Changeset 53049 in webkit

Timestamp:

Jan 10, 2010 12:10:00 AM (14 years ago)

Author:

abarth@webkit.org

Message:

2010-01-09 Adam Barth <​abarth@webkit.org>

Reviewed by Darin Adler.

Unify origin sandbox flag with m_noAccess in SecurityOrigin
​https://bugs.webkit.org/show_bug.cgi?id=32372

It turns out the SandboxOrigin bit is slightly different than the
unique origin concept because the sandbox bit is inherited by iframes.
These concepts are separate in the spec, so I think it's ok to keep
them separate in the implementation as well.

No new tests because there is no behavior change.

• dom/Document.cpp: (WebCore::Document::cookie): (WebCore::Document::setCookie):
• loader/CrossOriginAccessControl.cpp: (WebCore::passesAccessControlCheck):
• page/SecurityOrigin.cpp: (WebCore::schemesWithUniqueOrigins): (WebCore::SecurityOrigin::SecurityOrigin): (WebCore::SecurityOrigin::canAccess): (WebCore::SecurityOrigin::canRequest): (WebCore::SecurityOrigin::taintsCanvas): (WebCore::SecurityOrigin::setSandboxFlags): (WebCore::SecurityOrigin::toString): (WebCore::SecurityOrigin::registerURLSchemeAsNoAccess): (WebCore::SecurityOrigin::shouldTreatURLSchemeAsNoAccess):
• page/SecurityOrigin.h: (WebCore::SecurityOrigin::canAccessDatabase): (WebCore::SecurityOrigin::canAccessStorage): (WebCore::SecurityOrigin::canAccessCookies): (WebCore::SecurityOrigin::isUnique):

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• dom/Document.cpp (modified) (2 diffs)
• loader/CrossOriginAccessControl.cpp (modified) (1 diff)
• page/SecurityOrigin.cpp (modified) (11 diffs)
• page/SecurityOrigin.h (modified) (7 diffs)

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-01-09  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        Unify origin sandbox flag with m_noAccess in SecurityOrigin
+        https://bugs.webkit.org/show_bug.cgi?id=32372
+
+        It turns out the SandboxOrigin bit is slightly different than the
+        unique origin concept because the sandbox bit is inherited by iframes.
+        These concepts are separate in the spec, so I think it's ok to keep
+        them separate in the implementation as well.
+
+        No new tests because there is no behavior change.
+
+        * dom/Document.cpp:
+        (WebCore::Document::cookie):
+        (WebCore::Document::setCookie):
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::passesAccessControlCheck):
+        * page/SecurityOrigin.cpp:
+        (WebCore::schemesWithUniqueOrigins):
+        (WebCore::SecurityOrigin::SecurityOrigin):
+        (WebCore::SecurityOrigin::canAccess):
+        (WebCore::SecurityOrigin::canRequest):
+        (WebCore::SecurityOrigin::taintsCanvas):
+        (WebCore::SecurityOrigin::setSandboxFlags):
+        (WebCore::SecurityOrigin::toString):
+        (WebCore::SecurityOrigin::registerURLSchemeAsNoAccess):
+        (WebCore::SecurityOrigin::shouldTreatURLSchemeAsNoAccess):
+        * page/SecurityOrigin.h:
+        (WebCore::SecurityOrigin::canAccessDatabase):
+        (WebCore::SecurityOrigin::canAccessStorage):
+        (WebCore::SecurityOrigin::canAccessCookies):
+        (WebCore::SecurityOrigin::isUnique):
+
 2010-01-09  Adam Barth  <abarth@webkit.org>
 

trunk/WebCore/dom/Document.cpp

@@ -3069 +3069 @@
     // browsing context.
 
-    if (securityOrigin()->isSandboxed(SandboxOrigin)) {
+    if (!securityOrigin()->canAccessCookies()) {
         ec = SECURITY_ERR;
         return String();
@@ -3090 +3090 @@
     // browsing context.
 
