1/*
2 * Copyright (C) 2007,2008 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1.  Redistributions of source code must retain the above copyright
9 *     notice, this list of conditions and the following disclaimer.
10 * 2.  Redistributions in binary form must reproduce the above copyright
11 *     notice, this list of conditions and the following disclaimer in the
12 *     documentation and/or other materials provided with the distribution.
13 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 *     its contributors may be used to endorse or promote products derived
15 *     from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#ifndef SecurityOrigin_h
30#define SecurityOrigin_h
31
32#include <wtf/HashSet.h>
33#include <wtf/RefCounted.h>
34#include <wtf/PassRefPtr.h>
35#include <wtf/Threading.h>
36
37#include "FrameLoaderTypes.h"
38#include "PlatformString.h"
39#include "StringHash.h"
40
41namespace WebCore {
42
43typedef HashSet<String, CaseFoldingHash> URLSchemesMap;
44
45class Document;
46class KURL;
47
48class SecurityOrigin : public ThreadSafeShared<SecurityOrigin> {
49public:
50    static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&);
51    static PassRefPtr<SecurityOrigin> createFromString(const String&);
52    static PassRefPtr<SecurityOrigin> create(const KURL&, SandboxFlags = SandboxNone);
53    static PassRefPtr<SecurityOrigin> createEmpty();
54
55    // Create a deep copy of this SecurityOrigin. This method is useful
56    // when marshalling a SecurityOrigin to another thread.
57    PassRefPtr<SecurityOrigin> threadsafeCopy();
58
59    // Set the domain property of this security origin to newDomain. This
60    // function does not check whether newDomain is a suffix of the current
61    // domain. The caller is responsible for validating newDomain.
62    void setDomainFromDOM(const String& newDomain);
63    bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
64
65    static void setDomainRelaxationForbiddenForURLScheme(bool forbidden, const String&);
66    static bool isDomainRelaxationForbiddenForURLScheme(const String&);
67
68    String protocol() const { return m_protocol; }
69    String host() const { return m_host; }
70    String domain() const { return m_domain; }
71    unsigned short port() const { return m_port; }
72
73    // Returns true if this SecurityOrigin can script objects in the given
74    // SecurityOrigin. For example, call this function before allowing
75    // script from one security origin to read or write objects from
76    // another SecurityOrigin.
77    bool canAccess(const SecurityOrigin*) const;
78
79    // Returns true if this SecurityOrigin can read content retrieved from
80    // the given URL. For example, call this function before issuing
81    // XMLHttpRequests.
82    bool canRequest(const KURL&) const;
83
84    // Returns true if drawing an image from this URL taints a canvas from
85    // this security origin. For example, call this function before
86    // drawing an image onto an HTML canvas element with the drawImage API.
87    bool taintsCanvas(const KURL&) const;
88
89    // Returns true for any non-local URL. If document parameter is supplied,
90    // its local load policy dictates, otherwise if referrer is non-empty and
91    // represents a local file, then the local load is allowed.
92    static bool canLoad(const KURL&, const String& referrer, Document* document);
93
94    // Returns true if this SecurityOrigin can load local resources, such
95    // as images, iframes, and style sheets, and can link to local URLs.
96    // For example, call this function before creating an iframe to a
97    // file:// URL.
98    //
99    // Note: A SecurityOrigin might be allowed to load local resources
100    //       without being able to issue an XMLHttpRequest for a local URL.
101    //       To determine whether the SecurityOrigin can issue an
102    //       XMLHttpRequest for a URL, call canRequest(url).
103    bool canLoadLocalResources() const { return m_canLoadLocalResources; }
104
105    // Explicitly grant the ability to load local resources to this
106    // SecurityOrigin.
107    //
108    // Note: This method exists only to support backwards compatibility
109    //       with older versions of WebKit.
110    void grantLoadLocalResources();
111
112    // Explicitly grant the ability to access very other SecurityOrigin.
