1 /*
2 * Copyright (C) 2007 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include "config.h"
30 #include "platform/weborigin/SecurityOrigin.h"
31
32 #include "platform/weborigin/KURL.h"
33 #include "platform/weborigin/KnownPorts.h"
34 #include "platform/weborigin/SchemeRegistry.h"
35 #include "platform/weborigin/SecurityOriginCache.h"
36 #include "platform/weborigin/SecurityPolicy.h"
37 #include "url/url_canon_ip.h"
38 #include "wtf/HexNumber.h"
39 #include "wtf/MainThread.h"
40 #include "wtf/StdLibExtras.h"
41 #include "wtf/text/StringBuilder.h"
42
43 namespace WebCore {
44
45 const int InvalidPort = 0;
46 const int MaxAllowedPort = 65535;
47
48 static SecurityOriginCache* s_originCache = 0;
49
schemeRequiresAuthority(const KURL & url)50 static bool schemeRequiresAuthority(const KURL& url)
51 {
52 // We expect URLs with these schemes to have authority components. If the
53 // URL lacks an authority component, we get concerned and mark the origin
54 // as unique.
55 return url.protocolIsInHTTPFamily() || url.protocolIs("ftp");
56 }
57
cachedOrigin(const KURL & url)58 static SecurityOrigin* cachedOrigin(const KURL& url)
59 {
60 if (s_originCache)
61 return s_originCache->cachedOrigin(url);
62 return 0;
63 }
64
shouldUseInnerURL(const KURL & url)65 bool SecurityOrigin::shouldUseInnerURL(const KURL& url)
66 {
67 // FIXME: Blob URLs don't have inner URLs. Their form is "blob:<inner-origin>/<UUID>", so treating the part after "blob:" as a URL is incorrect.
68 if (url.protocolIs("blob"))
69 return true;
70 if (url.protocolIs("filesystem"))
71 return true;
72 return false;
73 }
74
75 // In general, extracting the inner URL varies by scheme. It just so happens
76 // that all the URL schemes we currently support that use inner URLs for their
77 // security origin can be parsed using this algorithm.
extractInnerURL(const KURL & url)78 KURL SecurityOrigin::extractInnerURL(const KURL& url)
79 {
80 if (url.innerURL())
81 return *url.innerURL();
82 // FIXME: Update this callsite to use the innerURL member function when
83 // we finish implementing it.
84 return KURL(ParsedURLString, decodeURLEscapeSequences(url.path()));
85 }
86
setCache(SecurityOriginCache * originCache)87 void SecurityOrigin::setCache(SecurityOriginCache* originCache)
88 {
89 s_originCache = originCache;
90 }
91
shouldTreatAsUniqueOrigin(const KURL & url)92 static bool shouldTreatAsUniqueOrigin(const KURL& url)
93 {
94 if (!url.isValid())
95 return true;
96
97 // FIXME: Do we need to unwrap the URL further?
98 KURL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
99
100 // FIXME: Check whether innerURL is valid.
101
102 // For edge case URLs that were probably misparsed, make sure that the origin is unique.
103 // FIXME: Do we really need to do this? This looks to be a hack around a
104 // security bug in CFNetwork that might have been fixed.
105 if (schemeRequiresAuthority(innerURL) && innerURL.host().isEmpty())
106 return true;
107
108 // SchemeRegistry needs a lower case protocol because it uses HashMaps
109 // that assume the scheme has already been canonicalized.
110 String protocol = innerURL.protocol().lower();
111
112 if (SchemeRegistry::shouldTreatURLSchemeAsNoAccess(protocol))
113 return true;
114
115 // This is the common case.
116 return false;
117 }
118
SecurityOrigin(const KURL & url)119 SecurityOrigin::SecurityOrigin(const KURL& url)
120 : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
121 , m_host(url.host().isNull() ? "" : url.host().lower())
122 , m_port(url.port())
123 , m_isUnique(false)
124 , m_universalAccess(false)
125 , m_domainWasSetInDOM(false)
126 , m_enforceFilePathSeparation(false)
127 , m_needsDatabaseIdentifierQuirkForFiles(false)
128 {
129 // document.domain starts as m_host, but can be set by the DOM.
130 m_domain = m_host;
131
132 if (isDefaultPortForProtocol(m_port, m_protocol))
133 m_port = InvalidPort;
134
135 // By default, only local SecurityOrigins can load local resources.