-    if (securityOrigin()->isSandboxed(SandboxOrigin)) {
+    if (!securityOrigin()->canAccessCookies()) {
         ec = SECURITY_ERR;
         return;

trunk/WebCore/loader/CrossOriginAccessControl.cpp

@@ -101 +101 @@
         return true;
 
-    // A sandboxed frame has a unique origin (for same-origin purposes).
-    if (securityOrigin->isSandboxed(SandboxOrigin))
+    if (securityOrigin->isUnique())
         return false;
 

trunk/WebCore/page/SecurityOrigin.cpp

@@ -66 +66 @@
 }
 
-static URLSchemesMap& noAccessSchemes()
-{
-    DEFINE_STATIC_LOCAL(URLSchemesMap, noAccessSchemes, ());
-
-    if (noAccessSchemes.isEmpty())
-        noAccessSchemes.add("data");
-
-    return noAccessSchemes;
+static URLSchemesMap& schemesWithUniqueOrigins()
+{
+    DEFINE_STATIC_LOCAL(URLSchemesMap, schemesWithUniqueOrigins, ());
+
+    // This is a willful violation of HTML5.
+    // See https://bugs.webkit.org/show_bug.cgi?id=11885
+    if (schemesWithUniqueOrigins.isEmpty())
+        schemesWithUniqueOrigins.add("data");
+
+    return schemesWithUniqueOrigins;
 }
 
 SecurityOrigin::SecurityOrigin(const KURL& url)
-    : m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
+    : m_sandboxFlags(SandboxNone)
+    , m_protocol(url.protocol().isNull() ? "" : url.protocol().lower())
     , m_host(url.host().isNull() ? "" : url.host().lower())
     , m_port(url.port())
-    , m_sandboxFlags(SandboxNone)
-    , m_noAccess(false)
+    , m_isUnique(false)
     , m_universalAccess(false)
     , m_domainWasSetInDOM(false)
@@ -91 +93 @@
     // Some URLs are not allowed access to anything other than themselves.
     if (shouldTreatURLSchemeAsNoAccess(m_protocol))
-        m_noAccess = true;
+        m_isUnique = true;
+
+    // If this ASSERT becomes false in the future, please consider the impact
+    // of m_sandoxFlags on m_isUnique.
+    ASSERT(m_sandboxFlags == SandboxNone);
 
     // document.domain starts as m_host, but can be set by the DOM.
@@ -101 +107 @@
         // Directories should never be readable.
         if (!url.hasPath() || url.path().endsWith("/"))
-            m_noAccess = true;
+            m_isUnique = true;
     }
 
@@ -109 +115 @@
 
 SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
-    : m_protocol(other->m_protocol.threadsafeCopy())
+    : m_sandboxFlags(other->m_sandboxFlags)
+    , m_protocol(other->m_protocol.threadsafeCopy())
     , m_host(other->m_host.threadsafeCopy())
     , m_domain(other->m_domain.threadsafeCopy())
     , m_port(other->m_port)
-    , m_sandboxFlags(other->m_sandboxFlags)
-    , m_noAccess(other->m_noAccess)
+    , m_isUnique(other->m_isUnique)
     , m_universalAccess(other->m_universalAccess)
     , m_domainWasSetInDOM(other->m_domainWasSetInDOM)
@@ -154 +160 @@
         return true;
 
-    if (m_noAccess || other->m_noAccess || isSandboxed(SandboxOrigin) || other->isSandboxed(SandboxOrigin))
+    if (isUnique() || other->isUnique())
         return false;
 
     // Here are two cases where we should permit access:
     //
-    // 1) Neither document has set document.domain.  In this case, we insist
+    // 1) Neither document has set document.domain. In this case, we insist
     //    that the scheme, host, and port of the URLs match.
     //
-    // 2) Both documents have set document.domain.  In this case, we insist
+    // 2) Both documents have set document.domain. In this case, we insist
     //    that the documents have set document.domain to the same value and
     //    that the scheme of the URLs match.
@@ -195 +201 @@
         return true;
 
