Changeset 34753 in webkit

Timestamp:

Jun 23, 2008 8:00:21 PM (16 years ago)

Author:

abarth@webkit.org

Message:

2008-06-23 Adam Barth <​abarth@webkit.org>

Reviewed by Darin Adler.

​https://bugs.webkit.org/show_bug.cgi?id=16756

Move isAllowedToLoadLocalResources into SecurityOrigin.

• dom/Document.cpp: (WebCore::Document::Document): (WebCore::Document::setURL): (WebCore::Document::initSecurityContext):
• dom/Document.h:
• loader/FrameLoader.cpp: (WebCore::FrameLoader::canLoad):
• platform/SecurityOrigin.cpp: (WebCore::SecurityOrigin::SecurityOrigin): (WebCore::SecurityOrigin::isLocal):
• platform/SecurityOrigin.h: (WebCore::SecurityOrigin::protocol): (WebCore::SecurityOrigin::host): (WebCore::SecurityOrigin::domain): (WebCore::SecurityOrigin::port): (WebCore::SecurityOrigin::canLoadLocalResources): (WebCore::SecurityOrigin::grantLoadLocalResources):
• xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::setRequestHeader):

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• dom/Document.cpp (modified) (3 diffs)
• dom/Document.h (modified) (3 diffs)
• loader/FrameLoader.cpp (modified) (2 diffs)
• platform/SecurityOrigin.cpp (modified) (5 diffs)
• platform/SecurityOrigin.h (modified) (3 diffs)
• xml/XMLHttpRequest.cpp (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-06-23  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=16756
+
+        Move isAllowedToLoadLocalResources into SecurityOrigin.
+
+        * dom/Document.cpp:
+        (WebCore::Document::Document):
+        (WebCore::Document::setURL):
+        (WebCore::Document::initSecurityContext):
+        * dom/Document.h:
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::canLoad):
+        * platform/SecurityOrigin.cpp:
+        (WebCore::SecurityOrigin::SecurityOrigin):
+        (WebCore::SecurityOrigin::isLocal):
+        * platform/SecurityOrigin.h:
+        (WebCore::SecurityOrigin::protocol):
+        (WebCore::SecurityOrigin::host):
+        (WebCore::SecurityOrigin::domain):
+        (WebCore::SecurityOrigin::port):
+        (WebCore::SecurityOrigin::canLoadLocalResources):
+        (WebCore::SecurityOrigin::grantLoadLocalResources):
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::setRequestHeader):
+
 2008-06-23  Mark Rowe  <mrowe@apple.com>
 

trunk/WebCore/dom/Document.cpp

@@ -288 +288 @@
     , m_createRenderers(true)
     , m_inPageCache(false)
-    , m_isAllowedToLoadLocalResources(false)
     , m_useSecureKeyboardEntryWhenActive(false)
     , m_isXHTML(isXHTML)
@@ -1706 +1705 @@
     m_url = newURL;
     m_documentURI = m_url.string();
-    m_isAllowedToLoadLocalResources = shouldBeAllowedToLoadLocalResources();
     updateBaseURL();
-}
- 
-bool Document::shouldBeAllowedToLoadLocalResources() const
-{
-    if (FrameLoader::shouldTreatURLAsLocal(m_url.string()))
-        return true;
-
-    Frame* frame = this->frame();
-    if (!frame)
-        return false;
-    
-    DocumentLoader* documentLoader = frame->loader()->documentLoader();
-    if (!documentLoader)
-        return false;
-
-    if (m_url == blankURL() && frame->loader()->opener() && frame->loader()->opener()->document()->isAllowedToLoadLocalResources())
-        return true;
-    
-    return documentLoader->substituteData().isValid();
 }
 
@@ -3946 +3925 @@
     m_securityOrigin = SecurityOrigin::create(url);
 
+    // If this document was loaded with substituteData, then the document can
+    // load local resources.  See https://bugs.webkit.org/show_bug.cgi?id=16756
+    // for further discussion.
+    DocumentLoader* documentLoader = m_frame->loader()->documentLoader();
+    if (documentLoader && documentLoader->substituteData().isValid())
+        m_securityOrigin->grantLoadLocalResources();
+
     if (!m_securityOrigin->isEmpty())
         return;

trunk/WebCore/dom/Document.h

@@ -730 +730 @@
     void setIconURL(const String& iconURL, const String& type);
 
-    bool isAllowedToLoadLocalResources() const { return m_isAllowedToLoadLocalResources; }
-
     void setUseSecureKeyboardEntryWhenActive(bool);
     bool useSecureKeyboardEntryWhenActive() const;
@@ -965 +963 @@
 
 private:
-    bool shouldBeAllowedToLoadLocalResources() const;
-
     void updateTitle();
     void removeAllDisconnectedNodeEventListeners();
@@ -1021 +1017 @@
     HashSet<Element*> m_pageCacheCallbackElements;
 
-    bool m_isAllowedToLoadLocalResources;
-
     bool m_useSecureKeyboardEntryWhenActive;
 

trunk/WebCore/loader/FrameLoader.cpp

@@ -2263 +2263 @@
         return true;
 
