1/*
2 * Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1.  Redistributions of source code must retain the above copyright
9 *     notice, this list of conditions and the following disclaimer.
10 * 2.  Redistributions in binary form must reproduce the above copyright
11 *     notice, this list of conditions and the following disclaimer in the
12 *     documentation and/or other materials provided with the distribution.
13 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 *     its contributors may be used to endorse or promote products derived
15 *     from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#ifndef SecurityOrigin_h
30#define SecurityOrigin_h
31
32#include "FrameLoaderTypes.h"
33#include "PlatformString.h"
34#include <wtf/ThreadSafeRefCounted.h>
35
36namespace WebCore {
37
38class Document;
39class KURL;
40
41class SecurityOrigin : public ThreadSafeRefCounted<SecurityOrigin> {
42public:
43    static PassRefPtr<SecurityOrigin> createFromDatabaseIdentifier(const String&);
44    static PassRefPtr<SecurityOrigin> createFromString(const String&);
45    static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port);
46    static PassRefPtr<SecurityOrigin> create(const KURL&, SandboxFlags = SandboxNone);
47    static PassRefPtr<SecurityOrigin> createEmpty();
48
49    // Create a deep copy of this SecurityOrigin. This method is useful
50    // when marshalling a SecurityOrigin to another thread.
51    PassRefPtr<SecurityOrigin> threadsafeCopy();
52
53    // Set the domain property of this security origin to newDomain. This
54    // function does not check whether newDomain is a suffix of the current
55    // domain. The caller is responsible for validating newDomain.
56    void setDomainFromDOM(const String& newDomain);
57    bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
58
59    static void setDomainRelaxationForbiddenForURLScheme(bool forbidden, const String&);
60    static bool isDomainRelaxationForbiddenForURLScheme(const String&);
61
62    String protocol() const { return m_protocol; }
63    String host() const { return m_host; }
64    String domain() const { return m_domain; }
65    unsigned short port() const { return m_port; }
66
67    // Returns true if this SecurityOrigin can script objects in the given
68    // SecurityOrigin. For example, call this function before allowing
69    // script from one security origin to read or write objects from
70    // another SecurityOrigin.
71    bool canAccess(const SecurityOrigin*) const;
72
73    // Returns true if this SecurityOrigin can read content retrieved from
74    // the given URL. For example, call this function before issuing
75    // XMLHttpRequests.
76    bool canRequest(const KURL&) const;
77
78    // Returns true if drawing an image from this URL taints a canvas from
79    // this security origin. For example, call this function before
80    // drawing an image onto an HTML canvas element with the drawImage API.
81    bool taintsCanvas(const KURL&) const;
82
83    // Returns true if this SecurityOrigin can receive drag content from the
84    // initiator. For example, call this function before allowing content to be
85    // dropped onto a target.
86    bool canReceiveDragData(const SecurityOrigin* dragInitiator) const;
87
88    // Returns true if |document| can display content from the given URL (e.g.,
89    // in an iframe or as an image). For example, web sites generally cannot
90    // display content from the user's files system.
91    bool canDisplay(const KURL&) const;
92
93    // Returns true if this SecurityOrigin can load local resources, such
94    // as images, iframes, and style sheets, and can link to local URLs.
95    // For example, call this function before creating an iframe to a
96    // file:// URL.
97    //
98    // Note: A SecurityOrigin might be allowed to load local resources
99    //       without being able to issue an XMLHttpRequest for a local URL.
100    //       To determine whether the SecurityOrigin can issue an
101    //       XMLHttpRequest for a URL, call canRequest(url).
102    bool canLoadLocalResources() const { return m_canLoadLocalResources; }
103
104    // Explicitly grant the ability to load local resources to this
105    // SecurityOrigin.
106    //
107    // Note: This method exists only to support backwards compatibility
108    //       with older versions of WebKit.
109    void grantLoadLocalResources();
110
111    // Explicitly grant the ability to access very other SecurityOrigin.
112    //
113    // WARNING: This is an extremely powerful ability. Use with caution!
114    void grantUniversalAccess();
115
116    bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; }
117
118    bool canAccessDatabase() const { return !isUnique(); }
119    bool canAccessLocalStorage() const { return !isUnique(); }
120    bool canAccessCookies() const { return !isUnique(); }
121    bool canAccessPasswordManager() const { return !isUnique(); }
122    bool canAccessFileSystem() const { return !isUnique(); }
123
124    // Technically, we should always allow access to sessionStorage, but we
125    // currently don't handle creating a sessionStorage area for unique
126    // origins.
