/* * Copyright (C) 2007-2017 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "config.h" #include "SecurityOrigin.h" #include "BlobURL.h" #include "FileSystem.h" #include "URL.h" #include "SchemeRegistry.h" #include "SecurityPolicy.h" #include "ThreadableBlobRegistry.h" #include #include #include #include namespace WebCore { static bool schemeRequiresHost(const URL& url) { // We expect URLs with these schemes to have authority components. If the // URL lacks an authority component, we get concerned and mark the origin // as unique. return url.protocolIsInHTTPFamily() || url.protocolIs("ftp"); } bool SecurityOrigin::shouldUseInnerURL(const URL& url) { // FIXME: Blob URLs don't have inner URLs. Their form is "blob:/", so treating the part after "blob:" as a URL is incorrect. if (url.protocolIsBlob()) return true; UNUSED_PARAM(url); return false; } // In general, extracting the inner URL varies by scheme. It just so happens // that all the URL schemes we currently support that use inner URLs for their // security origin can be parsed using this algorithm. URL SecurityOrigin::extractInnerURL(const URL& url) { // FIXME: Update this callsite to use the innerURL member function when // we finish implementing it. return URL(ParsedURLString, decodeURLEscapeSequences(url.path())); } static RefPtr getCachedOrigin(const URL& url) { if (url.protocolIsBlob()) return ThreadableBlobRegistry::getCachedOrigin(url); return nullptr; } static bool shouldTreatAsUniqueOrigin(const URL& url) { if (!url.isValid()) return true; // FIXME: Do we need to unwrap the URL further? URL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; // FIXME: Check whether innerURL is valid. // For edge case URLs that were probably misparsed, make sure that the origin is unique. // This is an additional safety net against bugs in URL parsing, and for network back-ends that parse URLs differently, // and could misinterpret another component for hostname. if (schemeRequiresHost(innerURL) && innerURL.host().isEmpty()) return true; if (SchemeRegistry::shouldTreatURLSchemeAsNoAccess(innerURL.protocol().toStringWithoutCopying())) return true; // This is the common case. return false; } SecurityOrigin::SecurityOrigin(const URL& url) : m_protocol(url.protocol().isNull() ? emptyString() : url.protocol().toString().convertToASCIILowercase()) , m_host(url.host().isNull() ? emptyString() : url.host().convertToASCIILowercase()) , m_port(url.port()) { // document.domain starts as m_host, but can be set by the DOM. m_domain = m_host; if (m_port && isDefaultPortForProtocol(m_port.value(), m_protocol)) m_port = std::nullopt; // By default, only local SecurityOrigins can load local resources. m_canLoadLocalResources = isLocal(); if (m_canLoadLocalResources) m_filePath = url.fileSystemPath(); // In case enforceFilePathSeparation() is called. } SecurityOrigin::SecurityOrigin() : m_protocol(emptyString()) , m_host(emptyString()) , m_domain(emptyString()) , m_isUnique(true) { } SecurityOrigin::SecurityOrigin(const SecurityOrigin* other) : m_protocol(other->m_protocol.isolatedCopy()) , m_host(other->m_host.isolatedCopy()) , m_domain(other->m_domain.isolatedCopy()) , m_filePath(other->m_filePath.isolatedCopy()) , m_port(other->m_port) , m_isUnique(other->m_isUnique) , m_universalAccess(other->m_universalAccess) , m_domainWasSetInDOM(other->m_domainWasSetInDOM) , m_canLoadLocalResources(other->m_canLoadLocalResources) , m_storageBlockingPolicy(other->m_storageBlockingPolicy) , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation) , m_needsStorageAccessFromFileURLsQuirk(other->m_needsStorageAccessFromFileURLsQuirk) { } Ref SecurityOrigin::create(const URL& url) { if (RefPtr cachedOrigin = getCachedOrigin(url)) return cachedOrigin.releaseNonNull(); if (shouldTreatAsUniqueOrigin(url)) return adoptRef(*new SecurityOrigin); if (shouldUseInnerURL(url)) return adoptRef(*new SecurityOrigin(extractInnerURL(url))); return adoptRef(*new SecurityOrigin(url)); } Ref SecurityOrigin::createUnique() { Ref origin(adoptRef(*new SecurityOrigin)); ASSERT(origin.get().isUnique()); return origin; } Ref SecurityOrigin::isolatedCopy() const { return adoptRef(*new SecurityOrigin(this)); } void SecurityOrigin::setDomainFromDOM(const String& newDomain) { m_domainWasSetInDOM = true; m_domain = newDomain.convertToASCIILowercase(); } bool SecurityOrigin::isSecure(const URL& url) { // Invalid URLs are secure, as are URLs which have a secure protocol. if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol().toStringWithoutCopying())) return true; // URLs that wrap inner URLs are secure if those inner URLs are