Changeset 53049 in webkit
- Timestamp:
- Jan 10, 2010 12:10:00 AM (14 years ago)
- Location:
- trunk/WebCore
- Files:
-
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/WebCore/ChangeLog
r53046 r53049 1 2010-01-09 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Darin Adler. 4 5 Unify origin sandbox flag with m_noAccess in SecurityOrigin 6 https://bugs.webkit.org/show_bug.cgi?id=32372 7 8 It turns out the SandboxOrigin bit is slightly different than the 9 unique origin concept because the sandbox bit is inherited by iframes. 10 These concepts are separate in the spec, so I think it's ok to keep 11 them separate in the implementation as well. 12 13 No new tests because there is no behavior change. 14 15 * dom/Document.cpp: 16 (WebCore::Document::cookie): 17 (WebCore::Document::setCookie): 18 * loader/CrossOriginAccessControl.cpp: 19 (WebCore::passesAccessControlCheck): 20 * page/SecurityOrigin.cpp: 21 (WebCore::schemesWithUniqueOrigins): 22 (WebCore::SecurityOrigin::SecurityOrigin): 23 (WebCore::SecurityOrigin::canAccess): 24 (WebCore::SecurityOrigin::canRequest): 25 (WebCore::SecurityOrigin::taintsCanvas): 26 (WebCore::SecurityOrigin::setSandboxFlags): 27 (WebCore::SecurityOrigin::toString): 28 (WebCore::SecurityOrigin::registerURLSchemeAsNoAccess): 29 (WebCore::SecurityOrigin::shouldTreatURLSchemeAsNoAccess): 30 * page/SecurityOrigin.h: 31 (WebCore::SecurityOrigin::canAccessDatabase): 32 (WebCore::SecurityOrigin::canAccessStorage): 33 (WebCore::SecurityOrigin::canAccessCookies): 34 (WebCore::SecurityOrigin::isUnique): 35 1 36 2010-01-09 Adam Barth <abarth@webkit.org> 2 37 -
trunk/WebCore/dom/Document.cpp
r53027 r53049 3069 3069 // browsing context. 3070 3070 3071 if ( securityOrigin()->isSandboxed(SandboxOrigin)) {3071 if (!securityOrigin()->canAccessCookies()) { 3072 3072 ec = SECURITY_ERR; 3073 3073 return String(); … … 3090 3090 // browsing context. 3091 3091 3092 if ( securityOrigin()->isSandboxed(SandboxOrigin)) {3092 if (!securityOrigin()->canAccessCookies()) { 3093 3093 ec = SECURITY_ERR; 3094 3094 return; -
trunk/WebCore/loader/CrossOriginAccessControl.cpp
r51577 r53049 101 101 return true; 102 102 103 // A sandboxed frame has a unique origin (for same-origin purposes). 104 if (securityOrigin->isSandboxed(SandboxOrigin)) 103 if (securityOrigin->isUnique()) 105 104 return false; 106 105 -
trunk/WebCore/page/SecurityOrigin.cpp
r51703 r53049 66 66 } 67 67 68 static URLSchemesMap& noAccessSchemes() 69 { 70 DEFINE_STATIC_LOCAL(URLSchemesMap, noAccessSchemes, ()); 71 72 if (noAccessSchemes.isEmpty()) 73 noAccessSchemes.add("data"); 74 75 return noAccessSchemes; 68 static URLSchemesMap& schemesWithUniqueOrigins() 69 { 70 DEFINE_STATIC_LOCAL(URLSchemesMap, schemesWithUniqueOrigins, ()); 71 72 // This is a willful violation of HTML5. 73 // See https://bugs.webkit.org/show_bug.cgi?id=11885 74 if (schemesWithUniqueOrigins.isEmpty()) 75 schemesWithUniqueOrigins.add("data"); 76 77 return schemesWithUniqueOrigins; 76 78 } 77 79 78 80 SecurityOrigin::SecurityOrigin(const KURL& url) 79 : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) 81 : m_sandboxFlags(SandboxNone) 82 , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower()) 80 83 , m_host(url.host().isNull() ? "" : url.host().lower()) 81 84 , m_port(url.port()) 82 , m_sandboxFlags(SandboxNone) 83 , m_noAccess(false) 85 , m_isUnique(false) 84 86 , m_universalAccess(false) 85 87 , m_domainWasSetInDOM(false) … … 91 93 // Some URLs are not allowed access to anything other than themselves. 92 94 if (shouldTreatURLSchemeAsNoAccess(m_protocol)) 93 m_noAccess = true; 95 m_isUnique = true; 96 97 // If this ASSERT becomes false in the future, please consider the impact 98 // of m_sandoxFlags on m_isUnique. 99 ASSERT(m_sandboxFlags == SandboxNone); 94 100 95 101 // document.domain starts as m_host, but can be set by the DOM. … … 101 107 // Directories should never be readable. 