1/*
2 * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#include "config.h"
30#include "SecurityOrigin.h"
31
32#include "BlobURL.h"
33#include "OriginAccessEntry.h"
34#include "PublicSuffix.h"
35#include "SchemeRegistry.h"
36#include "SecurityPolicy.h"
37#include "TextEncoding.h"
38#include "ThreadableBlobRegistry.h"
39#include <wtf/FileSystem.h>
40#include <wtf/MainThread.h>
41#include <wtf/NeverDestroyed.h>
42#include <wtf/StdLibExtras.h>
43#include <wtf/URL.h>
44#include <wtf/text/StringBuilder.h>
45
46namespace WebCore {
47
48static bool schemeRequiresHost(const URL& url)
49{
50 // We expect URLs with these schemes to have authority components. If the
51 // URL lacks an authority component, we get concerned and mark the origin
52 // as unique.
53 return url.protocolIsInHTTPFamily() || url.protocolIs("ftp");
54}
55
56bool SecurityOrigin::shouldUseInnerURL(const URL& url)
57{
58 // FIXME: Blob URLs don't have inner URLs. Their form is "blob:<inner-origin>/<UUID>", so treating the part after "blob:" as a URL is incorrect.
59 if (url.protocolIsBlob())
60 return true;
61 UNUSED_PARAM(url);
62 return false;
63}
64
65// In general, extracting the inner URL varies by scheme. It just so happens
66// that all the URL schemes we currently support that use inner URLs for their
67// security origin can be parsed using this algorithm.
68URL SecurityOrigin::extractInnerURL(const URL& url)
69{
70 // FIXME: Update this callsite to use the innerURL member function when
71 // we finish implementing it.
72 return { URL(), decodeURLEscapeSequences(url.path()) };
73}
74
75static RefPtr<SecurityOrigin> getCachedOrigin(const URL& url)
76{
77 if (url.protocolIsBlob())
78 return ThreadableBlobRegistry::getCachedOrigin(url);
79 return nullptr;
80}
81
82static bool shouldTreatAsUniqueOrigin(const URL& url)
83{
84 if (!url.isValid())
85 return true;
86
87 // FIXME: Do we need to unwrap the URL further?
88 URL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
89
90 // FIXME: Check whether innerURL is valid.
91
92 // For edge case URLs that were probably misparsed, make sure that the origin is unique.
93 // This is an additional safety net against bugs in URL parsing, and for network back-ends that parse URLs differently,
94 // and could misinterpret another component for hostname.
95 if (schemeRequiresHost(innerURL) && innerURL.host().isEmpty())
96 return true;
97
98 if (SchemeRegistry::shouldTreatURLSchemeAsNoAccess(innerURL.protocol().toStringWithoutCopying()))
99 return true;
100
101 // This is the common case.
102 return false;
103}
104
105static bool isLoopbackIPAddress(StringView host)
106{
107 // The IPv6 loopback address is 0:0:0:0:0:0:0:1, which compresses to ::1.
108 if (host == "[::1]")
109 return true;
110
111 // Check to see if it's a valid IPv4 address that has the form 127.*.*.*.
112 if (!host.startsWith("127."))
113 return false;
114 size_t dotsFound = 0;
115 for (size_t i = 0; i < host.length(); ++i) {
116 if (host[i] == '.') {
117 dotsFound++;
118 continue;
119 }
120 if (!isASCIIDigit(host[i]))
121 return false;
122 }
123 return dotsFound == 3;
124}
125
126// https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy (Editor's Draft, 17 November 2016)
127static bool shouldTreatAsPotentiallyTrustworthy(const String& protocol, const String& host)
128{
129 if (SchemeRegistry::shouldTreatURLSchemeAsSecure(protocol))
130 return true;
131
132 if (SecurityOrigin::isLocalHostOrLoopbackIPAddress(host))
133 return true;
134
135 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol))
136 return true;
137
138 return false;
139}
140
141bool shouldTreatAsPotentiallyTrustworthy(const URL& url)
142{
143 return shouldTreatAsPotentiallyTrustworthy(url.protocol().toStringWithoutCopying(), url.host().toStringWithoutCopying());
144}
145
146SecurityOrigin::SecurityOrigin(const URL& url)
147 : m_data(SecurityOriginData::fromURL(url))
148 , m_isLocal(SchemeRegistry::shouldTreatURLSchemeAsLocal(m_data.protocol))
149{
150 // document.domain starts as m_data.host, but can be set by the DOM.
