Changeset 19952 in webkit

Timestamp:

Mar 2, 2007, 6:18:43 PM (18 years ago)

Author:

kmccullo

Message:

LayoutTests:

Reviewed by Geoff.

• rdar://problem/4922454
• This fixes a security issue by making remote referrers not able to access local resources, unless they register their schemes to be treated as local. The result is that those schemes can access local resources and cannot be accessed by remote referrers. Because this behavior is new a link-on-or-after check is made to determine if the app should use the older, less safe, behavior.

• fast/loader/local-CSS-from-local-expected.txt: Added.
• fast/loader/local-CSS-from-local.html: Added.
• fast/loader/local-JavaScript-from-local-expected.txt: Added.
• fast/loader/local-JavaScript-from-local.html: Added.
• fast/loader/local-iFrame-source-from-local-expected.txt: Added.
• fast/loader/local-iFrame-source-from-local.html: Added.
• fast/loader/local-image-from-local-expected.txt: Added.
• fast/loader/local-image-from-local.html: Added.
• http/tests/security/local-CSS-from-remote-expected.txt: Added.
• http/tests/security/local-CSS-from-remote.html: Added.
• http/tests/security/local-JavaScript-from-remote-expected.txt: Added.
• http/tests/security/local-JavaScript-from-remote.html: Added.
• http/tests/security/local-iFrame-from-remote-expected.txt: Added.
• http/tests/security/local-iFrame-from-remote.html: Added.
• http/tests/security/local-image-from-remote-expected.txt: Added.
• http/tests/security/local-image-from-remote.html: Added.
• http/tests/security/resources/compass.jpg: Added.
• http/tests/security/resources/cssStyle.css: Added.
• http/tests/security/resources/localPage.html: Added.
• http/tests/security/resources/localScript.js: Added.

WebCore:

Reviewed by Geoff.

• rdar://problem/4922454
• This fixes a security issue by making remote referrers not able to access local resources, unless they register their schemes to be treated as local. The result is that those schemes can access local resources and cannot be accessed by remote referrers. Because this behavior is new a link-on-or-after check is made to determine if the app should use the older, less safe, behavior.

• WebCore.exp: added exported functions
• bindings/objc/DOM.mm: consolodated function to base class (-[DOMElement image]): (-[DOMElement _imageTIFFRepresentation]):
• dom/Document.cpp: Cache the document's ability to load local resources. (WebCore::Document::Document): (WebCore::Document::setURL): (WebCore::Document::shouldBeAllowedToLoadLocalResources): (WebCore::Document::stylesheetLoaded):
• dom/Document.h: Cache the docuent's ability to load local resources. (WebCore::Document::getPendingSheet): (WebCore::Document::isAllowedToLoadLocalResources):
• html/HTMLImageLoader.cpp: Moved functionality into base class. (WebCore::HTMLImageLoader::updateFromElement): (WebCore::HTMLImageLoader::dispatchLoadEvent):
• html/HTMLLinkElement.cpp: Handles null returns correctly now.
• html/HTMLTokenizer.cpp: Moved functionality into base class. (WebCore::HTMLTokenizer::notifyFinished):
• ksvg2/misc/SVGImageLoader.cpp: Moved functionality into base class. (WebCore::SVGImageLoader::dispatchLoadEvent):
• loader/Cache.cpp: Checks if the cached resource can be loaded. (WebCore::Cache::requestResource):
• loader/CachedCSSStyleSheet.cpp: Moved functionality into base class. (WebCore::CachedCSSStyleSheet::ref): (WebCore::CachedCSSStyleSheet::error):
• loader/CachedImage.cpp: Moved functionality into base class. (WebCore::CachedImage::CachedImage):
• loader/CachedImage.h: Moved functionality into base class. (WebCore::CachedImage::canRender):
• loader/CachedResource.cpp: Cache if the CachedResource should be treated as local (WebCore::CachedResource::CachedResource):
• loader/CachedResource.h: Moved functionality into base class. (WebCore::CachedResource::errorOccurred): (WebCore::CachedResource::shouldTreatAsLocal):
• loader/CachedScript.cpp: Moved functionality into base class. (WebCore::CachedScript::CachedScript):
• loader/CachedScript.h: Moved functionality into base class. (WebCore::CachedScript::schedule):
• loader/CachedXBLDocument.cpp: Moved functionality into base class. (WebCore::CachedXBLDocument::error):
• loader/CachedXSLStyleSheet.cpp: Moved functionality into base class. (WebCore::CachedXSLStyleSheet::error):
• loader/FrameLoader.cpp: See comments for each function below. (WebCore::FrameLoader::loadSubframe): Use new canLoad. (WebCore::FrameLoader::restrictAccessToLocal): return value of linked-on-or-after check. (WebCore::FrameLoader::setRestrictAccessToLocal): set value for linked-on-or-after check. (WebCore::localSchemes): Return set of schemes that are to be treated as local. (WebCore::FrameLoader::loadPlugin): Use new canLoad. (WebCore::FrameLoader::canLoad): Now multiple functions that each do the same work but some can take advantage of the cached values, if they were computed previously. (WebCore::FrameLoader::shouldHideReferrer): Extracted out the logic to determine if the referrer should be hidden so it is only calculated when needed. (WebCore::FrameLoader::loadResourceSynchronously): No longer calls canLoad to get hideReferrer info. (WebCore::FrameLoader::registerSchemeAsLocal): Functionality to register a scheme to be treated as local. (WebCore::FrameLoader::treatURLAsLocal): Given a URL this function determines if it should be treated as local.
• loader/FrameLoader.h: Declared functions for this security fix. See above.
• loader/MainResourceLoader.cpp: Optized order of bools to regain performance. (WebCore::MainResourceLoader::continueAfterContentPolicy):
• loader/SubresourceLoader.cpp: Now restricts remote from loading local resources. (WebCore::SubresourceLoader::create):
• page/EventHandler.cpp: Moved functionality into base class. (WebCore::selectCursor):
• platform/KURL.cpp: KURLs need to check all the registered schemes now. (WebCore::KURL::isLocalFile):
• rendering/HitTestResult.cpp: Moved functionality into base class. (WebCore::HitTestResult::image):
• rendering/RenderImage.cpp: Moved functionality into base class. (WebCore::RenderImage::setCachedImage): (WebCore::RenderImage::imageChanged): (WebCore::RenderImage::paint): (WebCore::RenderImage::layout): (WebCore::RenderImage::calcAspectRatioWidth): (WebCore::RenderImage::calcAspectRatioHeight):
• rendering/RenderImage.h: Moved functionality into base class. (WebCore::RenderImage::errorOccurred):
• rendering/RenderListItem.cpp: Moved functionality into base class. (WebCore::RenderListItem::setStyle):
• rendering/RenderListMarker.cpp: Moved functionality into base class. (WebCore::RenderListMarker::isImage):
• xml/xmlhttprequest.cpp: Check doc's cached value instead of determining independently. (WebCore::XMLHttpRequest::urlMatchesDocumentDomain):

WebKit:

Reviewed by Geoff.

