blob: 9486db24f78d46a05d9d24b8362903f0684e47d7 [file] [log] [blame]
// Copyright (c) 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <string>
#include "base/gtest_prod_util.h"
#include "base/strings/string_util.h"
#include "content/common/content_export.h"
#include "url/origin.h"
namespace content {
// This class holds isolated origin patterns, providing support for double
// wildcard origins, e.g. https://[*.] indicates that all domains under
// are to be treated as if they are distinct isolated
// origins. Non-wildcard origins to be isolated are also supported, e.g.
class CONTENT_EXPORT IsolatedOriginPattern {
explicit IsolatedOriginPattern(base::StringPiece pattern);
explicit IsolatedOriginPattern(const url::Origin& origin);
// Copying and moving supported.
IsolatedOriginPattern(const IsolatedOriginPattern& other);
IsolatedOriginPattern& operator=(const IsolatedOriginPattern& other);
IsolatedOriginPattern(IsolatedOriginPattern&& other);
IsolatedOriginPattern& operator=(IsolatedOriginPattern&& other);
bool operator==(const IsolatedOriginPattern& other) const {
// |pattern_| is deliberately not considered during equality comparison as
// it stores the pattern as supplied at construction time, before
// normalisation. This leads to erroneous cases of mismatch where
// IsolatedOriginPattern("") and IsolatedOriginPattern("")
// will fail equality comparison, despite both resolving to the same origin.
return origin_ == other.origin_ &&
isolate_all_subdomains_ == other.isolate_all_subdomains_ &&
is_valid_ == other.is_valid_;
// Returns the url::Origin corresponding to the pattern supplied at
// construction time or via a call to Parse. In the event of parsing failure
// this oriqin will be opaque.
const url::Origin& origin() const { return origin_; }
// True if the supplied pattern was of the form https://[*.],
// indicating all subdomains of are to be isolated.
bool isolate_all_subdomains() const { return isolate_all_subdomains_; }
// Return the original pattern used to construct this instance.
const base::StringPiece pattern() const { return pattern_; }
// Return if this origin is valid for isolation purposes.
bool is_valid() const { return is_valid_; }
friend class ChildProcessSecurityPolicyTest;
// Checks if |pattern| is a wildcard pattern, checks the scheme is one of
// {http, https} and constructs a url::Origin() that can be retrieved if
// parsing is successful. Returns true on successful parsing.
bool Parse(const base::StringPiece& pattern);
std::string pattern_;
url::Origin origin_;
bool isolate_all_subdomains_;
bool is_valid_;
class CONTENT_EXPORT IsolatedOriginUtil {
// Checks whether |origin| matches the isolated origin specified by
// |isolated_origin|. Subdomains are considered to match isolated origins,
// so this will be true if
// (1) |origin| has the same scheme, host, and port as |isolated_origin|, or
// (2) |origin| has the same scheme and port as |isolated_origin|, and its
// host is a subdomain of |isolated_origin|'s host.
// This does not consider site URLs, which don't care about port.
// For example, if |isolated_origin| is, this will
// return true if |origin| is or
//, but it will return false for an |origin| of
// or
static bool DoesOriginMatchIsolatedOrigin(const url::Origin& origin,
const url::Origin& isolated_origin);
// Check if |origin| is a valid isolated origin. Invalid isolated origins
// include unique origins, origins that don't have an HTTP or HTTPS scheme,
// and origins without a valid registry-controlled domain. IP addresses are
// allowed.
static bool IsValidIsolatedOrigin(const url::Origin& origin);
} // namespace content