091fdb4291e1772c98ecfd8efa08dcaeb6018623
[WebKit-https.git] / Source / WebCore / page / SecurityPolicy.cpp
1 /*
2  * Copyright (C) 2011 Google Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1.  Redistributions of source code must retain the above copyright
9  *     notice, this list of conditions and the following disclaimer.
10  * 2.  Redistributions in binary form must reproduce the above copyright
11  *     notice, this list of conditions and the following disclaimer in the
12  *     documentation and/or other materials provided with the distribution.
13  * 3.  Neither the name of Google, Inc. ("Google") nor the names of
14  *     its contributors may be used to endorse or promote products derived
15  *     from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY GOOGLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28
29 #include "config.h"
30 #include "SecurityPolicy.h"
31
32 #include "OriginAccessEntry.h"
33 #include "SecurityOrigin.h"
34 #include "URL.h"
35 #include <memory>
36 #include <wtf/HashMap.h>
37 #include <wtf/MainThread.h>
38 #include <wtf/NeverDestroyed.h>
39 #include <wtf/text/StringHash.h>
40
41 namespace WebCore {
42
43 static SecurityPolicy::LocalLoadPolicy localLoadPolicy = SecurityPolicy::AllowLocalLoadsForLocalOnly;
44
45 typedef Vector<OriginAccessEntry> OriginAccessWhiteList;
46 typedef HashMap<String, std::unique_ptr<OriginAccessWhiteList>> OriginAccessMap;
47
48 static Lock& originAccessMapLock()
49 {
50     static NeverDestroyed<Lock> lock;
51     return lock;
52 }
53
54 static OriginAccessMap& originAccessMap()
55 {
56     ASSERT(originAccessMapLock().isHeld());
57     static NeverDestroyed<OriginAccessMap> originAccessMap;
58     return originAccessMap;
59 }
60
61 bool SecurityPolicy::shouldHideReferrer(const URL& url, const String& referrer)
62 {
63     bool referrerIsSecureURL = protocolIs(referrer, "https");
64     bool referrerIsWebURL = referrerIsSecureURL || protocolIs(referrer, "http");
65
66     if (!referrerIsWebURL)
67         return true;
68
69     if (!referrerIsSecureURL)
70         return false;
71
72     bool URLIsSecureURL = url.protocolIs("https");
73
74     return !URLIsSecureURL;
75 }
76
77 String SecurityPolicy::referrerToOriginString(const String& referrer)
78 {
79     String originString = SecurityOrigin::createFromString(referrer)->toString();
80     if (originString == "null")
81         return String();
82     // A security origin is not a canonical URL as it lacks a path. Add /
83     // to turn it into a canonical URL we can use as referrer.
84     return originString + "/";
85 }
86
87 String SecurityPolicy::generateReferrerHeader(ReferrerPolicy referrerPolicy, const URL& url, const String& referrer)
88 {
89     ASSERT(referrer == URL(URL(), referrer).strippedForUseAsReferrer());
90
91     if (referrer.isEmpty())
92         return String();
93
94     if (!protocolIsInHTTPFamily(referrer))
95         return String();
96
97     switch (referrerPolicy) {
98     case ReferrerPolicy::EmptyString:
99         ASSERT_NOT_REACHED();
100         break;
101     case ReferrerPolicy::NoReferrer:
102         return String();
103     case ReferrerPolicy::NoReferrerWhenDowngrade:
104         break;
105     case ReferrerPolicy::SameOrigin: {
106         auto origin = SecurityOrigin::createFromString(referrer);
107         if (!origin->canRequest(url))
108             return String();
109         break;
110     }
111     case ReferrerPolicy::Origin:
112         return referrerToOriginString(referrer);
113     case ReferrerPolicy::StrictOrigin:
114         if (shouldHideReferrer(url, referrer))
115             return String();
116         return referrerToOriginString(referrer);
117     case ReferrerPolicy::OriginWhenCrossOrigin: {
118         auto origin = SecurityOrigin::createFromString(referrer);