• rdar://problem/4922454
• This fixes a security issue by making remote referrers not able to access local resources, unless they register their schemes to be treated as local. The result is that those schemes can access local resources and cannot be accessed by remote referrers. Because this behavior is new a link-on-or-after check is made to determine if the app should use the older, less safe, behavior.

• Misc/WebKitVersionChecks.h: added linked-on-or-after check
• Misc/WebNSAttributedStringExtras.mm: Moved functionalit into the base class. (fileWrapperForElement):
• Plugins/WebNetscapePluginStream.mm: uses new canLoad functions
• Plugins/WebPluginContainerCheck.mm: uses new canLoad functions (-[WebPluginContainerCheck _isForbiddenFileLoad]):
• WebView/WebView.mm: make linked-on-or-after check and cache value, exposes SPI for registering a scheme as local. (-[WebView _commonInitializationWithFrameName:groupName:]): (+[WebView registerSchemeAsLocal:]):
• WebView/WebViewPrivate.h: exposes SPI for registering a scheme as local.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/loader/local-CSS-from-local-expected.txt (added)
• LayoutTests/fast/loader/local-CSS-from-local.html (added)
• LayoutTests/fast/loader/local-JavaScript-from-local-expected.txt (added)
• LayoutTests/fast/loader/local-JavaScript-from-local.html (added)
• LayoutTests/fast/loader/local-iFrame-source-from-local-expected.txt (added)
• LayoutTests/fast/loader/local-iFrame-source-from-local.html (added)
• LayoutTests/fast/loader/local-image-from-local-expected.txt (added)
• LayoutTests/fast/loader/local-image-from-local.html (added)
• LayoutTests/http/tests/security/local-CSS-from-remote-expected.txt (added)
• LayoutTests/http/tests/security/local-CSS-from-remote.html (added)
• LayoutTests/http/tests/security/local-JavaScript-from-remote-expected.txt (added)
• LayoutTests/http/tests/security/local-JavaScript-from-remote.html (added)
• LayoutTests/http/tests/security/local-iFrame-from-remote-expected.txt (added)
• LayoutTests/http/tests/security/local-iFrame-from-remote.html (added)
• LayoutTests/http/tests/security/local-image-from-remote-expected.txt (added)
• LayoutTests/http/tests/security/local-image-from-remote.html (added)
• LayoutTests/http/tests/security/resources/compass.jpg (added)
• LayoutTests/http/tests/security/resources/cssStyle.css (added)
• LayoutTests/http/tests/security/resources/localPage.html (added)
• LayoutTests/http/tests/security/resources/localScript.js (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/WebCore.exp (modified) (3 diffs)
• WebCore/bindings/objc/DOM.mm (modified) (2 diffs)
• WebCore/dom/Document.cpp (modified) (4 diffs)
• WebCore/dom/Document.h (modified) (4 diffs)
• WebCore/html/HTMLImageLoader.cpp (modified) (1 diff)
• WebCore/html/HTMLLinkElement.cpp (modified) (2 diffs)
• WebCore/ksvg2/misc/SVGImageLoader.cpp (modified) (1 diff)
• WebCore/loader/Cache.cpp (modified) (2 diffs)
• WebCore/loader/CachedCSSStyleSheet.cpp (modified) (2 diffs)
• WebCore/loader/CachedImage.cpp (modified) (2 diffs)
• WebCore/loader/CachedImage.h (modified) (3 diffs)
• WebCore/loader/CachedResource.cpp (modified) (2 diffs)
• WebCore/loader/CachedResource.h (modified) (3 diffs)
• WebCore/loader/CachedScript.cpp (modified) (1 diff)
• WebCore/loader/CachedScript.h (modified) (2 diffs)
• WebCore/loader/CachedXBLDocument.cpp (modified) (1 diff)
• WebCore/loader/CachedXSLStyleSheet.cpp (modified) (1 diff)
• WebCore/loader/FrameLoader.cpp (modified) (7 diffs)
• WebCore/loader/FrameLoader.h (modified) (5 diffs)
• WebCore/loader/MainResourceLoader.cpp (modified) (1 diff)
• WebCore/loader/SubresourceLoader.cpp (modified) (1 diff)
• WebCore/page/DragController.cpp (modified) (1 diff)
• WebCore/page/EventHandler.cpp (modified) (1 diff)
• WebCore/platform/KURL.cpp (modified) (1 diff)
• WebCore/rendering/HitTestResult.cpp (modified) (1 diff)
• WebCore/rendering/RenderImage.cpp (modified) (8 diffs)
• WebCore/rendering/RenderImage.h (modified) (1 diff)
• WebCore/rendering/RenderListItem.cpp (modified) (1 diff)
• WebCore/rendering/RenderListMarker.cpp (modified) (1 diff)
• WebCore/xml/xmlhttprequest.cpp (modified) (1 diff)
• WebKit/ChangeLog (modified) (1 diff)
• WebKit/Misc/WebKitVersionChecks.h (modified) (1 diff)
• WebKit/Misc/WebNSAttributedStringExtras.mm (modified) (1 diff)
• WebKit/Plugins/WebNetscapePluginStream.mm (modified) (2 diffs)
• WebKit/Plugins/WebPluginContainerCheck.mm (modified) (1 diff)
• WebKit/WebView/WebView.mm (modified) (2 diffs)
• WebKit/WebView/WebViewPrivate.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2007-03-02  Kevin McCullough  <kmccullough@apple.com>
+
+        Reviewed by Geoff.
+
+        - rdar://problem/4922454
+        - This fixes a security issue by making remote referrers not able to access local
+        resources, unless they register their schemes to be treated as local. The result is
+        that those schemes can access local resources and cannot be accessed by remote
+        referrers.
+        Because this behavior is new a link-on-or-after check is made to determine if the
+        app should use the older, less safe, behavior.
+
+        * fast/loader/local-CSS-from-local-expected.txt: Added.
+        * fast/loader/local-CSS-from-local.html: Added.
+        * fast/loader/local-JavaScript-from-local-expected.txt: Added.
+        * fast/loader/local-JavaScript-from-local.html: Added.
+        * fast/loader/local-iFrame-source-from-local-expected.txt: Added.
+        * fast/loader/local-iFrame-source-from-local.html: Added.
+        * fast/loader/local-image-from-local-expected.txt: Added.
+        * fast/loader/local-image-from-local.html: Added.
+        * http/tests/security/local-CSS-from-remote-expected.txt: Added.
+        * http/tests/security/local-CSS-from-remote.html: Added.
+        * http/tests/security/local-JavaScript-from-remote-expected.txt: Added.
+        * http/tests/security/local-JavaScript-from-remote.html: Added.
+        * http/tests/security/local-iFrame-from-remote-expected.txt: Added.
+        * http/tests/security/local-iFrame-from-remote.html: Added.
+        * http/tests/security/local-image-from-remote-expected.txt: Added.
+        * http/tests/security/local-image-from-remote.html: Added.
