Diffstat (limited to 'Source/WebCore/bindings/generic')
7 files changed, 112 insertions, 253 deletions
diff --git a/Source/WebCore/bindings/generic/BindingSecurity.cpp b/Source/WebCore/bindings/generic/BindingSecurity.cpp
new file mode 100644
index 000000000..87f4a574d
--- /dev/null
+++ b/Source/WebCore/bindings/generic/BindingSecurity.cpp
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2009 Google Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "BindingSecurity.h"
+
+#include "BindingState.h"
+#include "DOMWindow.h"
+#include "Document.h"
+#include "Frame.h"
+#include "HTMLFrameElementBase.h"
+#include "HTMLParserIdioms.h"
+#include "SecurityOrigin.h"
+#include "Settings.h"
+
+namespace WebCore {
+
+static bool canAccessDocument(BindingState* state, Document* targetDocument, SecurityReportingOption reportingOption = ReportSecurityError)
+{
+ if (!targetDocument)
+ return false;
+
+ DOMWindow* active = activeDOMWindow(state);
+ if (!active)
+ return false;
+
+ // If the embedder executes JavaScript synchronously during the didCreateScriptContext callback,
+ // in some cases the active SecurityOrigin will not yet be copied to the DOMWindow. For example,
+ // Frame::setDocument can trigger didCreateScriptContext during ScriptController::updateDocument.
+ //
+ // FIXME: Remove this branch once we manage to delete DOMWindow::m_securityOrigin. Ideally, we'd
+ // get the SecurityOrigin from the Document rather than the DOMWindow. In that case, there
+ // shouldn't ever be a chance to execute script before the SecurityOrigin object is created.
+ if (!active->securityOrigin())
+ return false;
+
+ if (active->securityOrigin()->canAccess(targetDocument->securityOrigin()))
+ return true;
+
+ if (reportingOption == ReportSecurityError)
+ immediatelyReportUnsafeAccessTo(state, targetDocument);
+
+ return false;
+}
+
+bool BindingSecurity::shouldAllowAccessToFrame(BindingState* state, Frame* target, SecurityReportingOption reportingOption)
+{
+ return target && canAccessDocument(state, target->document(), reportingOption);
+}
+
+bool BindingSecurity::shouldAllowAccessToNode(BindingState* state, Node* target)
+{
+ return target && canAccessDocument(state, target->document());
+}
+
+bool BindingSecurity::allowSettingFrameSrcToJavascriptUrl(BindingState* state, HTMLFrameElementBase* frame, const String& value)
+{
+ return !protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(value)) || canAccessDocument(state, frame->contentDocument());
+}
+
+}
diff --git a/Source/WebCore/bindings/generic/BindingSecurity.h b/Source/WebCore/bindings/generic/BindingSecurity.h
index 7e5ff7de5..99d7f0097 100644
--- a/Source/WebCore/bindings/generic/BindingSecurity.h
+++ b/Source/WebCore/bindings/generic/BindingSecurity.h
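Review bot: canAccessDocument null-checks `active->securityOrigin()` but hands `targetDocument->securityOrigin()` straight to `canAccess`, while the removed BindingSecurityBase::canAccess returned false for a null target origin, with a comment that crashes had been seen there. If a Document's origin can still be unset at this point (not visible in this diff), the guard should be kept, e.g. `if (!targetDocument->securityOrigin()) return false;` before the canAccess call; otherwise a one-line comment stating why the target origin is always set would do. Separately, allowSettingFrameSrcToJavascriptUrl now denies a javascript: URL when `frame->contentDocument()` is null, where the old template allowed it; that fail-closed change deserves a comment such as `// No content document: deny rather than allow the javascript: URL.`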
@@ -31,120 +31,26 @@ #ifndef BindingSecurity_h #define BindingSecurity_h -#include "BindingSecurityBase.h" -#include "DOMWindow.h" -#include "Document.h" -#include "Element.h" -#include "Frame.h" -#include "GenericBinding.h" -#include "HTMLFrameElementBase.h" -#include "HTMLNames.h" -#include "HTMLParserIdioms.h" -#include "ScriptController.h" -#include "Settings.h" +#include "BindingState.h" +#include <wtf/text/WTFString.h> namespace WebCore { -class DOMWindow; +class HTMLFrameElementBase; class Node; -// Security functions shared by various language bindings. -template <class Binding> -class BindingSecurity : public BindingSecurityBase { -public: - // Check if the active execution context can access the target frame. - static bool canAccessFrame(State<Binding>*, Frame*, bool reportError); - - // Check if it is safe to access the given node from the - // current security context. - static bool shouldAllowAccessToNode(State<Binding>*, Node* target); - - static bool allowPopUp(State<Binding>*); - static bool allowSettingFrameSrcToJavascriptUrl(State<Binding>*, HTMLFrameElementBase*, const String& value); - static bool allowSettingSrcToJavascriptURL(State<Binding>*, Element*, const String& name, const String& value); - -private: - explicit BindingSecurity() {} - ~BindingSecurity(); - - // Check if the current DOMWindow's security context can access the target - // DOMWindow. This function does not report errors, so most callers should - // use canAccessFrame instead. - static bool canAccessWindow(State<Binding>*, DOMWindow* target); +enum SecurityReportingOption { + DoNotReportSecurityError, + ReportSecurityError, }; -// Implementations of templated methods must be in this file. 
- -template <class Binding> -bool BindingSecurity<Binding>::canAccessWindow(State<Binding>* state, - DOMWindow* targetWindow) -{ - DOMWindow* activeWindow = state->activeWindow(); - return canAccess(activeWindow, targetWindow); -} - -template <class Binding> -bool BindingSecurity<Binding>::canAccessFrame(State<Binding>* state, - Frame* target, - bool reportError) -{ - // The subject is detached from a frame, deny accesses. - if (!target) - return false; - - if (!canAccessWindow(state, getDOMWindow(target))) { - if (reportError) - state->immediatelyReportUnsafeAccessTo(target); - return false; - } - return true; -} - -template <class Binding> -bool BindingSecurity<Binding>::shouldAllowAccessToNode(State<Binding>* state, Node* node) -{ - if (!node) - return false; - - Frame* target = getFrame(node); - - if (!target) - return false; - - return canAccessFrame(state, target, true); -} - -template <class Binding> -bool BindingSecurity<Binding>::allowPopUp(State<Binding>* state) -{ - if (ScriptController::processingUserGesture()) - return true; - - Frame* frame = state->firstFrame(); - ASSERT(frame); - Settings* settings = frame->settings(); - return settings && settings->javaScriptCanOpenWindowsAutomatically(); -} - -template <class Binding> -bool BindingSecurity<Binding>::allowSettingFrameSrcToJavascriptUrl(State<Binding>* state, HTMLFrameElementBase* frame, const String& value) -{ - if (protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(value))) { - Node* contentDoc = frame->contentDocument(); - if (contentDoc && !shouldAllowAccessToNode(state, contentDoc)) - return false; - } - return true; -} - -template <class Binding> -bool BindingSecurity<Binding>::allowSettingSrcToJavascriptURL(State<Binding>* state, Element* element, const String& name, const String& value) -{ - if ((element->hasTagName(HTMLNames::iframeTag) || element->hasTagName(HTMLNames::frameTag)) && equalIgnoringCase(name, "src")) - return allowSettingFrameSrcToJavascriptUrl(state, 
static_cast<HTMLFrameElementBase*>(element), value); - return true; -} +class BindingSecurity { +public: + static bool shouldAllowAccessToNode(BindingState*, Node*); + static bool shouldAllowAccessToFrame(BindingState*, Frame*, SecurityReportingOption = ReportSecurityError); + static bool allowSettingFrameSrcToJavascriptUrl(BindingState*, HTMLFrameElementBase*, const String& value); +}; } -#endif // BindingSecurity_h +#endif diff --git a/Source/WebCore/bindings/generic/BindingSecurityBase.cpp b/Source/WebCore/bindings/generic/BindingSecurityBase.cpp deleted file mode 100644 index 16a078579..000000000 --- a/Source/WebCore/bindings/generic/BindingSecurityBase.cpp +++ /dev/null 
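Review bot: The rewritten BindingSecurity class declares its three access checks without any comment, whereas the removed template documented what each one checks; for a same-origin boundary the contract belongs at the declaration, e.g. `// Returns true only if the active DOMWindow's SecurityOrigin can access the target's document; false for a null target.` above shouldAllowAccessToNode and `// Reports the denied access unless DoNotReportSecurityError is passed.` above shouldAllowAccessToFrame. `Frame` appears in a signature but only HTMLFrameElementBase and Node are forward-declared in this header, so it seems to rely on BindingState.h to declare it; adding `class Frame;` would make that dependency explicit.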
@@ -1,74 +0,0 @@ -/* - * Copyright (C) 2009 Google Inc. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following disclaimer - * in the documentation and/or other materials provided with the - * distribution. - * * Neither the name of Google Inc. nor the names of its - * contributors may be used to endorse or promote products derived from - * this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "config.h" -#include "BindingSecurityBase.h" - -#include "DOMWindow.h" -#include "Document.h" -#include "Frame.h" -#include "SecurityOrigin.h" - -namespace WebCore { - -DOMWindow* BindingSecurityBase::getDOMWindow(Frame* frame) -{ - return frame->domWindow(); -} - -Frame* BindingSecurityBase::getFrame(Node* node) -{ - return node->document()->frame(); -} - -bool BindingSecurityBase::canAccess(DOMWindow* activeWindow, DOMWindow* targetWindow) -{ - ASSERT(targetWindow); - if (activeWindow == targetWindow) - return true; - - if (!activeWindow) - return false; - - SecurityOrigin* activeSecurityOrigin = activeWindow->securityOrigin(); - SecurityOrigin* targetSecurityOrigin = targetWindow->securityOrigin(); - - // We have seen crashes were the security origin of the target has not been - // initialized. Defend against that. - if (!targetSecurityOrigin) - return false; - - if (activeSecurityOrigin->canAccess(targetSecurityOrigin)) - return true; - - return false; -} - -} diff --git a/Source/WebCore/bindings/generic/BindingSecurityBase.h b/Source/WebCore/bindings/generic/BindingSecurityBase.h deleted file mode 100644 index cfa2e9997..000000000 --- a/Source/WebCore/bindings/generic/BindingSecurityBase.h +++ /dev/null 
@@ -1,52 +0,0 @@ -/* - * Copyright (C) 2009 Google Inc. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are - * met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following disclaimer - * in the documentation and/or other materials provided with the - * distribution. - * * Neither the name of Google Inc. nor the names of its - * contributors may be used to endorse or promote products derived from - * this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef BindingSecurityBase_h -#define BindingSecurityBase_h - -namespace WebCore { - -class DOMWindow; -class Frame; -class Node; - -// Helper functions for BindingSecurity that depend on WebCore classes, and -// thus should not be implemented in BindingSecurity.h, which contains template -// method definitions. 
-class BindingSecurityBase { -protected: - static DOMWindow* getDOMWindow(Frame*); - static Frame* getFrame(Node*); - static bool canAccess(DOMWindow* active, DOMWindow* target); -}; - -} - -#endif // BindingSecurityBase_h diff --git a/Source/WebCore/bindings/generic/GenericBinding.h b/Source/WebCore/bindings/generic/GenericBinding.h index 69d31fa0a..fd1181f9f 100644 --- a/Source/WebCore/bindings/generic/GenericBinding.h +++ b/Source/WebCore/bindings/generic/GenericBinding.h @@ -31,32 +31,15 @@ #ifndef GenericBinding_h #define GenericBinding_h +#include "BindingState.h" #include "Document.h" #include "Frame.h" -#include "FrameLoader.h" namespace WebCore { -// Used to instantiate binding templates for any methods shared among all -// language bindings. -class GenericBinding {}; - -// Class to represent execution state for each language binding. -template <class T> -class State {}; - -// Common notion of execution state for language bindings. -template <> -class State<GenericBinding> { - // Any methods shared across bindings can go here. -}; - -template <class Binding> -KURL completeURL(State<Binding>* state, const String& relativeURL) +inline KURL completeURL(BindingState* state, const String& relativeURL) { - // For historical reasons, we need to complete the URL using the - // dynamic frame. - Frame* frame = state->firstFrame(); + Frame* frame = firstFrame(state); if (!frame) return KURL(); return frame->document()->completeURL(relativeURL); diff --git a/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.cpp b/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.cpp index a22f44501..59ec0628d 100644 --- a/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.cpp +++ b/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.cpp 
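Review bot: The rewritten completeURL in GenericBinding.h drops the comment explaining that the URL is completed against the first (dynamic) frame for historical reasons, which was the only hint that `firstFrame(state)` rather than the active frame is intentional; I would keep it as `// For historical reasons, complete the URL using the first (dynamic) frame.` above the `firstFrame(state)` line. The unchanged `frame->document()->completeURL(relativeURL)` is still called without checking the document, so if a frame can lack a document at this point (not visible here) that deserves a guard or a comment as well. The function's closing brace lies outside the hunk.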
@@ -188,6 +188,8 @@ bool RuntimeEnabledFeatures::isEncryptedMediaEnabled = false; #if ENABLE(SHADOW_DOM) bool RuntimeEnabledFeatures::isShadowDOMEnabled = false; + +bool RuntimeEnabledFeatures::isAuthorShadowDOMForAnyElementEnabled = false; #endif #if ENABLE(STYLE_SCOPED) diff --git a/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.h b/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.h index 684c57d8b..c68c3a80e 100644 --- a/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.h +++ b/Source/WebCore/bindings/generic/RuntimeEnabledFeatures.h @@ -188,6 +188,7 @@ public: static bool peerConnectionEnabled() { return isMediaStreamEnabled && isPeerConnectionEnabled; } static void setPeerConnectionEnabled(bool isEnabled) { isPeerConnectionEnabled = isEnabled; } static bool webkitPeerConnection00Enabled() { return peerConnectionEnabled(); } + static bool webkitRTCPeerConnectionEnabled() { return peerConnectionEnabled(); } #endif #if ENABLE(GAMEPAD) @@ -218,6 +219,9 @@ public: #if ENABLE(SHADOW_DOM) static bool shadowDOMEnabled() { return isShadowDOMEnabled; } static void setShadowDOMEnabled(bool isEnabled) { isShadowDOMEnabled = isEnabled; } + + static bool authorShadowDOMForAnyElementEnabled() { return isAuthorShadowDOMForAnyElementEnabled; } + static void setAuthorShadowDOMForAnyElementEnabled(bool isEnabled) { isAuthorShadowDOMForAnyElementEnabled = isEnabled; } #endif #if ENABLE(STYLE_SCOPED) @@ -324,6 +328,8 @@ private: #if ENABLE(SHADOW_DOM) static bool isShadowDOMEnabled; + + static bool isAuthorShadowDOMForAnyElementEnabled; #endif #if ENABLE(STYLE_SCOPED) |
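Review bot: `authorShadowDOMForAnyElementEnabled()` in RuntimeEnabledFeatures.h returns its flag on its own, so it can report true while `isShadowDOMEnabled` is false; `peerConnectionEnabled()` in the same header gates on its parent flag with `isMediaStreamEnabled && isPeerConnectionEnabled`. If author shadow DOM is meant to depend on shadow DOM being enabled (an assumption, the callers are not shown), the getter could follow the same pattern: `return isShadowDOMEnabled && isAuthorShadowDOMForAnyElementEnabled;`. If the independence is deliberate, a comment like `// Independent of shadowDOMEnabled(); callers must check both.` would record it.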