolicy != SecurityOrigin::AllowLocalLoadsForAll;
531 }
532
allowSubstituteDataAccessToLocal()533 bool SecurityOrigin::allowSubstituteDataAccessToLocal()
534 {
535 return localLoadPolicy != SecurityOrigin::AllowLocalLoadsForLocalOnly;
536 }
537
addOriginAccessWhitelistEntry(const SecurityOrigin & sourceOrigin,const String & destinationProtocol,const String & destinationDomains,bool allowDestinationSubdomains)538 void SecurityOrigin::addOriginAccessWhitelistEntry(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains)
539 {
540 ASSERT(isMainThread());
541 ASSERT(!sourceOrigin.isEmpty());
542 if (sourceOrigin.isEmpty())
543 return;
544
545 String sourceString = sourceOrigin.toString();
546 pair<OriginAccessMap::iterator, bool> result = originAccessMap().add(sourceString, 0);
547 if (result.second)
548 result.first->second = new OriginAccessWhiteList;
549
550 OriginAccessWhiteList* list = result.first->second;
551 list->append(OriginAccessEntry(destinationProtocol, destinationDomains, allowDestinationSubdomains ? OriginAccessEntry::AllowSubdomains : OriginAccessEntry::DisallowSubdomains));
552 }
553
removeOriginAccessWhitelistEntry(const SecurityOrigin & sourceOrigin,const String & destinationProtocol,const String & destinationDomains,bool allowDestinationSubdomains)554 void SecurityOrigin::removeOriginAccessWhitelistEntry(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains)
555 {
556 ASSERT(isMainThread());
557 ASSERT(!sourceOrigin.isEmpty());
558 if (sourceOrigin.isEmpty())
559 return;
560
561 String sourceString = sourceOrigin.toString();
562 OriginAccessMap& map = originAccessMap();
563 OriginAccessMap::iterator it = map.find(sourceString);
564 if (it == map.end())
565 return;
566
567 OriginAccessWhiteList* list = it->second;
568 size_t index = list->find(OriginAccessEntry(destinationProtocol, destinationDomains, allowDestinationSubdomains ? OriginAccessEntry::AllowSubdomains : OriginAccessEntry::DisallowSubdomains));
569 if (index == notFound)
570 return;
571
572 list->remove(index);
573
574 if (!list->isEmpty())
575 return;
576
577 map.remove(it);
578 delete list;
579 }
580
resetOriginAccessWhitelists()581 void SecurityOrigin::resetOriginAccessWhitelists()
582 {
583 ASSERT(isMainThread());
584 OriginAccessMap& map = originAccessMap();
585 deleteAllValues(map);
586 map.clear();
587 }
588
589 } // namespace WebCore
590