+        * http/tests/security/resources/compass.jpg: Added.
+        * http/tests/security/resources/cssStyle.css: Added.
+        * http/tests/security/resources/localPage.html: Added.
+        * http/tests/security/resources/localScript.js: Added.
+
 2007-03-02  Justin Garcia  <justin.garcia@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2007-03-02  Kevin McCullough  <kmccullough@apple.com>
+
+        Reviewed by Geoff.
+
+        - rdar://problem/4922454
+        - This fixes a security issue by making remote referrers not able to access local
+        resources, unless they register their schemes to be treated as local. The result is
+        that those schemes can access local resources and cannot be accessed by remote
+        referrers.
+        Because this behavior is new a link-on-or-after check is made to determine if the
+        app should use the older, less safe, behavior.
+
+        * WebCore.exp: added exported functions
+        * bindings/objc/DOM.mm: consolodated function to base class
+        (-[DOMElement image]):
+        (-[DOMElement _imageTIFFRepresentation]):
+        * dom/Document.cpp: Cache the document's ability to load local resources.
+        (WebCore::Document::Document):
+        (WebCore::Document::setURL):
+        (WebCore::Document::shouldBeAllowedToLoadLocalResources):
+        (WebCore::Document::stylesheetLoaded):
+        * dom/Document.h: Cache the docuent's ability to load local resources.
+        (WebCore::Document::getPendingSheet):
+        (WebCore::Document::isAllowedToLoadLocalResources):
+        * html/HTMLImageLoader.cpp: Moved functionality into base class.
+        (WebCore::HTMLImageLoader::updateFromElement):
+        (WebCore::HTMLImageLoader::dispatchLoadEvent):
+        * html/HTMLLinkElement.cpp: Handles null returns correctly now.
+        * html/HTMLTokenizer.cpp: Moved functionality into base class.
+        (WebCore::HTMLTokenizer::notifyFinished):
+        * ksvg2/misc/SVGImageLoader.cpp: Moved functionality into base class.
+        (WebCore::SVGImageLoader::dispatchLoadEvent):
+        * loader/Cache.cpp: Checks if the cached resource can be loaded.
+        (WebCore::Cache::requestResource):
+        * loader/CachedCSSStyleSheet.cpp: Moved functionality into base class.
+        (WebCore::CachedCSSStyleSheet::ref):
+        (WebCore::CachedCSSStyleSheet::error):
+        * loader/CachedImage.cpp: Moved functionality into base class.
+        (WebCore::CachedImage::CachedImage):
+        * loader/CachedImage.h: Moved functionality into base class.
+        (WebCore::CachedImage::canRender):
+        * loader/CachedResource.cpp: Cache if the CachedResource should be treated as local
+        (WebCore::CachedResource::CachedResource):
+        * loader/CachedResource.h: Moved functionality into base class.
+        (WebCore::CachedResource::errorOccurred):
+        (WebCore::CachedResource::shouldTreatAsLocal):
+        * loader/CachedScript.cpp: Moved functionality into base class.
+        (WebCore::CachedScript::CachedScript):
+        * loader/CachedScript.h: Moved functionality into base class.
+        (WebCore::CachedScript::schedule):
+        * loader/CachedXBLDocument.cpp: Moved functionality into base class.
+        (WebCore::CachedXBLDocument::error):
+        * loader/CachedXSLStyleSheet.cpp: Moved functionality into base class.
+        (WebCore::CachedXSLStyleSheet::error):
+        * loader/FrameLoader.cpp: See comments for each function below.
+        (WebCore::FrameLoader::loadSubframe): Use new canLoad.
+        (WebCore::FrameLoader::restrictAccessToLocal): return value of linked-on-or-after check.
+        (WebCore::FrameLoader::setRestrictAccessToLocal): set value for linked-on-or-after check.
+        (WebCore::localSchemes): Return set of schemes that are to be treated as local.
+        (WebCore::FrameLoader::loadPlugin): Use new canLoad.
+        (WebCore::FrameLoader::canLoad): Now multiple functions that each do the same work but some can take advantage of the cached values, if they were computed previously.
+        (WebCore::FrameLoader::shouldHideReferrer): Extracted out the logic to determine if the referrer should be hidden so it is only calculated when needed.
+        (WebCore::FrameLoader::loadResourceSynchronously): No longer calls canLoad to get hideReferrer info.
+        (WebCore::FrameLoader::registerSchemeAsLocal): Functionality to register a scheme to be treated as local.
+        (WebCore::FrameLoader::treatURLAsLocal): Given a URL this function determines if it should be treated as local.
+        * loader/FrameLoader.h: Declared functions for this security fix.  See above.
+        * loader/MainResourceLoader.cpp: Optized order of bools to regain performance.
+        (WebCore::MainResourceLoader::continueAfterContentPolicy):
+        * loader/SubresourceLoader.cpp: Now restricts remote from loading local resources.
+        (WebCore::SubresourceLoader::create):
+        * page/EventHandler.cpp: Moved functionality into base class.
+        (WebCore::selectCursor):
+        * platform/KURL.cpp: KURLs need to check all the registered schemes now.
+        (WebCore::KURL::isLocalFile):
+        * rendering/HitTestResult.cpp: Moved functionality into base class.
+        (WebCore::HitTestResult::image):
+        * rendering/RenderImage.cpp: Moved functionality into base class.
+        (WebCore::RenderImage::setCachedImage):
+        (WebCore::RenderImage::imageChanged):
+        (WebCore::RenderImage::paint):
+        (WebCore::RenderImage::layout):
+        (WebCore::RenderImage::calcAspectRatioWidth):
+        (WebCore::RenderImage::calcAspectRatioHeight):
+        * rendering/RenderImage.h: Moved functionality into base class.
+        (WebCore::RenderImage::errorOccurred):
+        * rendering/RenderListItem.cpp: Moved functionality into base class.
+        (WebCore::RenderListItem::setStyle):
+        * rendering/RenderListMarker.cpp: Moved functionality into base class.
+        (WebCore::RenderListMarker::isImage):
+        * xml/xmlhttprequest.cpp: Check doc's cached value instead of determining independently.
+        (WebCore::XMLHttpRequest::urlMatchesDocumentDomain):
+
 2007-03-02  Justin Garcia  <justin.garcia@apple.com>
 