136 m_canLoadLocalResources = isLocal();
137
138 if (m_canLoadLocalResources)
139 m_filePath = url.path(); // In case enforceFilePathSeparation() is called.
140 }
141
SecurityOrigin()142 SecurityOrigin::SecurityOrigin()
143 : m_protocol("")
144 , m_host("")
145 , m_domain("")
146 , m_port(InvalidPort)
147 , m_isUnique(true)
148 , m_universalAccess(false)
149 , m_domainWasSetInDOM(false)
150 , m_canLoadLocalResources(false)
151 , m_enforceFilePathSeparation(false)
152 , m_needsDatabaseIdentifierQuirkForFiles(false)
153 {
154 }
155
SecurityOrigin(const SecurityOrigin * other)156 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
157 : m_protocol(other->m_protocol.isolatedCopy())
158 , m_host(other->m_host.isolatedCopy())
159 , m_domain(other->m_domain.isolatedCopy())
160 , m_filePath(other->m_filePath.isolatedCopy())
161 , m_port(other->m_port)
162 , m_isUnique(other->m_isUnique)
163 , m_universalAccess(other->m_universalAccess)
164 , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
165 , m_canLoadLocalResources(other->m_canLoadLocalResources)
166 , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation)
167 , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles)
168 {
169 }
170
create(const KURL & url)171 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const KURL& url)
172 {
173 if (RefPtr<SecurityOrigin> origin = cachedOrigin(url))
174 return origin.release();
175
176 if (shouldTreatAsUniqueOrigin(url)) {
177 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin());
178
179 if (url.protocolIs("file")) {
180 // Unfortunately, we can't represent all unique origins exactly
181 // the same way because we need to produce a quirky database
182 // identifier for file URLs due to persistent storage in some
183 // embedders of WebKit.
184 origin->m_needsDatabaseIdentifierQuirkForFiles = true;
185 }
186
187 return origin.release();
188 }
189
190 if (shouldUseInnerURL(url))
191 return adoptRef(new SecurityOrigin(extractInnerURL(url)));
192
193 return adoptRef(new SecurityOrigin(url));
194 }
195
createUnique()196 PassRefPtr<SecurityOrigin> SecurityOrigin::createUnique()
197 {
198 RefPtr<SecurityOrigin> origin = adoptRef(new SecurityOrigin());
199 ASSERT(origin->isUnique());
200 return origin.release();
201 }
202
isolatedCopy() const203 PassRefPtr<SecurityOrigin> SecurityOrigin::isolatedCopy() const
204 {
205 return adoptRef(new SecurityOrigin(this));
206 }
207
setDomainFromDOM(const String & newDomain)208 void SecurityOrigin::setDomainFromDOM(const String& newDomain)
209 {
210 m_domainWasSetInDOM = true;
211 m_domain = newDomain.lower();
212 }
213
isSecure(const KURL & url)214 bool SecurityOrigin::isSecure(const KURL& url)
215 {
216 // Invalid URLs are secure, as are URLs which have a secure protocol.
217 if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol()))
218 return true;
219
220 // URLs that wrap inner URLs are secure if those inner URLs are secure.
221 if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol()))
222 return true;
223
224 return false;
225 }
226
canAccess(const SecurityOrigin * other) const227 bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
228 {
229 if (m_universalAccess)
230 return true;
231
232 if (this == other)
233 return true;
234
235 if (isUnique() || other->isUnique())
236 return false;
237
238 // Here are two cases where we should permit access:
239 //
240 // 1) Neither document has set document.domain. In this case, we insist
241 // that the scheme, host, and port of the URLs match.
242 //
243 // 2) Both documents have set document.domain. In this case, we insist
244 // that the documents have set document.domain to the same value and
245 // that the scheme of the URLs match.
246 //
247 // This matches the behavior of Firefox 2 and Internet Explorer 6.
248 //
249 // Internet Explorer 7 and Opera 9 are more strict in that they require
250 // the port numbers to match when both pages have document.domain set.
251 //
252 // FIXME: Evaluate whether we can tighten this policy to require matched
253 // port numbers.
254 //
255 // Opera 9 allows access when only one page has set document.domain, but
256 // this is a security vulnerability.