119         if (!origin->canRequest(url))
120             return referrerToOriginString(referrer);
121         break;
122     }
123     case ReferrerPolicy::StrictOriginWhenCrossOrigin: {
124         auto origin = SecurityOrigin::createFromString(referrer);
125         if (!origin->canRequest(url)) {
126             if (shouldHideReferrer(url, referrer))
127                 return String();
128             return referrerToOriginString(referrer);
129         }
130         break;
131     }
132     case ReferrerPolicy::UnsafeUrl:
133         return referrer;
134     }
135
136     return shouldHideReferrer(url, referrer) ? String() : referrer;
137 }
138
139 void SecurityPolicy::setLocalLoadPolicy(LocalLoadPolicy policy)
140 {
141     localLoadPolicy = policy;
142 }
143
144 bool SecurityPolicy::restrictAccessToLocal()
145 {
146     return localLoadPolicy != SecurityPolicy::AllowLocalLoadsForAll;
147 }
148
149 bool SecurityPolicy::allowSubstituteDataAccessToLocal()
150 {
151     return localLoadPolicy != SecurityPolicy::AllowLocalLoadsForLocalOnly;
152 }
153
154 bool SecurityPolicy::isAccessWhiteListed(const SecurityOrigin* activeOrigin, const SecurityOrigin* targetOrigin)
155 {
156     Locker<Lock> locker(originAccessMapLock());
157     if (OriginAccessWhiteList* list = originAccessMap().get(activeOrigin->toString())) {
158         for (auto& entry : *list) {
159             if (entry.matchesOrigin(*targetOrigin))
160                 return true;
161         }
162     }
163     return false;
164 }
165
166 bool SecurityPolicy::isAccessToURLWhiteListed(const SecurityOrigin* activeOrigin, const URL& url)
167 {
168     Ref<SecurityOrigin> targetOrigin(SecurityOrigin::create(url));
169     return isAccessWhiteListed(activeOrigin, &targetOrigin.get());
170 }
171
172 void SecurityPolicy::addOriginAccessWhitelistEntry(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomain, bool allowDestinationSubdomains)
173 {
174     ASSERT(!sourceOrigin.isUnique());
175     if (sourceOrigin.isUnique())
176         return;
177
178     String sourceString = sourceOrigin.toString();
179
180     Locker<Lock> locker(originAccessMapLock());
181     OriginAccessMap::AddResult result = originAccessMap().add(sourceString, nullptr);
182     if (result.isNewEntry)
183         result.iterator->value = std::make_unique<OriginAccessWhiteList>();
184
185     OriginAccessWhiteList* list = result.iterator->value.get();
186     list->append(OriginAccessEntry(destinationProtocol, destinationDomain, allowDestinationSubdomains ? OriginAccessEntry::AllowSubdomains : OriginAccessEntry::DisallowSubdomains, OriginAccessEntry::TreatIPAddressAsIPAddress));
187 }
188
189 void SecurityPolicy::removeOriginAccessWhitelistEntry(const SecurityOrigin& sourceOrigin, const String& destinationProtocol, const String& destinationDomain, bool allowDestinationSubdomains)
190 {
191     ASSERT(!sourceOrigin.isUnique());
192     if (sourceOrigin.isUnique())
193         return;
194
195     String sourceString = sourceOrigin.toString();
196
197     Locker<Lock> locker(originAccessMapLock());
198     OriginAccessMap& map = originAccessMap();
199     OriginAccessMap::iterator it = map.find(sourceString);
200     if (it == map.end())
201         return;
202
203     OriginAccessWhiteList& list = *it->value;
204     OriginAccessEntry originAccessEntry(destinationProtocol, destinationDomain, allowDestinationSubdomains ? OriginAccessEntry::AllowSubdomains : OriginAccessEntry::DisallowSubdomains, OriginAccessEntry::TreatIPAddressAsIPAddress);
205     if (!list.removeFirst(originAccessEntry))
206         return;
207
208     if (list.isEmpty())
209         map.remove(it);
210 }
211
212 void SecurityPolicy::resetOriginAccessWhitelists()
213 {
214     Locker<Lock> locker(originAccessMapLock());
215     originAccessMap().clear();
216 }
217
218 } // namespace WebCore