trunk/WebCore/WebCore.exp

@@ -146 +146 @@
 __ZN7WebCore11FrameLoader16detachFromParentEv
 __ZN7WebCore11FrameLoader18currentHistoryItemEv
+__ZN7WebCore11FrameLoader18shouldHideReferrerERKNS_4KURLERKNS_6StringE
 __ZN7WebCore11FrameLoader20continueLoadWithDataEPNS_12SharedBufferERKNS_6StringES5_RKNS_4KURLE
 __ZN7WebCore11FrameLoader21addPlugInStreamLoaderEPNS_14ResourceLoaderE
+__ZN7WebCore11FrameLoader21registerSchemeAsLocalERKNS_6StringE
 __ZN7WebCore11FrameLoader21setCurrentHistoryItemEN3WTF10PassRefPtrINS_11HistoryItemEEE
 __ZN7WebCore11FrameLoader22setPreviousHistoryItemEN3WTF10PassRefPtrINS_11HistoryItemEEE
@@ -153 +155 @@
 __ZN7WebCore11FrameLoader23timeOfLastCompletedLoadEv
 __ZN7WebCore11FrameLoader24removePlugInStreamLoaderEPNS_14ResourceLoaderE
+__ZN7WebCore11FrameLoader24setRestrictAccessToLocalEb
 __ZN7WebCore11FrameLoader25provisionalDocumentLoaderEv
 __ZN7WebCore11FrameLoader25setProvisionalHistoryItemEN3WTF10PassRefPtrINS_11HistoryItemEEE
@@ -167 +170 @@
 __ZN7WebCore11FrameLoader5clearEb
 __ZN7WebCore11FrameLoader6reloadEv
-__ZN7WebCore11FrameLoader7canLoadERKNS_4KURLERKNS_6StringERb
+__ZN7WebCore11FrameLoader7canLoadERKNS_4KURLEPKNS_8DocumentE
 __ZN7WebCore11HistoryItem12addChildItemEN3WTF10PassRefPtrIS0_EE
 __ZN7WebCore11HistoryItem12setURLStringERKNS_6StringE

trunk/WebCore/bindings/objc/DOM.mm

@@ -492 +492 @@
     if (renderer && renderer->isImage()) {
         WebCore::RenderImage* img = static_cast<WebCore::RenderImage*>(renderer);
-        if (img->cachedImage() && !img->cachedImage()->isErrorImage())
+        if (img->cachedImage() && !img->cachedImage()->errorOccurred())
             return img->cachedImage()->image()->getNSImage();
     }
@@ -517 +517 @@
     if (renderer && renderer->isImage()) {
         WebCore::RenderImage* img = static_cast<WebCore::RenderImage*>(renderer);
-        if (img->cachedImage() && !img->cachedImage()->isErrorImage())
+        if (img->cachedImage() && !img->cachedImage()->errorOccurred())
             return (NSData*)(img->cachedImage()->image()->getTIFFRepresentation());
     }

trunk/WebCore/dom/Document.cpp

@@ -300 +300 @@
     , m_createRenderers(true)
     , m_inPageCache(false)
+    , m_isAllowedToLoadLocalResources(false)
 {
     m_document.resetSkippingRef(this);
@@ -1252 +1253 @@
         setBaseURL(parent->baseURL());
     }
-    else
-        setURL(m_url);
 
     if ((frame() && frame()->loader()->isLoadingMainResource()) || (tokenizer() && tokenizer()->executingScript()))
@@ -1513 +1512 @@
 void Document::setURL(const DeprecatedString& url)
 {
+    if (url == m_url)
+        return;
+
     m_url = url;
     if (m_styleSelector)
         m_styleSelector->setEncodedURL(m_url);
+
+    m_isAllowedToLoadLocalResources = shouldBeAllowedToLoadLocalResources();
+ }
+ 
+bool Document::shouldBeAllowedToLoadLocalResources() const
+{
+    if (FrameLoader::shouldTreatURLAsLocal(m_url))
+        return true;
+
+    Frame* frame = this->frame();
+    if (!frame)
+        return false;
+    
+    DocumentLoader* documentLoader = frame->loader()->documentLoader();
+    if (!documentLoader)
+        return false;
+    
+    return documentLoader->substituteData().isValid();
 }
 