secure. if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol().toStringWithoutCopying())) return true; return false; } bool SecurityOrigin::canAccess(const SecurityOrigin& other) const { if (m_universalAccess) return true; if (this == &other) return true; if (isUnique() || other.isUnique()) return false; // Here are two cases where we should permit access: // // 1) Neither document has set document.domain. In this case, we insist // that the scheme, host, and port of the URLs match. // // 2) Both documents have set document.domain. In this case, we insist // that the documents have set document.domain to the same value and // that the scheme of the URLs match. // // This matches the behavior of Firefox 2 and Internet Explorer 6. // // Internet Explorer 7 and Opera 9 are more strict in that they require // the port numbers to match when both pages have document.domain set. // // FIXME: Evaluate whether we can tighten this policy to require matched // port numbers. // // Opera 9 allows access when only one page has set document.domain, but // this is a security vulnerability. bool canAccess = false; if (m_protocol == other.m_protocol) { if (!m_domainWasSetInDOM && !other.m_domainWasSetInDOM) { if (m_host == other.m_host && m_port == other.m_port) canAccess = true; } else if (m_domainWasSetInDOM && other.m_domainWasSetInDOM) { if (m_domain == other.m_domain) canAccess = true; } } if (canAccess && isLocal()) canAccess = passesFileCheck(other); return canAccess; } bool SecurityOrigin::passesFileCheck(const SecurityOrigin& other) const { ASSERT(isLocal() && other.isLocal()); if (!m_enforceFilePathSeparation && !other.m_enforceFilePathSeparation) return true; return (m_filePath == other.m_filePath); } bool SecurityOrigin::canRequest(const URL& url) const { if (m_universalAccess) return true; if (getCachedOrigin(url) == this) return true; if (isUnique()) return false; Ref targetOrigin(SecurityOrigin::create(url)); if (targetOrigin->isUnique()) return false; // We call isSameSchemeHostPort here instead of canAccess because we want // to ignore document.domain effects. if (isSameSchemeHostPort(targetOrigin.get())) return true; if (SecurityPolicy::isAccessWhiteListed(this, &targetOrigin.get())) return true; return false; } bool SecurityOrigin::canReceiveDragData(const SecurityOrigin& dragInitiator) const { if (this == &dragInitiator) return true; return canAccess(dragInitiator); } // This is a hack to allow keep navigation to http/https feeds working. To remove this // we need to introduce new API akin to registerURLSchemeAsLocal, that registers a // protocols navigation policy. // feed(|s|search): is considered a 'nesting' scheme by embedders that support it, so it can be // local or remote depending on what is nested. Currently we just check if we are nesting // http or https, otherwise we ignore the nesting for the purpose of a security check. We need // a facility for registering nesting schemes, and some generalized logic for them. // This function should be removed as an outcome of https://bugs.webkit.org/show_bug.cgi?id=69196 static bool isFeedWithNestedProtocolInHTTPFamily(const URL& url) { const String& urlString = url.string(); if (!urlString.startsWith("feed", false)) return false; return urlString.startsWith("feed://", false) || urlString.startsWith("feed:http:", false) || urlString.startsWith("feed:https:", false) || urlString.startsWith("feeds:http:", false) || urlString.startsWith("feeds:https:", false) || urlString.startsWith("feedsearch:http:", false) || urlString.startsWith("feedsearch:https:", false); } bool SecurityOrigin::canDisplay(const URL& url) const { if (m_universalAccess) return true; #if !PLATFORM(IOS) if (m_protocol == "file" && url.isLocalFile() && !filesHaveSameVolume(m_filePath, url.fileSystemPath())) return false; #endif if (isFeedWithNestedProtocolInHTTPFamily(url)) return true; String protocol = url.protocol().toString(); if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol)) return canRequest(url); if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol)) return equalIgnoringASCIICase(m_protocol, protocol) || SecurityPolicy::isAccessToURLWhiteListed(this, url); if (SecurityPolicy::restrictAccessToLocal() && SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol)) return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteListed(this, url); return true; } bool SecurityOrigin::canAccessStorage(const SecurityOrigin* topOrigin, ShouldAllowFromThirdParty shouldAllowFromThirdParty) const { if (isUnique()) return false; if (isLocal() && !needsStorageAccessFromFileURLsQuirk() && !m_universalAccess && shouldAllowFromThirdParty != AlwaysAllowFromThirdParty) return