File indexing completed on 2024-05-05 16:11:43
0001 /* 0002 * Copyright (C) 2007,2008 Apple Inc. All rights reserved. 0003 * 0004 * Redistribution and use in source and binary forms, with or without 0005 * modification, are permitted provided that the following conditions 0006 * are met: 0007 * 0008 * 1. Redistributions of source code must retain the above copyright 0009 * notice, this list of conditions and the following disclaimer. 0010 * 2. Redistributions in binary form must reproduce the above copyright 0011 * notice, this list of conditions and the following disclaimer in the 0012 * documentation and/or other materials provided with the distribution. 0013 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 0014 * its contributors may be used to endorse or promote products derived 0015 * from this software without specific prior written permission. 0016 * 0017 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 0018 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 0019 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 0020 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 0021 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 0022 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 0023 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 0024 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 0025 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 0026 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 0027 */ 0028 0029 #ifndef SecurityOrigin_h 0030 #define SecurityOrigin_h 0031 0032 #include <misc/shared.h> 0033 0034 #include <QUrl> 0035 0036 namespace khtml 0037 { 0038 0039 class SecurityOrigin : public Shared<SecurityOrigin> 0040 { 0041 public: 0042 static SecurityOrigin *createFromString(const QString &); 0043 static SecurityOrigin *create(const QUrl &); 0044 static SecurityOrigin *createEmpty(); 0045 0046 // Set the domain property of this security origin to newDomain. This 0047 // function does not check whether newDomain is a suffix of the current 0048 // domain. The caller is responsible for validating newDomain. 0049 void setDomainFromDOM(const QString &newDomain); 0050 bool domainWasSetInDOM() const 0051 { 0052 return m_domainWasSetInDOM; 0053 } 0054 0055 QString protocol() const 0056 { 0057 return m_protocol; 0058 } 0059 QString host() const 0060 { 0061 return m_host; 0062 } 0063 QString domain() const 0064 { 0065 return m_domain; 0066 } 0067 unsigned short port() const 0068 { 0069 return m_port; 0070 } 0071 0072 // Returns true if this SecurityOrigin can script objects in the given 0073 // SecurityOrigin. For example, call this function before allowing 0074 // script from one security origin to read or write objects from 0075 // another SecurityOrigin. 0076 bool canAccess(const SecurityOrigin *) const; 0077 0078 // Returns true if this SecurityOrigin can read content retrieved from 0079 // the given URL. For example, call this function before issuing 0080 // XMLHttpRequests. 0081 bool canRequest(const QUrl &) const; 0082 0083 // Returns true if drawing an image from this URL taints a canvas from 0084 // this security origin. For example, call this function before 0085 // drawing an image onto an HTML canvas element with the drawImage API. 0086 bool taintsCanvas(const QUrl &) const; 0087 0088 // The local SecurityOrigin is the most privileged SecurityOrigin. 0089 // The local SecurityOrigin can script any document, navigate to local 0090 // resources, and can set arbitrary headers on XMLHttpRequests. 0091 bool isLocal() const; 0092 0093 // The empty SecurityOrigin is the least privileged SecurityOrigin. 0094 bool isEmpty() const; 0095 0096 // The origin is a globally unique identifier assigned when the Document is 0097 // created. https://html.spec.whatwg.org/#sandboxOrigin 0098 bool isUnique() const 0099 { 0100 return m_isUnique; 0101 } 0102 0103 // Marks an origin as being unique. 0104 void makeUnique(); 0105 0106 // Convert this SecurityOrigin into a string. The string 0107 // representation of a SecurityOrigin is similar to a URL, except it 0108 // lacks a path component. The string representation does not encode 0109 // the value of the SecurityOrigin's domain property. 0110 // 0111 // When using the string value, it's important to remember that it might be 0112 // "null". This happens when this SecurityOrigin is unique. For example, 0113 // this SecurityOrigin might have come from a sandboxed iframe, the 0114 // SecurityOrigin might be empty, or we might have explicitly decided that 0115 // we shouldTreatURLSchemeAsNoAccess. 0116 QString toString() const; 0117 0118 // This method checks for equality, ignoring the value of document.domain 0119 // (and whether it was set) but considering the host. It is used for postMessage. 0120 bool isSameSchemeHostPort(const SecurityOrigin *) const; 0121 0122 private: 0123 SecurityOrigin(const QUrl &); 0124 explicit SecurityOrigin(const SecurityOrigin *); 0125 0126 QString m_protocol; 0127 QString m_host; 0128 QString m_domain; 0129 unsigned short m_port; 0130 bool m_domainWasSetInDOM; 0131 bool m_isUnique; 0132 }; 0133 0134 } // namespace khtml 0135 0136 #endif // SecurityOrigin_h