151 m_domain = m_data.host;
152
153 if (m_data.port && WTF::isDefaultPortForProtocol(m_data.port.value(), m_data.protocol))
154 m_data.port = WTF::nullopt;
155
156 // By default, only local SecurityOrigins can load local resources.
157 m_canLoadLocalResources = isLocal();
158
159 if (m_canLoadLocalResources)
160 m_filePath = url.fileSystemPath(); // In case enforceFilePathSeparation() is called.
161
162 m_isPotentiallyTrustworthy = shouldTreatAsPotentiallyTrustworthy(url);
163}
164
165SecurityOrigin::SecurityOrigin()
166 : m_data { emptyString(), emptyString(), WTF::nullopt }
167 , m_domain { emptyString() }
168 , m_isUnique { true }
169 , m_isPotentiallyTrustworthy { true }
170{
171}
172
173SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
174 : m_data { other->m_data.isolatedCopy() }
175 , m_domain { other->m_domain.isolatedCopy() }
176 , m_filePath { other->m_filePath.isolatedCopy() }
177 , m_isUnique { other->m_isUnique }
178 , m_universalAccess { other->m_universalAccess }
179 , m_domainWasSetInDOM { other->m_domainWasSetInDOM }
180 , m_canLoadLocalResources { other->m_canLoadLocalResources }
181 , m_storageBlockingPolicy { other->m_storageBlockingPolicy }
182 , m_enforcesFilePathSeparation { other->m_enforcesFilePathSeparation }
183 , m_needsStorageAccessFromFileURLsQuirk { other->m_needsStorageAccessFromFileURLsQuirk }
184 , m_isPotentiallyTrustworthy { other->m_isPotentiallyTrustworthy }
185 , m_isLocal { other->m_isLocal }
186{
187}
188
189Ref<SecurityOrigin> SecurityOrigin::create(const URL& url)
190{
191 if (RefPtr<SecurityOrigin> cachedOrigin = getCachedOrigin(url))
192 return cachedOrigin.releaseNonNull();
193
194 if (shouldTreatAsUniqueOrigin(url))
195 return adoptRef(*new SecurityOrigin);
196
197 if (shouldUseInnerURL(url))
198 return adoptRef(*new SecurityOrigin(extractInnerURL(url)));
199
200 return adoptRef(*new SecurityOrigin(url));
201}
202
203Ref<SecurityOrigin> SecurityOrigin::createUnique()
204{
205 Ref<SecurityOrigin> origin(adoptRef(*new SecurityOrigin));
206 ASSERT(origin.get().isUnique());
207 return origin;
208}
209
210Ref<SecurityOrigin> SecurityOrigin::createNonLocalWithAllowedFilePath(const URL& url, const String& filePath)
211{
212 ASSERT(!url.isLocalFile());
213 auto securityOrigin = SecurityOrigin::create(url);
214 securityOrigin->m_filePath = filePath;
215 return securityOrigin;
216}
217
218Ref<SecurityOrigin> SecurityOrigin::isolatedCopy() const
219{
220 return adoptRef(*new SecurityOrigin(this));
221}
222
223void SecurityOrigin::setDomainFromDOM(const String& newDomain)
224{
225 m_domainWasSetInDOM = true;
226 m_domain = newDomain.convertToASCIILowercase();
227}
228
229bool SecurityOrigin::isSecure(const URL& url)
230{
231 // Invalid URLs are secure, as are URLs which have a secure protocol.
232 if (!url.isValid() || SchemeRegistry::shouldTreatURLSchemeAsSecure(url.protocol().toStringWithoutCopying()))
233 return true;
234
235 // URLs that wrap inner URLs are secure if those inner URLs are secure.