-    if (m_noAccess || isSandboxed(SandboxOrigin))
+    if (isUnique())
         return false;
 
     RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
-    if (targetOrigin->m_noAccess)
+    if (targetOrigin->isUnique())
         return false;
 
@@ -222 +228 @@
         return false;
 
-    // This method exists because we treat data URLs as noAccess, contrary
-    // to the current (9/19/2009) draft of the HTML5 specification.  We still
-    // want to let folks paint data URLs onto untainted canvases, so we special
-    // case data URLs below.  If we change to match HTML5 w.r.t. data URL
-    // security, then we can remove this method in favor of !canRequest.
+    // This function exists because we treat data URLs as having a unique origin,
+    // contrary to the current (9/19/2009) draft of the HTML5 specification.
+    // We still want to let folks paint data URLs onto untainted canvases, so
+    // we special case data URLs below. If we change to match HTML5 w.r.t.
+    // data URL security, then we can remove this function in favor of
+    // !canRequest.
     if (url.protocolIs("data"))
         return false;
@@ -249 +256 @@
 void SecurityOrigin::grantLoadLocalResources()
 {
-    // This method exists only to support backwards compatibility with older
-    // versions of WebKit.  Granting privileges to some, but not all, documents
+    // This function exists only to support backwards compatibility with older
+    // versions of WebKit. Granting privileges to some, but not all, documents
     // in a SecurityOrigin is a security hazard because the documents without
     // the privilege can obtain the privilege by injecting script into the
@@ -263 +270 @@
 }
 
+void SecurityOrigin::setSandboxFlags(SandboxFlags flags)
+{
+    m_sandboxFlags = flags;
+    if (isSandboxed(SandboxOrigin))
+        m_isUnique = true;
+
+    // Although you might think that we should set m_isUnique to false when
+    // flags doesn't contain SandboxOrigin, that's not actually the right
+    // behavior. We're supposed to freeze the origin of a document when it
+    // is created, even if the sandbox flags change after that point in time.
+    //
+    // FIXME: Our current behavior here is buggy because we need to
+    //        distinguish between the sandbox flags at creation and the
+    //        sandbox flags that might come about later.
+}
+
 bool SecurityOrigin::isLocal() const
 {
@@ -283 +306 @@
         return "null";
 
-    if (m_noAccess || isSandboxed(SandboxOrigin))
+    if (isUnique())
         return "null";
 
@@ -441 +464 @@
 void SecurityOrigin::registerURLSchemeAsNoAccess(const String& scheme)
 {
-    noAccessSchemes().add(scheme);
+    schemesWithUniqueOrigins().add(scheme);
 }
 
 bool SecurityOrigin::shouldTreatURLSchemeAsNoAccess(const String& scheme)
 {
-    return noAccessSchemes().contains(scheme);
+    return schemesWithUniqueOrigins().contains(scheme);
 }
 

trunk/WebCore/page/SecurityOrigin.h

@@ -53 +53 @@
     static PassRefPtr<SecurityOrigin> createEmpty();
 
-    // Create a deep copy of this SecurityOrigin.  This method is useful
+    // Create a deep copy of this SecurityOrigin. This method is useful
     // when marshalling a SecurityOrigin to another thread.
     PassRefPtr<SecurityOrigin> threadsafeCopy();
 
-    // Set the domain property of this security origin to newDomain.  This
+    // Set the domain property of this security origin to newDomain. This
     // function does not check whether newDomain is a suffix of the current
-    // domain.  The caller is responsible for validating newDomain.
+    // domain. The caller is responsible for validating newDomain.
     void setDomainFromDOM(const String& newDomain);
     bool domainWasSetInDOM() const { return m_domainWasSetInDOM; }
@@ -69 +69 @@
 