@@ -1881 +1901 @@
 #endif
 
-    updateStyleSelector();    
+    updateStyleSelector();
 }
 

trunk/WebCore/dom/Document.h

@@ -619 +619 @@
     String iconURL();
     void setIconURL(const String& iconURL, const String& type);
+
+    bool isAllowedToLoadLocalResources() const { return m_isAllowedToLoadLocalResources; }
+
 protected:
     CSSStyleSelector* m_styleSelector;
@@ -629 +632 @@
     DeprecatedString m_baseURL;
     String m_baseTarget;
-    
+
     RefPtr<DocumentType> m_docType;
     RefPtr<DOMImplementation> m_implementation;
@@ -784 +787 @@
 
 private:
+    bool shouldBeAllowedToLoadLocalResources() const;
+
     void updateTitle();
     void removeAllDisconnectedNodeEventListeners();
@@ -831 +836 @@
     bool m_inPageCache;
     String m_iconURL;
+
+    bool m_isAllowedToLoadLocalResources;
 };
 

trunk/WebCore/html/HTMLImageLoader.cpp

@@ -124 +124 @@
     if (!haveFiredLoadEvent() && image()) {
         setHaveFiredLoadEvent(true);
-        element()->dispatchHTMLEvent(image()->isErrorImage() ? errorEvent : loadEvent, false, false);
+        element()->dispatchHTMLEvent(image()->errorOccurred() ? errorEvent : loadEvent, false, false);
     }
 }

trunk/WebCore/html/HTMLLinkElement.cpp

@@ -180 +180 @@
             if (!isAlternate())
                 document()->addPendingSheet();
-            
+
             String chset = getAttribute(charsetAttr);
             if (chset.isEmpty() && document()->frame())
@@ -195 +195 @@
             if (m_cachedSheet)
                 m_cachedSheet->ref(this);
+            else if (!isAlternate()) { // request may have been denied if stylesheet is local and document is remote.
+                m_loading = false;
+                document()->stylesheetLoaded();
+            }
         }
     } else if (m_sheet) {

trunk/WebCore/ksvg2/misc/SVGImageLoader.cpp

@@ -71 +71 @@
     if (!haveFiredLoadEvent() && image()) {
         setHaveFiredLoadEvent(true);
-        if (image()->isErrorImage()) {
+        if (image()->errorOccurred()) {
             // FIXME: We're supposed to put the document in an "error state" per the spec.
         } else

trunk/WebCore/loader/Cache.cpp

@@ -35 +35 @@
 #include "DocLoader.h"
 #include "Document.h"
+#include "FrameLoader.h"
 #include "Image.h"
 #include "ResourceHandle.h"
@@ -88 +89 @@
     CachedResource* resource = m_resources.get(url.url());
 
-    if (!resource) {
+    if (resource) {
+        if (FrameLoader::restrictAccessToLocal()
+         && !FrameLoader::canLoad(*resource, docLoader->doc()))
+            return 0;
+    } else {
+        if (FrameLoader::restrictAccessToLocal()
+         && !FrameLoader::canLoad(url, docLoader->doc()))
+            return 0;
+
         // The resource does not exist.  Create it.
         resource = createResource(type, docLoader, url, expireDate, charset);

trunk/WebCore/loader/CachedCSSStyleSheet.cpp

@@ -60 +60 @@
 
     if (!m_loading)
-        c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), m_sheet);
+        c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), errorOccurred() ? "" : m_sheet);
 }
 
@@ -93 +93 @@
 {
     m_loading = false;
+    m_errorOccurred = true;
     checkNotify();
 }

trunk/WebCore/loader/CachedImage.cpp

@@ -57 +57 @@
 {
     m_image = 0;
-    m_errorOccurred = false;
     m_status = Unknown;
     if (!docLoader || docLoader->autoLoadImages())  {
@@ -71 +70 @@
 {
     m_image = image;
-    m_errorOccurred = false;
     m_status = Cached;
     m_loading = false;

trunk/WebCore/loader/CachedImage.h

@@ -48 +48 @@
     Image* image() const;
 
-    bool canRender() const { return !isErrorImage() && imageSize().width() > 0 && imageSize().height() > 0; }
+    bool canRender() const { return !errorOccurred() && imageSize().width() > 0 && imageSize().height() > 0; }
 
     IntSize imageSize() const;  // returns the size of the complete image
@@ -58 +58 @@
     virtual void data(Vector<char>&, bool allDataReceived);
     virtual void error();
-
-    bool isErrorImage() const { return m_errorOccurred; }
 
     virtual bool schedule() const { return true; }
@@ -81 +79 @@
     Image* m_image;
     int m_dataSize;
-    
-    bool m_errorOccurred : 1;
 
     friend class Cache;

trunk/WebCore/loader/CachedResource.cpp

@@ -31 +31 @@
 
 #include "Cache.h"
+#include "FrameLoader.h"
 #include "Request.h"
 #include <KURL.h>
@@ -55 +56 @@
     m_lruIndex = 0;
 #endif
+    m_errorOccurred = false;
+    m_shouldTreatAsLocal = FrameLoader::shouldTreatURLAsLocal(m_url);
 }
 

trunk/WebCore/loader/CachedResource.h

@@ -128 +128 @@
     void setAccept(const String& accept) { m_accept = accept; }
 
+    bool errorOccurred() const { return m_errorOccurred; }
+    bool treatAsLocal() const { return m_shouldTreatAsLocal; }
+
 protected:
     void setSize(unsigned size);
@@ -142 +145 @@
     Type m_type;
     Status m_status;
+
+    bool m_errorOccurred;
 
 private:
@@ -161 +166 @@
     CachedResource* m_prevInLRUList;
     friend class Cache;
+    
+    bool m_shouldTreatAsLocal;
 };
 

trunk/WebCore/loader/CachedScript.cpp

@@ -46 +46 @@
     // and refuse to serve them if we only accept application/x-javascript.
     setAccept("*/*");
-    m_errorOccurred = false;
     // load the file
     cache()->loader()->load(dl, this, false);

trunk/WebCore/loader/CachedScript.h

@@ -50 +50 @@
 
         virtual bool schedule() const { return false; }
-        
-        bool errorOccurred() const { return m_errorOccurred; }
 
         void checkNotify();
@@ -58 +56 @@
         String m_script;
         TextEncoding m_encoding;
-        bool m_errorOccurred;
     };
 }

trunk/WebCore/loader/CachedXBLDocument.cpp

@@ -104 +104 @@
 {
     m_loading = false;
+    m_errorOccurred = true;
     checkNotify();
 }

trunk/WebCore/loader/CachedXSLStyleSheet.cpp

@@ -93 +93 @@
 {
     m_loading = false;
+    m_errorOccurred = true;
     checkNotify();
 }

trunk/WebCore/loader/FrameLoader.cpp

@@ -83 +83 @@
 #include <kjs/object.h>
 
-using namespace KJS;
+using KJS::UString;
+using KJS::JSLock;
+using KJS::JSValue;
 
 namespace WebCore {
@@ -156 +158 @@
 
 static double storedTimeOfLastCompletedLoad;
+static bool m_restrictAccessToLocal = false;
 
 static bool getString(JSValue* result, String& string)
@@ -953 +956 @@
 }
 
+bool FrameLoader::restrictAccessToLocal()
+{
+    return m_restrictAccessToLocal;
+}
+
+void FrameLoader::setRestrictAccessToLocal(bool access)
+{
+    m_restrictAccessToLocal = access;
+}
+
+static HashSet<String, CaseInsensitiveHash<String> >& localSchemes()
+{
+    static HashSet<String, CaseInsensitiveHash<String> > localSchemes;
+
+    if (localSchemes.isEmpty()) {
+        localSchemes.add("file");
+        localSchemes.add("applewebdata");
+    }
+
+    return localSchemes;
+}
+
 void FrameLoader::commitIconURLToIconDatabase(const KURL& icon)
 {
@@ -1348 +1373 @@
             pluginElement = static_cast<Element*>(renderer->node());
 
