diff options
Diffstat (limited to 'Source/WebCore/bindings/generic/BindingSecurity.h')
-rw-r--r-- | Source/WebCore/bindings/generic/BindingSecurity.h | 120 |
1 files changed, 13 insertions, 107 deletions
diff --git a/Source/WebCore/bindings/generic/BindingSecurity.h b/Source/WebCore/bindings/generic/BindingSecurity.h index 7e5ff7de5..99d7f0097 100644 --- a/Source/WebCore/bindings/generic/BindingSecurity.h +++ b/Source/WebCore/bindings/generic/BindingSecurity.h @@ -31,120 +31,26 @@ #ifndef BindingSecurity_h #define BindingSecurity_h -#include "BindingSecurityBase.h" -#include "DOMWindow.h" -#include "Document.h" -#include "Element.h" -#include "Frame.h" -#include "GenericBinding.h" -#include "HTMLFrameElementBase.h" -#include "HTMLNames.h" -#include "HTMLParserIdioms.h" -#include "ScriptController.h" -#include "Settings.h" +#include "BindingState.h" +#include <wtf/text/WTFString.h> namespace WebCore { -class DOMWindow; +class HTMLFrameElementBase; class Node; -// Security functions shared by various language bindings. -template <class Binding> -class BindingSecurity : public BindingSecurityBase { -public: - // Check if the active execution context can access the target frame. - static bool canAccessFrame(State<Binding>*, Frame*, bool reportError); - - // Check if it is safe to access the given node from the - // current security context. - static bool shouldAllowAccessToNode(State<Binding>*, Node* target); - - static bool allowPopUp(State<Binding>*); - static bool allowSettingFrameSrcToJavascriptUrl(State<Binding>*, HTMLFrameElementBase*, const String& value); - static bool allowSettingSrcToJavascriptURL(State<Binding>*, Element*, const String& name, const String& value); - -private: - explicit BindingSecurity() {} - ~BindingSecurity(); - - // Check if the current DOMWindow's security context can access the target - // DOMWindow. This function does not report errors, so most callers should - // use canAccessFrame instead. - static bool canAccessWindow(State<Binding>*, DOMWindow* target); +enum SecurityReportingOption { + DoNotReportSecurityError, + ReportSecurityError, }; -// Implementations of templated methods must be in this file. - -template <class Binding> -bool BindingSecurity<Binding>::canAccessWindow(State<Binding>* state, - DOMWindow* targetWindow) -{ - DOMWindow* activeWindow = state->activeWindow(); - return canAccess(activeWindow, targetWindow); -} - -template <class Binding> -bool BindingSecurity<Binding>::canAccessFrame(State<Binding>* state, - Frame* target, - bool reportError) -{ - // The subject is detached from a frame, deny accesses. - if (!target) - return false; - - if (!canAccessWindow(state, getDOMWindow(target))) { - if (reportError) - state->immediatelyReportUnsafeAccessTo(target); - return false; - } - return true; -} - -template <class Binding> -bool BindingSecurity<Binding>::shouldAllowAccessToNode(State<Binding>* state, Node* node) -{ - if (!node) - return false; - - Frame* target = getFrame(node); - - if (!target) - return false; - - return canAccessFrame(state, target, true); -} - -template <class Binding> -bool BindingSecurity<Binding>::allowPopUp(State<Binding>* state) -{ - if (ScriptController::processingUserGesture()) - return true; - - Frame* frame = state->firstFrame(); - ASSERT(frame); - Settings* settings = frame->settings(); - return settings && settings->javaScriptCanOpenWindowsAutomatically(); -} - -template <class Binding> -bool BindingSecurity<Binding>::allowSettingFrameSrcToJavascriptUrl(State<Binding>* state, HTMLFrameElementBase* frame, const String& value) -{ - if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(value))) { - Node* contentDoc = frame->contentDocument(); - if (contentDoc && !shouldAllowAccessToNode(state, contentDoc)) - return false; - } - return true; -} - -template <class Binding> -bool BindingSecurity<Binding>::allowSettingSrcToJavascriptURL(State<Binding>* state, Element* element, const String& name, const String& value) -{ - if ((element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src")) - return allowSettingFrameSrcToJavascriptUrl(state, static_cast<HTMLFrameElementBase*>(element), value); - return true; -} +class BindingSecurity { +public: + static bool shouldAllowAccessToNode(BindingState*, Node*); + static bool shouldAllowAccessToFrame(BindingState*, Frame*, SecurityReportingOption = ReportSecurityError); + static bool allowSettingFrameSrcToJavascriptUrl(BindingState*, HTMLFrameElementBase*, const String& value); +}; } -#endif // BindingSecurity_h +#endif |