-    return doc && doc->isAllowedToLoadLocalResources();
+    return doc && doc->securityOrigin()->canLoadLocalResources();
 }
 
@@ -2271 +2271 @@
         return true;
 
-    return doc && doc->isAllowedToLoadLocalResources();
+    return doc && doc->securityOrigin()->canLoadLocalResources();
 }
 

trunk/WebCore/platform/SecurityOrigin.cpp

@@ -70 +70 @@
     m_domain = m_host;
 
+    // By default, only local SecurityOrigins can load local resources.
+    m_canLoadLocalResources = isLocal();
+
     if (isDefaultPortForProtocol(m_port, m_protocol))
         m_port = 0;
@@ -81 +84 @@
     , m_noAccess(other->m_noAccess)
     , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
+    , m_canLoadLocalResources(other->m_canLoadLocalResources)
 {
 }
@@ -112 +116 @@
 bool SecurityOrigin::canAccess(const SecurityOrigin* other) const
 {  
-    if (FrameLoader::shouldTreatSchemeAsLocal(m_protocol))
+    if (isLocal())
         return true;
 
@@ -153 +157 @@
 bool SecurityOrigin::canRequest(const KURL& url) const
 {
-    if (FrameLoader::shouldTreatSchemeAsLocal(m_protocol))
+    if (isLocal())
         return true;
 
@@ -164 +168 @@
     // to ignore document.domain effects.
     return isSameSchemeHostPort(targetOrigin.get());
+}
+
+bool SecurityOrigin::isLocal() const
+{
+    return FrameLoader::shouldTreatSchemeAsLocal(m_protocol);
 }
 

trunk/WebCore/platform/SecurityOrigin.h

@@ -47 +47 @@
         static PassRefPtr<SecurityOrigin> createEmpty();
 
+        // Create a deep copy of this SecurityOrigin.  This method is useful
+        // when marshalling a SecurityOrigin to another thread.
         PassRefPtr<SecurityOrigin> copy();
 
+        // Set the domain property of this security origin to newDomain.  This
+        // function does not check whether newDomain is a suffix of the current
+        // domain.  The caller is responsible for validating newDomain.
         void setDomainFromDOM(const String& newDomain);
+
         String protocol() const { return m_protocol; }
         String host() const { return m_host; }
@@ -56 +62 @@
 
         // Returns true if this SecurityOrigin can script objects in the given
-        // SecurityOrigin.
+        // SecurityOrigin.  For example, call this function before allowing
+        // script from one security origin to read or write objects from
+        // another SecurityOrigin.
         bool canAccess(const SecurityOrigin*) const;
 
         // Returns true if this SecurityOrigin can read content retrieved from
-        // the given URL. For example, call this function before issuing
+        // the given URL.  For example, call this function before issuing
         // XMLHttpRequests.
         bool canRequest(const KURL&) const;
 
+        // Returns true if this SecurityOrigin can load local resources, such
+        // as images, iframes, and style sheets, and can link to local URLs.
+        // For example, call this function before creating an iframe to a
+        // file:// URL.
+        //
+        // Note: A SecurityOrigin might be allowed to load local resources
+        //       without being able to issue an XMLHttpRequest for a local URL.
+        //       To determine whether the SecurityOrigin can issue an
+        //       XMLHttpRequest for a URL, call canRequest(url).
+        bool canLoadLocalResources() const { return m_canLoadLocalResources; }
+
+        // Explicitly grant the ability to load local resources to this
+        // SecurityOrigin.
+        void grantLoadLocalResources() { m_canLoadLocalResources = true; }
+
         bool isSecureTransitionTo(const KURL&) const;
 
+        // The local SecurityOrigin is the most privileged SecurityOrigin.
+        // The local SecurityOrigin can script any document, navigate to local
+        // resources, and can set arbitrary headers on XMLHttpRequests.
+        bool isLocal() const;
+
+        // The empty SecurityOrigin is the least privileged SecurityOrigin.
         bool isEmpty() const;
+
+        // Convert this SecurityOrigin into a string.  The string
+        // representation of a SecurityOrigin is similar to a URL, except it
+        // lacks a path component.  The string representation does not encode
+        // the value of the SecurityOrigin's domain property.  The empty
+        // SecurityOrigin is represented with the null string.
         String toString() const;
 
@@ -95 +130 @@
         bool m_noAccess;
         bool m_domainWasSetInDOM;
+        bool m_canLoadLocalResources;
     };
 

trunk/WebCore/xml/XMLHttpRequest.cpp

@@ -703 +703 @@
         
     // A privileged script (e.g. a Dashboard widget) can set any headers.
-    if (!m_doc->isAllowedToLoadLocalResources() && !isSafeRequestHeader(name)) {
+    if (!m_doc->securityOrigin()->canLoadLocalResources() && !isSafeRequestHeader(name)) {
         if (m_doc && m_doc->frame())
             m_doc->frame()->domWindow()->console()->addMessage(JSMessageSource, ErrorMessageLevel, "Refused to set unsafe header " + name, 1, String());