-        bool hideReferrer;
-        if (!canLoad(url, outgoingReferrer(), hideReferrer))
+        if (!canLoad(url, frame()->document()))
             return false;
 
@@ -1864 +1888 @@
 bool FrameLoader::canLoad(const KURL& url, const String& referrer, bool& hideReferrer)
 {
-    bool referrerIsWebURL = referrer.startsWith("http:", false) || referrer.startsWith("https:", false);
-    bool referrerIsLocalURL = referrer.startsWith("file:", false) || referrer.startsWith("applewebdata:");
-    bool URLIsFileURL = url.protocol().startsWith("file", false);
+    hideReferrer = shouldHideReferrer(url, referrer);
+
+    if (!shouldTreatURLAsLocal(url.url()))
+        return true;
+
+    return shouldTreatURLAsLocal(referrer);
+}
+
+bool FrameLoader::canLoad(const KURL& url, const Document* doc)
+{
+    if (!shouldTreatURLAsLocal(url.url()))
+        return true;
+
+    return doc && doc->isAllowedToLoadLocalResources();
+}
+
+bool FrameLoader::canLoad(const CachedResource& resource, const Document* doc)
+{
+    if (!resource.treatAsLocal())
+        return true;
+
+    return doc && doc->isAllowedToLoadLocalResources();
+}
+
+bool FrameLoader::shouldHideReferrer(const KURL& url, const String& referrer)
+{
     bool referrerIsSecureURL = referrer.startsWith("https:", false);
-    bool URLIsSecureURL = url.protocol().startsWith("https", false);
-    
-    hideReferrer = !referrerIsWebURL || (referrerIsSecureURL && !URLIsSecureURL);
-    return !URLIsFileURL || referrerIsLocalURL;
+    bool referrerIsWebURL = referrerIsSecureURL || referrer.startsWith("http:", false);
+
+    if (!referrerIsWebURL)
+        return true;
+
+    if (!referrerIsSecureURL)
+        return false;
+
+    bool URLIsSecureURL = url.url().startsWith("https:", false);
+
+    return !URLIsSecureURL;
 }
 
@@ -2926 +2980 @@
     // But we still want to know whether we should hide the referrer or not, so we call the canLoad method.
     String referrer = m_outgoingReferrer;
-    bool hideReferrer;
-    canLoad(request.url(), referrer, hideReferrer);
-    if (hideReferrer)
+    if (shouldHideReferrer(request.url(), referrer))
         referrer = String();
     
@@ -4247 +4299 @@
 }
 
+void FrameLoader::registerSchemeAsLocal(const String& scheme)
+{
+    localSchemes().add(scheme);
+}
+
+bool FrameLoader::shouldTreatURLAsLocal(const String& url)
+{
+    // This avoids an allocation of another String and the HashSet containts()
+    // call for the file: and http: schemes.
+    if (url.length() >= 5) {
+        const UChar* s = url.characters();
+        if (s[0] == 'h' && s[1] == 't' && s[2] == 't' && s[3] == 'p' && s[4] == ':')
+            return false;
+        if (s[0] == 'f' && s[1] == 'i' && s[2] == 'l' && s[3] == 'e' && s[4] == ':')
+            return true;
+    }
+
+    int loc = url.find(':');
+    if (loc == -1)
+        return false;
+
+    String scheme = url.left(loc);
+    return localSchemes().contains(scheme);
+}
+
 } // namespace WebCore

trunk/WebCore/loader/FrameLoader.h

@@ -30 +30 @@
 #define FrameLoader_h
 
+#include "CachedResource.h"
 #include "CachePolicy.h"
 #include "FormState.h"
@@ -51 +52 @@
 
     class AuthenticationChallenge;
+    class Document;
     class DocumentLoader;
     class Element;
@@ -149 +151 @@
         void load(DocumentLoader*, FrameLoadType, PassRefPtr<FormState>);
 
-        bool canLoad(const KURL&, const String& referrer, bool& hideReferrer);
+        static bool canLoad(const KURL&, const String& referrer, bool& hideReferrer);
+        static bool canLoad(const KURL&, const Document*);
+        static bool canLoad(const CachedResource&, const Document*);
+
+        static bool shouldHideReferrer(const KURL& url, const String& referrer);
 
         Frame* createWindow(const FrameLoadRequest&, const WindowFeatures&);
@@ -391 +397 @@
         bool shouldGoToHistoryItem(HistoryItem*) const;
         bool shouldTreatURLAsSameAsCurrent(const KURL&) const;
-        
+
         void commitProvisionalLoad(PassRefPtr<PageCache>);
 