113    //
114    // WARNING: This is an extremely powerful ability. Use with caution!
115    void grantUniversalAccess();
116
117    bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; }
118
119    bool canAccessDatabase() const { return !isUnique(); }
120    bool canAccessStorage() const { return !isUnique(); }
121    bool canAccessCookies() const { return !isUnique(); }
122
123    bool isSecureTransitionTo(const KURL&) const;
124
125    // The local SecurityOrigin is the most privileged SecurityOrigin.
126    // The local SecurityOrigin can script any document, navigate to local
127    // resources, and can set arbitrary headers on XMLHttpRequests.
128    bool isLocal() const;
129
130    // The empty SecurityOrigin is the least privileged SecurityOrigin.
131    bool isEmpty() const;
132
133    // The origin is a globally unique identifier assigned when the Document is
134    // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
135    //
136    // There's a subtle difference between a unique origin and an origin that
137    // has the SandboxOrigin flag set. The latter implies the former, and, in
138    // addition, the SandboxOrigin flag is inherited by iframes.
139    bool isUnique() const { return m_isUnique; }
140
141    // Convert this SecurityOrigin into a string. The string
142    // representation of a SecurityOrigin is similar to a URL, except it
143    // lacks a path component. The string representation does not encode
144    // the value of the SecurityOrigin's domain property.
145    //
146    // When using the string value, it's important to remember that it might be
147    // "null". This happens when this SecurityOrigin is unique. For example,
148    // this SecurityOrigin might have come from a sandboxed iframe, the
149    // SecurityOrigin might be empty, or we might have explicitly decided that
150    // we shouldTreatURLSchemeAsNoAccess.
151    String toString() const;
152
153    // Serialize the security origin to a string that could be used as part of
154    // file names. This format should be used in storage APIs only.
155    String databaseIdentifier() const;
156
157    // This method checks for equality between SecurityOrigins, not whether
158    // one origin can access another. It is used for hash table keys.
159    // For access checks, use canAccess().
160    // FIXME: If this method is really only useful for hash table keys, it
161    // should be refactored into SecurityOriginHash.
162    bool equal(const SecurityOrigin*) const;
163
164    // This method checks for equality, ignoring the value of document.domain
165    // (and whether it was set) but considering the host. It is used for postMessage.
166    bool isSameSchemeHostPort(const SecurityOrigin*) const;
167
168    static void registerURLSchemeAsLocal(const String&);
169    static void removeURLSchemeRegisteredAsLocal(const String&);
170    static const URLSchemesMap& localURLSchemes();
171    static bool shouldTreatURLAsLocal(const String&);
172    static bool shouldTreatURLSchemeAsLocal(const String&);
173
174    static bool shouldHideReferrer(const KURL&, const String& referrer);
175
176    enum LocalLoadPolicy {
177        AllowLocalLoadsForAll, // No restriction on local loads.
178        AllowLocalLoadsForLocalAndSubstituteData,
179        AllowLocalLoadsForLocalOnly,
180    };
181    static void setLocalLoadPolicy(LocalLoadPolicy);
182    static bool restrictAccessToLocal();
183    static bool allowSubstituteDataAccessToLocal();
184
185    static void registerURLSchemeAsNoAccess(const String&);
186    static bool shouldTreatURLSchemeAsNoAccess(const String&);
187
188    static void whiteListAccessFromOrigin(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains);
189    static void resetOriginAccessWhiteLists();
190
191private:
192    SecurityOrigin(const KURL&, SandboxFlags);
193    explicit SecurityOrigin(const SecurityOrigin*);
194
195    SandboxFlags m_sandboxFlags;
196    String m_protocol;
197    String m_host;
198    String m_domain;
199    unsigned short m_port;
200    bool m_isUnique;
201    bool m_universalAccess;
202    bool m_domainWasSetInDOM;
203    bool m_canLoadLocalResources;
204};
205
206} // namespace WebCore
207
208#endif // SecurityOrigin_h
209