102 108 if (!url.hasPath() || url.path().endsWith("/")) 103 m_ noAccess= true;109 m_isUnique = true; 104 110 } 105 111 … … 109 115 110 116 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other) 111 : m_protocol(other->m_protocol.threadsafeCopy()) 117 : m_sandboxFlags(other->m_sandboxFlags) 118 , m_protocol(other->m_protocol.threadsafeCopy()) 112 119 , m_host(other->m_host.threadsafeCopy()) 113 120 , m_domain(other->m_domain.threadsafeCopy()) 114 121 , m_port(other->m_port) 115 , m_sandboxFlags(other->m_sandboxFlags) 116 , m_noAccess(other->m_noAccess) 122 , m_isUnique(other->m_isUnique) 117 123 , m_universalAccess(other->m_universalAccess) 118 124 , m_domainWasSetInDOM(other->m_domainWasSetInDOM) … … 154 160 return true; 155 161 156 if ( m_noAccess || other->m_noAccess || isSandboxed(SandboxOrigin) || other->isSandboxed(SandboxOrigin))162 if (isUnique() || other->isUnique()) 157 163 return false; 158 164 159 165 // Here are two cases where we should permit access: 160 166 // 161 // 1) Neither document has set document.domain. 167 // 1) Neither document has set document.domain. In this case, we insist 162 168 // that the scheme, host, and port of the URLs match. 163 169 // 164 // 2) Both documents have set document.domain. 170 // 2) Both documents have set document.domain. In this case, we insist 165 171 // that the documents have set document.domain to the same value and 166 172 // that the scheme of the URLs match. … … 195 201 return true; 196 202 197 if ( m_noAccess || isSandboxed(SandboxOrigin))203 if (isUnique()) 198 204 return false; 199 205 200 206 RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url); 201 if (targetOrigin-> m_noAccess)207 if (targetOrigin->isUnique()) 202 208 return false; 203 209 … … 222 228 return false; 223 229 224 // This method exists because we treat data URLs as noAccess, contrary 225 // to the current (9/19/2009) draft of the HTML5 specification. We still 226 // want to let folks paint data URLs onto untainted canvases, so we special 227 // case data URLs below. If we change to match HTML5 w.r.t. data URL 228 // security, then we can remove this method in favor of !canRequest. 230 // This function exists because we treat data URLs as having a unique origin, 231 // contrary to the current (9/19/2009) draft of the HTML5 specification. 232 // We still want to let folks paint data URLs onto untainted canvases, so 233 // we special case data URLs below. If we change to match HTML5 w.r.t. 234 // data URL security, then we can remove this function in favor of 235 // !canRequest. 229 236 if (url.protocolIs("data")) 230 237 return false; … … 249 256 void SecurityOrigin::grantLoadLocalResources() 250 257 { 251 // This methodexists only to support backwards compatibility with older252 // versions of WebKit. 258 // This function exists only to support backwards compatibility with older 259 // versions of WebKit. Granting privileges to some, but not all, documents 253 260 // in a SecurityOrigin is a security hazard because the documents without 254 261 // the privilege can obtain the privilege by injecting script into the … … 263 270 } 264 271 272 void SecurityOrigin::setSandboxFlags(SandboxFlags flags) 273 { 274 m_sandboxFlags = flags; 275 if (isSandboxed(SandboxOrigin)) 276 m_isUnique = true; 277 278 // Although you might think that we should set m_isUnique to false when 279 // flags doesn't contain SandboxOrigin, that's not actually the right 280 // behavior. We're supposed to freeze the origin of a document when it 281 // is created, even if the sandbox flags change after that point in time. 282 // 283 // FIXME: Our current behavior here is buggy because we need to 284 // distinguish between the sandbox flags at creation and the 285 // sandbox flags that might come about later. 286 } 287 265 288 bool SecurityOrigin::isLocal() const 266 289 { … … 283 306 return "null"; 284 307 285 if ( m_noAccess || isSandboxed(SandboxOrigin))308 if (isUnique()) 286 309 return "null"; 287 310 … … 441 464 void SecurityOrigin::registerURLSchemeAsNoAccess(const String& scheme) 442 465 { 443 noAccessSchemes().add(scheme);466 schemesWithUniqueOrigins().add(scheme); 444 467 } 445 468 446 469 bool SecurityOrigin::shouldTreatURLSchemeAsNoAccess(const String& scheme) 447 470 { 448 return noAccessSchemes().contains(scheme);471 return schemesWithUniqueOrigins().contains(scheme); 449 472 } 450 473 -
trunk/WebCore/page/SecurityOrigin.h