@@ -406 +412 @@
         void setPreviousHistoryItem(PassRefPtr<HistoryItem>);
         void setProvisionalHistoryItem(PassRefPtr<HistoryItem>);
-        
+
         void continueLoadWithData(SharedBuffer*, const String& mimeType, const String& textEncoding, const KURL&); 
+
+        static void registerSchemeAsLocal(const String& scheme);
+        static bool restrictAccessToLocal();
+        static void setRestrictAccessToLocal(bool);
+        static bool shouldTreatURLAsLocal(const String& url);
+
     private:        
         PassRefPtr<HistoryItem> createHistoryItem(bool useOriginal);

trunk/WebCore/loader/MainResourceLoader.cpp

@@ -182 +182 @@
     case PolicyUse: {
         // Prevent remote web archives from loading because they can claim to be from any domain and thus avoid cross-domain security checks (4120255).
-        bool isRemote = !url.isLocalFile();
-        isRemote = isRemote && !m_substituteData.isValid();
-        bool isRemoteWebArchive = isRemote && equalIgnoringCase("application/x-webarchive", mimeType);
+        bool isRemoteWebArchive = equalIgnoringCase("application/x-webarchive", mimeType) && !m_substituteData.isValid() && !url.isLocalFile();
         if (!frameLoader()->canShowMIMEType(mimeType) || isRemoteWebArchive) {
             frameLoader()->cannotShowMIMEType(r);

trunk/WebCore/loader/SubresourceLoader.cpp

@@ -92 +92 @@
 
     ResourceRequest newRequest = request;
-    
-    // Since this is a subresource, we can load any URL (we ignore the return value).
-    // But we still want to know whether we should hide the referrer or not, so we call the canLoadURL method.
-    // FIXME: is that really the rule we want for subresources?
-    bool hideReferrer;
-    fl->canLoad(request.url(), fl->outgoingReferrer(), hideReferrer);
-    if (hideReferrer)
+
+    // If linked-on-or-after check canLoad
+    if (FrameLoader::restrictAccessToLocal()
+    && !FrameLoader::canLoad(request.url(), frame->document()))
+        return 0;
+    
+    if (FrameLoader::shouldHideReferrer(request.url(), fl->outgoingReferrer()))
         newRequest.clearHTTPReferrer();
     else if (!request.httpReferrer())

trunk/WebCore/page/DragController.cpp

@@ -478 +478 @@
     
     RenderImage* image = static_cast<RenderImage*>(renderer);
-    if (image->cachedImage() && !image->cachedImage()->isErrorImage())
+    if (image->cachedImage() && !image->cachedImage()->errorOccurred())
         return image->cachedImage()->image();
     return 0;

trunk/WebCore/page/EventHandler.cpp

@@ -646 +646 @@
             if (cimage->image()->isNull())
                 break;
-            if (!cimage->isErrorImage()) {
+            if (!cimage->errorOccurred())
                 return Cursor(cimage->image(), hotSpot);
-}
         }
     }

trunk/WebCore/platform/KURL.cpp

@@ -793 +793 @@
 bool KURL::isLocalFile() const
 {
-    // FIXME - include feed: here too?
+    // Including feed here might be a bad idea since drag and drop uses this check
+    // and including feed would allow feeds to potentially let someone's blog
+    // read the contents of the clipboard on a drag, even without a drop.
+    // Likewise with using the FrameLoader::shouldTreatURLAsLocal() function.
     return protocol() == "file";
 }

trunk/WebCore/rendering/HitTestResult.cpp

@@ -198 +198 @@
     if (renderer && renderer->isImage()) {
         RenderImage* image = static_cast<WebCore::RenderImage*>(renderer);
-        if (image->cachedImage() && !image->cachedImage()->isErrorImage())
+        if (image->cachedImage() && !image->cachedImage()->errorOccurred())
             return image->cachedImage()->image();
     }

trunk/WebCore/rendering/RenderImage.cpp

@@ -71 +71 @@
     if (m_cachedImage) {
         m_cachedImage->ref(this);
-        if (m_cachedImage->isErrorImage())
+        if (m_cachedImage->errorOccurred())
             imageChanged(m_cachedImage);
     }
@@ -137 +137 @@
 
     // Set image dimensions, taking into account the size of the alt text.
-    if (newImage->isErrorImage())
+    if (newImage->errorOccurred())
         imageSizeChanged = setImageSizeForAltText(newImage);
     
@@ -144 +144 @@
     // Image dimensions have been changed, see what needs to be done
     if (newImage->imageSize().width() != intrinsicWidth() || newImage->imageSize().height() != intrinsicHeight() || imageSizeChanged) {
-        if (!newImage->isErrorImage()) {
+        if (!newImage->errorOccurred()) {
             setIntrinsicWidth(newImage->imageSize().width());
             setIntrinsicHeight(newImage->imageSize().height());
@@ -227 +227 @@
         return;
 
-    if (!m_cachedImage || image()->isNull() || isErrorImage()) {
+    if (!m_cachedImage || image()->isNull() || errorOccurred()) {
         if (paintInfo.phase == PaintPhaseSelection)
             return;
 
         if (cWidth > 2 && cHeight > 2) {
-            if (!isErrorImage()) {
+            if (!errorOccurred()) {
                 context->setStrokeStyle(SolidStroke);
                 context->setStrokeColor(Color::lightGray);
@@ -245 +245 @@
             int usableHeight = cHeight;
 
-            if (isErrorImage() && !image()->isNull() && (usableWidth >= image()->width()) && (usableHeight >= image()->height())) {
+            if (errorOccurred() && !image()->isNull() && (usableWidth >= image()->width()) && (usableHeight >= image()->height())) {
                 // Center the error image, accounting for border and padding.
                 int centerX = (usableWidth - image()->width()) / 2;
@@ -311 +311 @@
 
     // minimum height
-    m_height = m_cachedImage && m_cachedImage->isErrorImage() ? intrinsicHeight() : 0;
+    m_height = m_cachedImage && m_cachedImage->errorOccurred() ? intrinsicHeight() : 0;
 
     calcWidth();
@@ -416 +416 @@
     if (!intrinsicHeight())
         return 0;
-    if (!m_cachedImage || m_cachedImage->isErrorImage())
+    if (!m_cachedImage || m_cachedImage->errorOccurred())
         return intrinsicWidth(); // Don't bother scaling.
     return RenderReplaced::calcReplacedHeight() * intrinsicWidth() / intrinsicHeight();
@@ -425 +425 @@
     if (!intrinsicWidth())
         return 0;
-    if (!m_cachedImage || m_cachedImage->isErrorImage())
+    if (!m_cachedImage || m_cachedImage->errorOccurred())
         return intrinsicHeight(); // Don't bother scaling.
     return RenderReplaced::calcReplacedWidth() * intrinsicHeight() / intrinsicWidth();

trunk/WebCore/rendering/RenderImage.h

@@ -79 +79 @@
     bool isHeightSpecified() const;
 
-    bool isErrorImage() const { return m_cachedImage && m_cachedImage->isErrorImage(); }
+    bool errorOccurred() const { return m_cachedImage && m_cachedImage->errorOccurred(); }
 