236 if (shouldUseInnerURL(url) && SchemeRegistry::shouldTreatURLSchemeAsSecure(extractInnerURL(url).protocol().toStringWithoutCopying()))
237 return true;
238
239 return false;
240}
241
242bool SecurityOrigin::canAccess(const SecurityOrigin& other) const
243{
244 if (m_universalAccess)
245 return true;
246
247 if (this == &other)
248 return true;
249
250 if (isUnique() || other.isUnique())
251 return false;
252
253 // Here are two cases where we should permit access:
254 //
255 // 1) Neither document has set document.domain. In this case, we insist
256 // that the scheme, host, and port of the URLs match.
257 //
258 // 2) Both documents have set document.domain. In this case, we insist
259 // that the documents have set document.domain to the same value and
260 // that the scheme of the URLs match.
261 //
262 // This matches the behavior of Firefox 2 and Internet Explorer 6.
263 //
264 // Internet Explorer 7 and Opera 9 are more strict in that they require
265 // the port numbers to match when both pages have document.domain set.
266 //
267 // FIXME: Evaluate whether we can tighten this policy to require matched
268 // port numbers.
269 //
270 // Opera 9 allows access when only one page has set document.domain, but
271 // this is a security vulnerability.
272
273 bool canAccess = false;
274 if (m_data.protocol == other.m_data.protocol) {
275 if (!m_domainWasSetInDOM && !other.m_domainWasSetInDOM) {
276 if (m_data.host == other.m_data.host && m_data.port == other.m_data.port)
277 canAccess = true;
278 } else if (m_domainWasSetInDOM && other.m_domainWasSetInDOM) {
279 if (m_domain == other.m_domain)
280 canAccess = true;
281 }
282 }
283
284 if (canAccess && isLocal())
285 canAccess = passesFileCheck(other);
286
287 return canAccess;
288}
289
290bool SecurityOrigin::passesFileCheck(const SecurityOrigin& other) const
291{
292 ASSERT(isLocal() && other.isLocal());
293
294 return !m_enforcesFilePathSeparation && !other.m_enforcesFilePathSeparation;
295}
296
297bool SecurityOrigin::canRequest(const URL& url) const
298{
299 if (m_universalAccess)
300 return true;
301
302 if (getCachedOrigin(url) == this)
303 return true;
304
305 if (isUnique())
306 return false;
307
308 Ref<SecurityOrigin> targetOrigin(SecurityOrigin::create(url));
309
310 if (targetOrigin->isUnique())
311 return false;
312
313 // We call isSameSchemeHostPort here instead of canAccess because we want
314 // to ignore document.domain effects.
315 if (isSameSchemeHostPort(targetOrigin.get()))
316 return true;
317
318 if (SecurityPolicy::isAccessWhiteListed(this, &targetOrigin.get()))
319 return true;
320
321 return false;
322}
323
324bool SecurityOrigin::canReceiveDragData(const SecurityOrigin& dragInitiator) const
325{
326 if (this == &dragInitiator)
327 return true;
328
329 return canAccess(dragInitiator);
330}
331
332// This is a hack to allow keep navigation to http/https feeds working. To remove this
333// we need to introduce new API akin to registerURLSchemeAsLocal, that registers a
334// protocols navigation policy.
335// feed(|s|search): is considered a 'nesting' scheme by embedders that support it, so it can be
336// local or remote depending on what is nested. Currently we just check if we are nesting
337// http or https, otherwise we ignore the nesting for the purpose of a security check. We need
338// a facility for registering nesting schemes, and some generalized logic for them.