     // Returns true if this SecurityOrigin can script objects in the given
-    // SecurityOrigin.  For example, call this function before allowing
+    // SecurityOrigin. For example, call this function before allowing
     // script from one security origin to read or write objects from
     // another SecurityOrigin.
@@ -75 +75 @@
 
     // Returns true if this SecurityOrigin can read content retrieved from
-    // the given URL.  For example, call this function before issuing
+    // the given URL. For example, call this function before issuing
     // XMLHttpRequests.
     bool canRequest(const KURL&) const;
 
     // Returns true if drawing an image from this URL taints a canvas from
-    // this security origin.  For example, call this function before
+    // this security origin. For example, call this function before
     // drawing an image onto an HTML canvas element with the drawImage API.
     bool taintsCanvas(const KURL&) const;
@@ -109 +109 @@
     // Explicitly grant the ability to access very other SecurityOrigin.
     //
-    // WARNING: This is an extremely powerful ability.  Use with caution!
+    // WARNING: This is an extremely powerful ability. Use with caution!
     void grantUniversalAccess();
 
-    // Sandboxing status as determined by the frame.
-    void setSandboxFlags(SandboxFlags flags) { m_sandboxFlags = flags; }
+    void setSandboxFlags(SandboxFlags);
     bool isSandboxed(SandboxFlags mask) const { return m_sandboxFlags & mask; }
 
-    bool canAccessDatabase() const { return !isSandboxed(SandboxOrigin); }
-    bool canAccessStorage() const { return !isSandboxed(SandboxOrigin); }
+    bool canAccessDatabase() const { return !isUnique(); }
+    bool canAccessStorage() const { return !isUnique(); }
+    bool canAccessCookies() const { return !isUnique(); }
 
     bool isSecureTransitionTo(const KURL&) const;
@@ -129 +129 @@
     bool isEmpty() const;
 
-    // Convert this SecurityOrigin into a string.  The string
+    // The origin is a globally unique identifier assigned when the Document is
+    // created. http://www.whatwg.org/specs/web-apps/current-work/#sandboxOrigin
+    //
+    // There's a subtle difference between a unique origin and an origin that
+    // has the SandboxOrigin flag set. The latter implies the former, and, in
+    // addition, the SandboxOrigin flag is inherited by iframes.
+    bool isUnique() const { return m_isUnique; }
+
+    // Convert this SecurityOrigin into a string. The string
     // representation of a SecurityOrigin is similar to a URL, except it
-    // lacks a path component.  The string representation does not encode
+    // lacks a path component. The string representation does not encode
     // the value of the SecurityOrigin's domain property.
     //
-    // When using the string value, it's important to remember that it
-    // might be "null".  This happens when this SecurityOrigin has
-    // noAccess to other SecurityOrigins.  For example, this SecurityOrigin
-    // might have come from a data URL, the SecurityOrigin might be empty,
-    // or we might have explicitly decided that we
-    // shouldTreatURLSchemeAsNoAccess.
+    // When using the string value, it's important to remember that it might be
+    // "null". This happens when this SecurityOrigin is unique. For example,
+    // this SecurityOrigin might have come from a sandboxed iframe, the
+    // SecurityOrigin might be empty, or we might have explicitly decided that
+    // we shouldTreatURLSchemeAsNoAccess.
     String toString() const;
 
@@ -147 +154 @@
 
     // This method checks for equality between SecurityOrigins, not whether
-    // one origin can access another.  It is used for hash table keys.
+    // one origin can access another. It is used for hash table keys.
     // For access checks, use canAccess().
     // FIXME: If this method is really only useful for hash table keys, it
@@ -184 +191 @@
     explicit SecurityOrigin(const SecurityOrigin*);
 
+    SandboxFlags m_sandboxFlags;
     String m_protocol;
     String m_host;
     String m_domain;
     unsigned short m_port;
-    SandboxFlags m_sandboxFlags;
-    bool m_noAccess;
+    bool m_isUnique;
     bool m_universalAccess;
     bool m_domainWasSetInDOM;