     // The image we are rendering.

trunk/WebCore/rendering/RenderListItem.cpp

@@ -53 +53 @@
 
     if (style()->listStyleType() != LNONE ||
-        (style()->listStyleImage() && !style()->listStyleImage()->isErrorImage())) {
+        (style()->listStyleImage() && !style()->listStyleImage()->errorOccurred())) {
         RenderStyle* newStyle = new (renderArena()) RenderStyle;
         newStyle->ref();

trunk/WebCore/rendering/RenderListMarker.cpp

@@ -507 +507 @@
 bool RenderListMarker::isImage() const
 {
-    return m_image && !m_image->isErrorImage();
+    return m_image && !m_image->errorOccurred();
 }
 

trunk/WebCore/xml/xmlhttprequest.cpp

@@ -326 +326 @@
 bool XMLHttpRequest::urlMatchesDocumentDomain(const KURL& url) const
 {
-    KURL documentURL(m_doc->URL());
-
     // a local file can load anything
-    if (documentURL.protocol().lower() == "file" || documentURL.protocol().lower() == "applewebdata")
+    if (m_doc->isAllowedToLoadLocalResources())
         return true;
 
     // but a remote document can only load from the same port on the server
+    KURL documentURL = m_doc->URL();
     if (documentURL.protocol().lower() == url.protocol().lower()
             && documentURL.host().lower() == url.host().lower()

trunk/WebKit/ChangeLog

@@ +1 @@
+2007-03-02  Kevin McCullough  <kmccullough@apple.com>
+
+        Reviewed by Geoff.
+
+        - rdar://problem/4922454
+        - This fixes a security issue by making remote referrers not able to access local
+        resources, unless they register their schemes to be treated as local. The result is
+        that those schemes can access local resources and cannot be accessed by remote
+        referrers.
+        Because this behavior is new a link-on-or-after check is made to determine if the
+        app should use the older, less safe, behavior.
+
+        * Misc/WebKitVersionChecks.h: added linked-on-or-after check
+        * Misc/WebNSAttributedStringExtras.mm: Moved functionalit into the base class.
+        (fileWrapperForElement):
+        * Plugins/WebNetscapePluginStream.mm: uses new canLoad functions
+        * Plugins/WebPluginContainerCheck.mm: uses new canLoad functions
+        (-[WebPluginContainerCheck _isForbiddenFileLoad]):
+        * WebView/WebView.mm: make linked-on-or-after check and cache value, exposes SPI
+        for registering a scheme as local. 
+        (-[WebView _commonInitializationWithFrameName:groupName:]):
+        (+[WebView registerSchemeAsLocal:]):
+        * WebView/WebViewPrivate.h: exposes SPI for registering a scheme as local.
+
 2007-03-01  Justin Garcia  <justin.garcia@apple.com>
 

trunk/WebKit/Misc/WebKitVersionChecks.h

@@ -36 +36 @@
 #define WEBKIT_FIRST_VERSION_WITH_3_0_CONTEXT_MENU_TAGS 0x00020000
 #define WEBKIT_FIRST_VERSION_WITHOUT_ACROBAT_QUIRK 0x00020000
+#define WEBKIT_FIRST_VERSION_WITH_LOCAL_RESOURCE_SECURITY_RESTRICTION 0x00020000
 #define WEBKIT_FIRST_VERSION_WITHOUT_APERTURE_QUIRK 0x00020000
 

trunk/WebKit/Misc/WebNSAttributedStringExtras.mm

@@ -99 +99 @@
     if (!wrapper) {
         RenderImage* renderer = static_cast<RenderImage*>(e->renderer());
-        if (renderer->cachedImage() && !renderer->cachedImage()->isErrorImage()) {
+        if (renderer->cachedImage() && !renderer->cachedImage()->errorOccurred()) {
             wrapper = [[NSFileWrapper alloc] initRegularFileWithContents:(NSData *)(renderer->cachedImage()->image()->getTIFFRepresentation())];
             [wrapper setPreferredFilename:@"image.tiff"];

trunk/WebKit/Plugins/WebNetscapePluginStream.mm

@@ -64 +64 @@
     WebBaseNetscapePluginView *view = (WebBaseNetscapePluginView *)thePlugin->ndata;
 
-    bool hideReferrer;
-    if (!core([view webFrame])->loader()->canLoad([theRequest URL], core([view webFrame])->loader()->outgoingReferrer(), hideReferrer))
+    if (!core([view webFrame])->loader()->canLoad([theRequest URL], core([view webFrame])->document()))
         return nil;
 
@@ -79 +78 @@
     
     request = [theRequest mutableCopy];
-    if (hideReferrer)
+    if (core([view webFrame])->loader()->shouldHideReferrer([theRequest URL], core([view webFrame])->loader()->outgoingReferrer()))
         [(NSMutableURLRequest *)request _web_setHTTPReferrer:nil];
 

trunk/WebKit/Plugins/WebPluginContainerCheck.mm

@@ -96 +96 @@
 - (BOOL)_isForbiddenFileLoad
 {
-   bool ignore;
    WebFrameBridge *bridge = [_controller bridge];
    ASSERT(bridge);
-   if (![bridge _frame]->loader()->canLoad([_request URL], [_controller URLPolicyCheckReferrer], ignore)) {
+   if (![bridge _frame]->loader()->canLoad([_request URL], [bridge _frame]->document())) {
        [self _continueWithPolicy:PolicyIgnore];
        return YES;

trunk/WebKit/WebView/WebView.mm

@@ -1651 +1651 @@
     [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(_preferencesChangedNotification:)
                                                  name:WebPreferencesChangedNotification object:[self preferences]];
+
+    if (WebKitLinkedOnOrAfter(WEBKIT_FIRST_VERSION_WITH_LOCAL_RESOURCE_SECURITY_RESTRICTION))
+        FrameLoader::setRestrictAccessToLocal(true);
 }
 
@@ -2817 +2820 @@
 }
 
++ (void)registerSchemeAsLocal:(NSString *)protocol
+{
+    FrameLoader::registerSchemeAsLocal(protocol);
+}
+
 @end
 

trunk/WebKit/WebView/WebViewPrivate.h

@@ -172 +172 @@
 - (void)setAllowsUndo:(BOOL)flag;
 
++ (void)registerSchemeAsLocal:(NSString *)protocol;
+
 @end