339// This function should be removed as an outcome of https://bugs.webkit.org/show_bug.cgi?id=69196
340static bool isFeedWithNestedProtocolInHTTPFamily(const URL& url)
341{
342 const String& string = url.string();
343 if (!startsWithLettersIgnoringASCIICase(string, "feed"))
344 return false;
345 return startsWithLettersIgnoringASCIICase(string, "feed://")
346 || startsWithLettersIgnoringASCIICase(string, "feed:http:")
347 || startsWithLettersIgnoringASCIICase(string, "feed:https:")
348 || startsWithLettersIgnoringASCIICase(string, "feeds:http:")
349 || startsWithLettersIgnoringASCIICase(string, "feeds:https:")
350 || startsWithLettersIgnoringASCIICase(string, "feedsearch:http:")
351 || startsWithLettersIgnoringASCIICase(string, "feedsearch:https:");
352}
353
354bool SecurityOrigin::canDisplay(const URL& url) const
355{
356 if (m_universalAccess)
357 return true;
358
359#if !PLATFORM(IOS_FAMILY)
360 if (m_data.protocol == "file" && url.isLocalFile() && !FileSystem::filesHaveSameVolume(m_filePath, url.fileSystemPath()))
361 return false;
362#endif
363
364 if (isFeedWithNestedProtocolInHTTPFamily(url))
365 return true;
366
367 String protocol = url.protocol().toString();
368
369 if (SchemeRegistry::canDisplayOnlyIfCanRequest(protocol))
370 return canRequest(url);
371
372 if (SchemeRegistry::shouldTreatURLSchemeAsDisplayIsolated(protocol))
373 return equalIgnoringASCIICase(m_data.protocol, protocol) || SecurityPolicy::isAccessToURLWhiteListed(this, url);
374
375 if (!SecurityPolicy::restrictAccessToLocal())
376 return true;
377
378 if (url.isLocalFile() && url.fileSystemPath() == m_filePath)
379 return true;
380
381 if (SchemeRegistry::shouldTreatURLSchemeAsLocal(protocol))
382 return canLoadLocalResources() || SecurityPolicy::isAccessToURLWhiteListed(this, url);
383
384 return true;
385}
386
387bool SecurityOrigin::canAccessStorage(const SecurityOrigin* topOrigin, ShouldAllowFromThirdParty shouldAllowFromThirdParty) const
388{
389 if (isUnique())
390 return false;
391
392 if (isLocal() && !needsStorageAccessFromFileURLsQuirk() && !m_universalAccess && shouldAllowFromThirdParty != AlwaysAllowFromThirdParty)
393 return false;
394
395 if (m_storageBlockingPolicy == BlockAllStorage)
396 return false;
397
398 // FIXME: This check should be replaced with an ASSERT once we can guarantee that topOrigin is not null.
399 if (!topOrigin)
400 return true;
401
402 if (topOrigin->m_storageBlockingPolicy == BlockAllStorage)
403 return false;
404
405 if (shouldAllowFromThirdParty == AlwaysAllowFromThirdParty)
406 return true;
407
408 if (m_universalAccess)
409 return true;
410
411 if ((m_storageBlockingPolicy == BlockThirdPartyStorage || topOrigin->m_storageBlockingPolicy == BlockThirdPartyStorage) && !topOrigin->isSameOriginAs(*this))
412 return false;
413
414 return true;
415}
416
417SecurityOrigin::Policy SecurityOrigin::canShowNotifications() const
418{
419 if (m_universalAccess)
420 return AlwaysAllow;
421 if (isUnique())
422 return AlwaysDeny;
423 return Ask;
424}
425
426bool SecurityOrigin::isSameOriginAs(const SecurityOrigin& other) const
427{
428 if (this == &other)
429 return true;
430
431 if (isUnique() || other.isUnique())
432 return false;
433
434 return isSameSchemeHostPort(other);
435}
436
437bool SecurityOrigin::isMatchingRegistrableDomainSuffix(const String& domainSuffix, bool treatIPAddressAsDomain) const
438{
439 if (domainSuffix.isEmpty())
440 return false;
441
442 auto ipAddressSetting = treatIPAddressAsDomain ? OriginAccessEntry::TreatIPAddressAsDomain : OriginAccessEntry::TreatIPAddressAsIPAddress;
443 OriginAccessEntry accessEntry { protocol(), domainSuffix, OriginAccessEntry::AllowSubdomains, ipAddressSetting };
444 if (!accessEntry.matchesOrigin(*this))
445 return false;
446
447 // Always return true if it is an exact match.
448 if (domainSuffix.length() == host().length())
449 return true;
450
451#if ENABLE(PUBLIC_SUFFIX_LIST)
452 return !isPublicSuffix(domainSuffix);
453#else
454 return true;
455#endif
456}
457
458void SecurityOrigin::grantLoadLocalResources()
459{
460 // Granting privileges to some, but not all, documents in a SecurityOrigin
461 // is a security hazard because the documents without the privilege can
462 // obtain the privilege by injecting script into the documents that have
463 // been granted the privilege.
