1 /* 2 * Copyright (C) 2009 Google Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are 6 * met: 7 * 8 * * Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * * Redistributions in binary form must reproduce the above 11 * copyright notice, this list of conditions and the following disclaimer 12 * in the documentation and/or other materials provided with the 13 * distribution. 14 * * Neither the name of Google Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived from 16 * this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 22 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 23 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 24 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 #ifndef WebSecurityPolicy_h 32 #define WebSecurityPolicy_h 33 34 #include "WebCommon.h" 35 36 namespace WebKit { 37 38 class WebString; 39 class WebURL; 40 41 class WebSecurityPolicy { 42 public: 43 // Registers a URL scheme to be treated as a local scheme (i.e., with the 44 // same security rules as those applied to "file" URLs). This means that 45 // normal pages cannot link to or access URLs of this scheme. 46 WEBKIT_API static void registerURLSchemeAsLocal(const WebString&); 47 48 // Registers a URL scheme to be treated as a noAccess scheme. This means 49 // that pages loaded with this URL scheme cannot access pages loaded with 50 // any other URL scheme. 51 WEBKIT_API static void registerURLSchemeAsNoAccess(const WebString&); 52 53 // Registers a URL scheme to be treated as display-isolated. This means 54 // that pages cannot display these URLs unless they are from the same 55 // scheme. For example, pages in other origin cannot create iframes or 56 // hyperlinks to URLs with the scheme. 57 WEBKIT_API static void registerURLSchemeAsDisplayIsolated(const WebString&); 58 59 // Registers a URL scheme to not generate mixed content warnings when 60 // included by an HTTPS page. 61 WEBKIT_API static void registerURLSchemeAsSecure(const WebString&); 62 63 // Support for whitelisting access to origins beyond the same-origin policy. 64 WEBKIT_API static void addOriginAccessWhitelistEntry( 65 const WebURL& sourceOrigin, const WebString& destinationProtocol, 66 const WebString& destinationHost, bool allowDestinationSubdomains); 67 WEBKIT_API static void removeOriginAccessWhitelistEntry( 68 const WebURL& sourceOrigin, const WebString& destinationProtocol, 69 const WebString& destinationHost, bool allowDestinationSubdomains); 70 WEBKIT_API static void resetOriginAccessWhitelists(); 71 72 // Returns whether the url should be allowed to see the referrer 73 // based on their respective protocols. 74 WEBKIT_API static bool shouldHideReferrer(const WebURL& url, const WebString& referrer); 75 76 private: 77 WebSecurityPolicy(); 78 }; 79 80 } // namespace WebKit 81 82 #endif 83