257
258 bool canAccess = false;
259 if (m_protocol == other->m_protocol) {
260 if (!m_domainWasSetInDOM && !other->m_domainWasSetInDOM) {
261 if (m_host == other->m_host && m_port == other->m_port)
262 canAccess = true;
263 } else if (m_domainWasSetInDOM && other->m_domainWasSetInDOM) {
264 if (m_domain == other->m_domain)
265 canAccess = true;
266 }
267 }
268
269 if (canAccess && isLocal())
270 canAccess = passesFileCheck(other);
271
272 return canAccess;
273 }
274
passesFileCheck(const SecurityOrigin * other) const275 bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const
276 {
277 ASSERT(isLocal() && other->isLocal());
278
279 if (!m_enforceFilePathSeparation && !other->m_enforceFilePathSeparation)
280 return true;
281
282 return (m_filePath == other->m_filePath);
283 }
284
canRequest(const KURL & url) const285 bool SecurityOrigin::canRequest(const KURL& url) const
286 {
287 if (m_universalAccess)
288 return true;
289
290 if (cachedOrigin(url) == this)
291 return true;
292
293 if (isUnique())
294 return false;
295
296 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
297
298 if (targetOrigin->isUnique())
299 return false;
300
301 // We call isSameSchemeHostPort here instead of canAccess because we want
302 // to ignore document.domain effects.
303 if (isSameSchemeHostPort(targetOrigin.get()))
304 return true;
305
306 if (SecurityPolicy::isAccessWhiteListed(this, targetOrigin.get()))
307 return true;
308
309 return false;
310 }
311
taintsCanvas(const KURL & url) const312 bool SecurityOrigin::taintsCanvas(const KURL& url) const
313 {
314 if (canRequest(url))
315 return false;
316
317 // This function exists because we treat data URLs as having a unique origin,
318 // contrary to the current (9/19/2009) draft of the HTML5 specification.
319 // We still want to let folks paint data URLs onto untainted canvases, so
320 // we special case data URLs below. If we change to match HTML5 w.r.t.
321 // data URL security, then we can remove this function in favor of
322 // !canRequest.
323 if (url.protocolIsData())
324 return false;
325
326 return true;
327 }
328
canReceiveDragData(const SecurityOrigin * dragInitiator) const329 bool SecurityOrigin::canReceiveDragData(const SecurityOrigin* dragInitiator) const
330 {
331 if (this == dragInitiator)
332 return true;
333
334 return canAccess(dragInitiator);
335 }
336
337 // This is a hack to allow keep navigation to http/https feeds working. To remove this
338 // we need to introduce new API akin to registerURLSchemeAsLocal, that registers a
339 // protocols navigation policy.
340 // feed(|s|search): is considered a 'nesting' scheme by embedders that support it, so it can be
341 // local or remote depending on what is nested. Currently we just check if we are nesting
342 // http or https, otherwise we ignore the nesting for the purpose of a security check. We need
343 // a facility for registering nesting schemes, and some generalized logic for them.
344 // This function should be removed as an outcome of https://bugs.webkit.org/show_bug.cgi?id=69196
isFeedWithNestedProtocolInHTTPFamily(const KURL & url)345 static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url)
346 {
347 const String& urlString = url.string();
348 if (!urlString.startsWith("feed", false))
349 return false;
350
351 return urlString.startsWith("feed://", false)
352 || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false)
353 || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false)
354 || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false);
355 }
356
canDisplay(const KURL & url) const357 bool SecurityOrigin::canDisplay(const KURL& url) const
358 {
359 if (m_universalAccess)
360 return true;
361
362 String protocol = url.protocol().lower();
363
364 if (isFeedWithNestedProtocolInHTTPFamily(url))
365 return true;
366
367 if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol))
368 return canRequest(url);
369
370 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol))
371 return m_protocol == protocol || SecurityPolicy::isAccessToURLWhiteListed(this, url);
372
373 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol))
374 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteListed(this, url);
375
376 return true;
377 }
378
canAccessFeatureRequiringSecureOrigin() const379 bool SecurityOrigin::canAccessFeatureRequiringSecureOrigin() const
380 {
381 ASSERT(m_protocol != "data");
382 return SchemeRegistry::shouldTreatURLSchemeAsSecure(m_protocol) || isLocal() || isLocalhost();
383 }
384
canShowNotifications() const385 SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const
386 {
387 if (m_universalAccess)
388 return AlwaysAllow;
389 if (isUnique())
390 return AlwaysDeny;
391 return Ask;
392 }
393
grantLoadLocalResources()394 void SecurityOrigin::grantLoadLocalResources()
395 {
396 // Granting privileges to some, but not all, documents in a SecurityOrigin
397 // is a security hazard because the documents without the privilege can
398 // obtain the privilege by injecting script into the documents that have
399 // been granted the privilege.