r53038 r53049 53 53 static PassRefPtr<SecurityOrigin> createEmpty(); 54 54 55 // Create a deep copy of this SecurityOrigin. 55 // Create a deep copy of this SecurityOrigin. This method is useful 56 56 // when marshalling a SecurityOrigin to another thread. 57 57 PassRefPtr<SecurityOrigin> threadsafeCopy(); 58 58 59 // Set the domain property of this security origin to newDomain. 59 // Set the domain property of this security origin to newDomain. This 60 60 // function does not check whether newDomain is a suffix of the current 61 // domain. 61 // domain. The caller is responsible for validating newDomain. 62 62 void setDomainFromDOM(const String& newDomain); 63 63 bool domainWasSetInDOM() const { return m_domainWasSetInDOM; } … … 69 69 70 70 // Returns true if this SecurityOrigin can script objects in the given 71 // SecurityOrigin. 71 // SecurityOrigin. For example, call this function before allowing 72 72 // script from one security origin to read or write objects from 73 73 // another SecurityOrigin. … … 75 75 76 76 // Returns true if this SecurityOrigin can read content retrieved from 77 // the given URL. 77 // the given URL. For example, call this function before issuing 78 78 // XMLHttpRequests. 79 79 bool canRequest(const KURL&) const; 80 80 81 81 // Returns true if drawing an image from this URL taints a canvas from 82 // this security origin. 82 // this security origin. For example, call this function before 83 83 // drawing an image onto an HTML canvas element with the drawImage API. 84 84 bool taintsCanvas(const KURL&) const; … … 109 109 // Explicitly grant the ability to access very other SecurityOrigin. 110 110 // 111 // WARNING: This is an extremely powerful ability. 111 // WARNING: This is an extremely powerful ability. Use with caution! 112 112 void grantUniversalAccess(); 113 113 114 // Sandboxing status as determined by the frame. 115 void setSandboxFlags(SandboxFlags flags) { m_sandboxFlags = flags; } 114 void setSandboxFlags(SandboxFlags); 116 115 bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; } 117 116 118 bool canAccessDatabase() const { return !isSandboxed(SandboxOrigin); } 119 bool canAccessStorage() const { return !isSandboxed(SandboxOrigin); } 117 bool canAccessDatabase() const { return !isUnique(); } 118 bool canAccessStorage() const { return !isUnique(); } 119 bool canAccessCookies() const { return !isUnique(); } 120 120 121 121 bool isSecureTransitionTo(const KURL&) const; … … 129 129 bool isEmpty() const; 130 130 131 // Convert this SecurityOrigin into a string. The string 131 // The origin is a globally unique identifier assigned when the Document is 132 // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin 133 // 134 // There's a subtle difference between a unique origin and an origin that 135 // has the SandboxOrigin flag set. The latter implies the former, and, in 136 // addition, the SandboxOrigin flag is inherited by iframes. 137 bool isUnique() const { return m_isUnique; } 138 139 // Convert this SecurityOrigin into a string. The string 132 140 // representation of a SecurityOrigin is similar to a URL, except it 133 // lacks a path component. 141 // lacks a path component. The string representation does not encode 134 142 // the value of the SecurityOrigin's domain property. 135 143 // 136 // When using the string value, it's important to remember that it 137 // might be "null". This happens when this SecurityOrigin has 138 // noAccess to other SecurityOrigins. For example, this SecurityOrigin 139 // might have come from a data URL, the SecurityOrigin might be empty, 140 // or we might have explicitly decided that we 141 // shouldTreatURLSchemeAsNoAccess. 144 // When using the string value, it's important to remember that it might be 145 // "null". This happens when this SecurityOrigin is unique. For example, 146 // this SecurityOrigin might have come from a sandboxed iframe, the 147 // SecurityOrigin might be empty, or we might have explicitly decided that 148 // we shouldTreatURLSchemeAsNoAccess. 142 149 String toString() const; 143 150 … … 147 154 148 155 // This method checks for equality between SecurityOrigins, not whether 149 // one origin can access another. 156 // one origin can access another. It is used for hash table keys. 150 157 // For access checks, use canAccess(). 151 158 // FIXME: If this method is really only useful for hash table keys, it … … 184 191 explicit SecurityOrigin(const SecurityOrigin*); 185 192 193 SandboxFlags m_sandboxFlags; 186 194 String m_protocol; 187 195 String m_host; 188 196 String m_domain; 189 197 unsigned short m_port; 190 SandboxFlags m_sandboxFlags; 191 bool m_noAccess; 198 bool m_isUnique; 192 199 bool m_universalAccess; 193 200 bool m_domainWasSetInDOM;
Note: See TracChangeset
for help on using the changeset viewer.