false; if (m_storageBlockingPolicy == BlockAllStorage) return false; // FIXME: This check should be replaced with an ASSERT once we can guarantee that topOrigin is not null. if (!topOrigin) return true; if (topOrigin->m_storageBlockingPolicy == BlockAllStorage) return false; if (shouldAllowFromThirdParty == AlwaysAllowFromThirdParty) return true; if (m_universalAccess) return true; if ((m_storageBlockingPolicy == BlockThirdPartyStorage || topOrigin->m_storageBlockingPolicy == BlockThirdPartyStorage) && !topOrigin->isSameOriginAs(*this)) return false; return true; } SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const { if (m_universalAccess) return AlwaysAllow; if (isUnique()) return AlwaysDeny; return Ask; } bool SecurityOrigin::isSameOriginAs(const SecurityOrigin& other) const { if (this == &other) return true; if (isUnique() || other.isUnique()) return false; return isSameSchemeHostPort(other); } void SecurityOrigin::grantLoadLocalResources() { // Granting privileges to some, but not all, documents in a SecurityOrigin // is a security hazard because the documents without the privilege can // obtain the privilege by injecting script into the documents that have // been granted the privilege. m_canLoadLocalResources = true; } void SecurityOrigin::grantUniversalAccess() { m_universalAccess = true; } void SecurityOrigin::grantStorageAccessFromFileURLsQuirk() { m_needsStorageAccessFromFileURLsQuirk = true; } String SecurityOrigin::domainForCachePartition() const { if (m_storageBlockingPolicy != BlockThirdPartyStorage) return emptyString(); if (isHTTPFamily()) return host(); if (SchemeRegistry::shouldPartitionCacheForURLScheme(m_protocol)) return host(); return emptyString(); } void SecurityOrigin::enforceFilePathSeparation() { ASSERT(isLocal()); m_enforceFilePathSeparation = true; } bool SecurityOrigin::isLocal() const { return SchemeRegistry::shouldTreatURLSchemeAsLocal(m_protocol); } String SecurityOrigin::toString() const { if (isUnique()) return ASCIILiteral("null"); if (m_protocol == "file" && m_enforceFilePathSeparation) return ASCIILiteral("null"); return toRawString(); } String SecurityOrigin::toRawString() const { if (m_protocol == "file") return ASCIILiteral("file://"); StringBuilder result; result.reserveCapacity(m_protocol.length() + m_host.length() + 10); result.append(m_protocol); result.appendLiteral("://"); result.append(m_host); if (m_port) { result.append(':'); result.appendNumber(m_port.value()); } return result.toString(); } static inline bool areOriginsMatching(const SecurityOrigin& origin1, const SecurityOrigin& origin2) { if (origin1.isUnique() || origin2.isUnique()) return origin1.isUnique() == origin2.isUnique(); if (origin1.protocol() != origin2.protocol()) return false; if (origin1.protocol() == "file") return true; if (origin1.host() != origin2.host()) return false; return origin1.port() == origin2.port(); } // This function mimics the result of string comparison of serialized origins bool originsMatch(const SecurityOrigin& origin1, const SecurityOrigin& origin2) { if (&origin1 == &origin2) return true; bool result = areOriginsMatching(origin1, origin2); ASSERT(result == (origin1.toString() == origin2.toString())); return result; } bool originsMatch(const SecurityOrigin* origin1, const SecurityOrigin* origin2) { if (!origin1 || !origin2) return origin1 == origin2; return originsMatch(*origin1, *origin2); } Ref SecurityOrigin::createFromString(const String& originString) { return SecurityOrigin::create(URL(URL(), originString)); } Ref SecurityOrigin::create(const String& protocol, const String& host, std::optional port) { String decodedHost = decodeURLEscapeSequences(host); auto origin = create(URL(URL(), protocol + "://" + host + "/")); if (port && !isDefaultPortForProtocol(*port, protocol)) origin->m_port = port; return origin; } bool SecurityOrigin::equal(const SecurityOrigin* other) const { if (other == this) return true; if (!isSameSchemeHostPort(*other)) return false; if (m_domainWasSetInDOM != other->m_domainWasSetInDOM) return false; if (m_domainWasSetInDOM && m_domain != other->m_domain) return false; return true; } bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin& other) const { if (m_host != other.m_host) return false; if (m_protocol != other.m_protocol) return false; if (m_port != other.m_port) return false; if (isLocal() && !passesFileCheck(other)) return false; return true; } URL SecurityOrigin::urlWithUniqueSecurityOrigin() { ASSERT(isMainThread()); static NeverDestroyed uniqueSecurityOriginURL(ParsedURLString, ASCIILiteral("data:,")); return uniqueSecurityOriginURL; } } // namespace WebCore