127    bool canAccessSessionStorage() const { return !isUnique(); }
128
129    bool isSecureTransitionTo(const KURL&) const;
130
131    // The local SecurityOrigin is the most privileged SecurityOrigin.
132    // The local SecurityOrigin can script any document, navigate to local
133    // resources, and can set arbitrary headers on XMLHttpRequests.
134    bool isLocal() const;
135
136    // The origin is a globally unique identifier assigned when the Document is
137    // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
138    //
139    // There's a subtle difference between a unique origin and an origin that
140    // has the SandboxOrigin flag set. The latter implies the former, and, in
141    // addition, the SandboxOrigin flag is inherited by iframes.
142    bool isUnique() const { return m_isUnique; }
143
144    // The empty SecurityOrigin is a unique security orign (in the sense of
145    // isUnique above) that was created for a "blank" document, such about
146    // about:blank. Empty origins differ from unique origins in that they can
147    // sometimes be replaced by non-empty origins, for example when an
148    // about:blank iframe inherits its security origin from its parent frame.
149    bool isEmpty() const;
150
151    // Marks a file:// origin as being in a domain defined by its path.
152    void enforceFilePathSeparation();
153
154    // Convert this SecurityOrigin into a string. The string
155    // representation of a SecurityOrigin is similar to a URL, except it
156    // lacks a path component. The string representation does not encode
157    // the value of the SecurityOrigin's domain property.
158    //
159    // When using the string value, it's important to remember that it might be
160    // "null". This happens when this SecurityOrigin is unique. For example,
161    // this SecurityOrigin might have come from a sandboxed iframe, the
162    // SecurityOrigin might be empty, or we might have explicitly decided that
163    // we shouldTreatURLSchemeAsNoAccess.
164    String toString() const;
165
166    // Serialize the security origin to a string that could be used as part of
167    // file names. This format should be used in storage APIs only.
168    String databaseIdentifier() const;
169
170    // This method checks for equality between SecurityOrigins, not whether
171    // one origin can access another. It is used for hash table keys.
172    // For access checks, use canAccess().
173    // FIXME: If this method is really only useful for hash table keys, it
174    // should be refactored into SecurityOriginHash.
175    bool equal(const SecurityOrigin*) const;
176
177    // This method checks for equality, ignoring the value of document.domain
178    // (and whether it was set) but considering the host. It is used for postMessage.
179    bool isSameSchemeHostPort(const SecurityOrigin*) const;
180
181    static bool shouldHideReferrer(const KURL&, const String& referrer);
182
183    enum LocalLoadPolicy {
184        AllowLocalLoadsForAll, // No restriction on local loads.
185        AllowLocalLoadsForLocalAndSubstituteData,
186        AllowLocalLoadsForLocalOnly,
187    };
188    static void setLocalLoadPolicy(LocalLoadPolicy);
189    static bool restrictAccessToLocal();
190    static bool allowSubstituteDataAccessToLocal();
191
192    static void addOriginAccessWhitelistEntry(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains);
193    static void removeOriginAccessWhitelistEntry(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomains, bool allowDestinationSubdomains);
194    static void resetOriginAccessWhitelists();
195
196private:
197    SecurityOrigin(const KURL&, SandboxFlags);
198    explicit SecurityOrigin(const SecurityOrigin*);
199
200    // FIXME: Rename this function to something more semantic.
201    bool passesFileCheck(const SecurityOrigin*) const;
202
203    bool isAccessWhiteListed(const SecurityOrigin*) const;
204    bool isAccessToURLWhiteListed(const KURL&) const;
205
206    SandboxFlags m_sandboxFlags;
207    String m_protocol;
208    String m_host;
209    mutable String m_encodedHost;
210    String m_domain;
211    String m_filePath;
212    unsigned short m_port;
213    bool m_isUnique;
214    bool m_universalAccess;
215    bool m_domainWasSetInDOM;
216    bool m_canLoadLocalResources;
217    bool m_enforceFilePathSeparation;
218};
219
220} // namespace WebCore
221
222#endif // SecurityOrigin_h
223