400 m_canLoadLocalResources = true;
401 }
402
grantUniversalAccess()403 void SecurityOrigin::grantUniversalAccess()
404 {
405 m_universalAccess = true;
406 }
407
enforceFilePathSeparation()408 void SecurityOrigin::enforceFilePathSeparation()
409 {
410 ASSERT(isLocal());
411 m_enforceFilePathSeparation = true;
412 }
413
isLocal() const414 bool SecurityOrigin::isLocal() const
415 {
416 return SchemeRegistry::shouldTreatURLSchemeAsLocal(m_protocol);
417 }
418
isLocalhost() const419 bool SecurityOrigin::isLocalhost() const
420 {
421 if (m_host == "localhost")
422 return true;
423
424 if (m_host == "[::1]")
425 return true;
426
427 // Test if m_host matches 127.0.0.1/8
428 ASSERT(m_host.containsOnlyASCII());
429 CString hostAscii = m_host.ascii();
430 Vector<uint8, 4> ipNumber;
431 ipNumber.resize(4);
432
433 int numComponents;
434 url::Component hostComponent(0, hostAscii.length());
435 url::CanonHostInfo::Family family = url::IPv4AddressToNumber(
436 hostAscii.data(), hostComponent, &(ipNumber)[0], &numComponents);
437 if (family != url::CanonHostInfo::IPV4)
438 return false;
439 return ipNumber[0] == 127;
440 }
441
toString() const442 String SecurityOrigin::toString() const
443 {
444 if (isUnique())
445 return "null";
446 if (m_protocol == "file" && m_enforceFilePathSeparation)
447 return "null";
448 return toRawString();
449 }
450
toAtomicString() const451 AtomicString SecurityOrigin::toAtomicString() const
452 {
453 if (isUnique())
454 return AtomicString("null", AtomicString::ConstructFromLiteral);
455 if (m_protocol == "file" && m_enforceFilePathSeparation)
456 return AtomicString("null", AtomicString::ConstructFromLiteral);
457 return toRawAtomicString();
458 }
459
toRawString() const460 String SecurityOrigin::toRawString() const
461 {
462 if (m_protocol == "file")
463 return "file://";
464
465 StringBuilder result;
466 buildRawString(result);
467 return result.toString();
468 }
469
toRawAtomicString() const470 AtomicString SecurityOrigin::toRawAtomicString() const
471 {
472 if (m_protocol == "file")
473 return AtomicString("file://", AtomicString::ConstructFromLiteral);
474
475 StringBuilder result;
476 buildRawString(result);
477 return result.toAtomicString();
478 }
479
buildRawString(StringBuilder & builder) const480 inline void SecurityOrigin::buildRawString(StringBuilder& builder) const
481 {
482 builder.reserveCapacity(m_protocol.length() + m_host.length() + 10);
483 builder.append(m_protocol);
484 builder.appendLiteral("://");
485 builder.append(m_host);
486
487 if (m_port) {
488 builder.append(':');
489 builder.appendNumber(m_port);
490 }
491 }
492
createFromString(const String & originString)493 PassRefPtr<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
494 {
495 return SecurityOrigin::create(KURL(KURL(), originString));
496 }
497
create(const String & protocol,const String & host,int port)498 PassRefPtr<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, int port)
499 {
500 if (port < 0 || port > MaxAllowedPort)
501 return createUnique();
502 String decodedHost = decodeURLEscapeSequences(host);
503 return create(KURL(KURL(), protocol + "://" + host + ":" + String::number(port) + "/"));
504 }
505
isSameSchemeHostPort(const SecurityOrigin * other) const506 bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin* other) const
507 {
508 if (m_host != other->m_host)
509 return false;
510
511 if (m_protocol != other->m_protocol)
512 return false;
513
514 if (m_port != other->m_port)
515 return false;
516
517 if (isLocal() && !passesFileCheck(other))
518 return false;
519
520 return true;
521 }
522
urlWithUniqueSecurityOrigin()523 const String& SecurityOrigin::urlWithUniqueSecurityOrigin()
524 {
525 ASSERT(isMainThread());
526 DEFINE_STATIC_LOCAL(const String, uniqueSecurityOriginURL, ("data:,"));
527 return uniqueSecurityOriginURL;
528 }
529
530 } // namespace WebCore
531