464 m_canLoadLocalResources = true;
465}
466
467void SecurityOrigin::grantUniversalAccess()
468{
469 m_universalAccess = true;
470}
471
472void SecurityOrigin::grantStorageAccessFromFileURLsQuirk()
473{
474 m_needsStorageAccessFromFileURLsQuirk = true;
475}
476
477String SecurityOrigin::domainForCachePartition() const
478{
479 if (m_storageBlockingPolicy != BlockThirdPartyStorage)
480 return emptyString();
481
482 if (isHTTPFamily())
483 return host();
484
485 if (SchemeRegistry::shouldPartitionCacheForURLScheme(m_data.protocol))
486 return host();
487
488 return emptyString();
489}
490
491void SecurityOrigin::setEnforcesFilePathSeparation()
492{
493 ASSERT(isLocal());
494 m_enforcesFilePathSeparation = true;
495}
496
497String SecurityOrigin::toString() const
498{
499 if (isUnique())
500 return "null"_s;
501 if (m_data.protocol == "file" && m_enforcesFilePathSeparation)
502 return "null"_s;
503 return toRawString();
504}
505
506String SecurityOrigin::toRawString() const
507{
508 return m_data.toString();
509}
510
511static inline bool areOriginsMatching(const SecurityOrigin& origin1, const SecurityOrigin& origin2)
512{
513 ASSERT(&origin1 != &origin2);
514
515 if (origin1.isUnique() || origin2.isUnique())
516 return origin1.isUnique() == origin2.isUnique();
517
518 if (origin1.protocol() != origin2.protocol())
519 return false;
520
521 if (origin1.protocol() == "file")
522 return origin1.enforcesFilePathSeparation() == origin2.enforcesFilePathSeparation();
523
524 if (origin1.host() != origin2.host())
525 return false;
526
527 return origin1.port() == origin2.port();
528}
529
530// This function mimics the result of string comparison of serialized origins.
531bool serializedOriginsMatch(const SecurityOrigin& origin1, const SecurityOrigin& origin2)
532{
533 if (&origin1 == &origin2)
534 return true;
535
536 ASSERT(!areOriginsMatching(origin1, origin2) || (origin1.toString() == origin2.toString()));
537 return areOriginsMatching(origin1, origin2);
538}
539
540bool serializedOriginsMatch(const SecurityOrigin* origin1, const SecurityOrigin* origin2)
541{
542 if (!origin1 || !origin2)
543 return origin1 == origin2;
544
545 return serializedOriginsMatch(*origin1, *origin2);
546}
547
548Ref<SecurityOrigin> SecurityOrigin::createFromString(const String& originString)
549{
550 return SecurityOrigin::create(URL(URL(), originString));
551}
552
553Ref<SecurityOrigin> SecurityOrigin::create(const String& protocol, const String& host, Optional<uint16_t> port)
554{
555 String decodedHost = decodeURLEscapeSequences(host);
556 auto origin = create(URL(URL(), protocol + "://" + host + "/"));
557 if (port && !WTF::isDefaultPortForProtocol(*port, protocol))
558 origin->m_data.port = port;
559 return origin;
560}
561
562bool SecurityOrigin::equal(const SecurityOrigin* other) const
563{
564 if (other == this)
565 return true;
566
567 if (!isSameSchemeHostPort(*other))
568 return false;
569
570 if (m_domainWasSetInDOM != other->m_domainWasSetInDOM)
571 return false;
572
573 if (m_domainWasSetInDOM && m_domain != other->m_domain)
574 return false;
575
576 return true;
577}
578
579bool SecurityOrigin::isSameSchemeHostPort(const SecurityOrigin& other) const
580{
581 if (m_data != other.m_data)
582 return false;
583
584 if (isLocal() && !passesFileCheck(other))
585 return false;
586
587 return true;
588}
589
590bool SecurityOrigin::isLocalHostOrLoopbackIPAddress(StringView host)
591{
592 if (isLoopbackIPAddress(host))
593 return true;
594
595 // FIXME: Ensure that localhost resolves to the loopback address.
596 if (equalLettersIgnoringASCIICase(host, "localhost"))
597 return true;
598
599 return false;
600}
601
602} // namespace WebCore
603