KHtml

security_origin.h
1 /*
2  * Copyright (C) 2007,2008 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  *
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14  * its contributors may be used to endorse or promote products derived
15  * from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  */
28 
29 #ifndef SecurityOrigin_h
30 #define SecurityOrigin_h
31 
32 #include <misc/shared.h>
33 
34 #include <QUrl>
35 
36 namespace khtml
37 {
38 
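// Describes the security origin of a document as a protocol, host, port and
// domain, plus two flags (domain set from the DOM, origin is unique).
// Instances are reference counted through Shared<SecurityOrigin>; the
// constructors are private, so objects are obtained via the static create*()
// functions.
class SecurityOrigin : public Shared<SecurityOrigin>
{
public:
    // Factory functions; each returns a raw pointer to a SecurityOrigin.
    // NOTE(review): the initial reference count and ownership convention come
    // from Shared<> and the implementation file, neither visible in this
    // header -- confirm before holding the result in a bare pointer.
    static SecurityOrigin *createFromString(const QString &);
    static SecurityOrigin *create(const QUrl &);
    static SecurityOrigin *createEmpty();

    // Set the domain property of this security origin to newDomain. This
    // function does not check whether newDomain is a suffix of the current
    // domain. The caller is responsible for validating newDomain.
    //
    // Security: this is the unchecked half of a document.domain assignment.
    // Every call site must have performed the suffix validation itself;
    // forwarding a script-supplied value unvalidated would let a page claim a
    // domain it does not belong to.
    void setDomainFromDOM(const QString &newDomain);

    // Returns the flag recording whether the domain was set from the DOM
    // (presumably by setDomainFromDOM(); the setter's body is not visible here).
    bool domainWasSetInDOM() const
    {
        return m_domainWasSetInDOM;
    }

    // Plain accessors for the stored origin components.
    QString protocol() const
    {
        return m_protocol;
    }
    QString host() const
    {
        return m_host;
    }
    QString domain() const
    {
        return m_domain;
    }
    unsigned short port() const
    {
        return m_port;
    }

    // Returns true if this SecurityOrigin can script objects in the given
    // SecurityOrigin. For example, call this function before allowing
    // script from one security origin to read or write objects from
    // another SecurityOrigin.
    bool canAccess(const SecurityOrigin *) const;

    // Returns true if this SecurityOrigin can read content retrieved from
    // the given URL. For example, call this function before issuing
    // XMLHttpRequests.
    bool canRequest(const QUrl &) const;

    // Returns true if drawing an image from this URL taints a canvas from
    // this security origin. For example, call this function before
    // drawing an image onto an HTML canvas element with the drawImage API.
    bool taintsCanvas(const QUrl &) const;

    // The local SecurityOrigin is the most privileged SecurityOrigin.
    // The local SecurityOrigin can script any document, navigate to local
    // resources, and can set arbitrary headers on XMLHttpRequests.
    bool isLocal() const;

    // The empty SecurityOrigin is the least privileged SecurityOrigin.
    bool isEmpty() const;

    // The origin is a globally unique identifier assigned when the Document is
    // created. https://html.spec.whatwg.org/#sandboxOrigin
    bool isUnique() const
    {
        return m_isUnique;
    }

    // Marks an origin as being unique.
    void makeUnique();

    // Convert this SecurityOrigin into a string. The string
    // representation of a SecurityOrigin is similar to a URL, except it
    // lacks a path component. The string representation does not encode
    // the value of the SecurityOrigin's domain property.
    //
    // When using the string value, it's important to remember that it might be
    // "null". This happens when this SecurityOrigin is unique. For example,
    // this SecurityOrigin might have come from a sandboxed iframe, the
    // SecurityOrigin might be empty, or we might have explicitly decided that
    // we shouldTreatURLSchemeAsNoAccess.
    //
    // Security: because every unique origin can serialize to the same "null"
    // string, equality of two toString() results is not an origin check. Use
    // canAccess() or isSameSchemeHostPort() for access decisions.
    QString toString() const;

    // This method checks for equality, ignoring the value of document.domain
    // (and whether it was set) but considering the host. It is used for postMessage.
    bool isSameSchemeHostPort(const SecurityOrigin *) const;

private:
    // explicit: a QUrl must never convert to a SecurityOrigin implicitly.
    // This also matches the other private constructor below.
    explicit SecurityOrigin(const QUrl &);
    explicit SecurityOrigin(const SecurityOrigin *);

    QString m_protocol;       // returned by protocol()
    QString m_host;           // returned by host()
    QString m_domain;         // returned by domain()
    unsigned short m_port;    // returned by port()
    bool m_domainWasSetInDOM; // returned by domainWasSetInDOM()
    bool m_isUnique;          // returned by isUnique()
};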
133 
134 } // namespace khtml
135 
136 #endif // SecurityOrigin_h