cronet/url/origin.h

*6777b538SAndroid Build Coastguard Worker// Copyright 2015 The Chromium Authors
*6777b538SAndroid Build Coastguard Worker// Use of this source code is governed by a BSD-style license that can be
*6777b538SAndroid Build Coastguard Worker// found in the LICENSE file.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#ifndef URL_ORIGIN_H_
*6777b538SAndroid Build Coastguard Worker#define URL_ORIGIN_H_
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#include <stdint.h>
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#include <memory>
*6777b538SAndroid Build Coastguard Worker#include <optional>
*6777b538SAndroid Build Coastguard Worker#include <string>
*6777b538SAndroid Build Coastguard Worker#include <string_view>
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#include "base/component_export.h"
*6777b538SAndroid Build Coastguard Worker#include "base/debug/alias.h"
*6777b538SAndroid Build Coastguard Worker#include "base/debug/crash_logging.h"
*6777b538SAndroid Build Coastguard Worker#include "base/gtest_prod_util.h"
*6777b538SAndroid Build Coastguard Worker#include "base/strings/string_util.h"
*6777b538SAndroid Build Coastguard Worker#include "base/trace_event/base_tracing_forward.h"
*6777b538SAndroid Build Coastguard Worker#include "base/unguessable_token.h"
*6777b538SAndroid Build Coastguard Worker#include "build/build_config.h"
*6777b538SAndroid Build Coastguard Worker#include "build/buildflag.h"
*6777b538SAndroid Build Coastguard Worker#include "build/robolectric_buildflags.h"
*6777b538SAndroid Build Coastguard Worker#include "url/scheme_host_port.h"
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_ROBOLECTRIC)
*6777b538SAndroid Build Coastguard Worker#include "base/android/jni_android.h"
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workerclass GURL;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace blink {
*6777b538SAndroid Build Coastguard Workerclass SecurityOrigin;
*6777b538SAndroid Build Coastguard Workerclass SecurityOriginTest;
*6777b538SAndroid Build Coastguard Workerclass StorageKey;
*6777b538SAndroid Build Coastguard Workerclass StorageKeyTest;
*6777b538SAndroid Build Coastguard Worker}  // namespace blink
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace content {
*6777b538SAndroid Build Coastguard Workerclass SiteInfo;
*6777b538SAndroid Build Coastguard Worker}  // namespace content
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace IPC {
*6777b538SAndroid Build Coastguard Workertemplate <class P>
*6777b538SAndroid Build Coastguard Workerstruct ParamTraits;
*6777b538SAndroid Build Coastguard Worker}  // namespace IPC
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace ipc_fuzzer {
*6777b538SAndroid Build Coastguard Workertemplate <class T>
*6777b538SAndroid Build Coastguard Workerstruct FuzzTraits;
*6777b538SAndroid Build Coastguard Worker}  // namespace ipc_fuzzer
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace mojo {
*6777b538SAndroid Build Coastguard Workertemplate <typename DataViewType, typename T>
*6777b538SAndroid Build Coastguard Workerstruct StructTraits;
*6777b538SAndroid Build Coastguard Workerstruct UrlOriginAdapter;
*6777b538SAndroid Build Coastguard Worker}  // namespace mojo
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace net {
*6777b538SAndroid Build Coastguard Workerclass SchemefulSite;
*6777b538SAndroid Build Coastguard Worker}  // namespace net
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace url {
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace mojom {
*6777b538SAndroid Build Coastguard Workerclass OriginDataView;
*6777b538SAndroid Build Coastguard Worker}  // namespace mojom
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Per https://html.spec.whatwg.org/multipage/origin.html#origin, an origin is
*6777b538SAndroid Build Coastguard Worker// either:
*6777b538SAndroid Build Coastguard Worker// - a tuple origin of (scheme, host, port) as described in RFC 6454.
*6777b538SAndroid Build Coastguard Worker// - an opaque origin with an internal value, and a memory of the tuple origin
*6777b538SAndroid Build Coastguard Worker//   from which it was derived.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// TL;DR: If you need to make a security-relevant decision, use 'url::Origin'.
*6777b538SAndroid Build Coastguard Worker// If you only need to extract the bits of a URL which are relevant for a
*6777b538SAndroid Build Coastguard Worker// network connection, use 'url::SchemeHostPort'.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// STL;SDR: If you aren't making actual network connections, use 'url::Origin'.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// This class ought to be used when code needs to determine if two resources
*6777b538SAndroid Build Coastguard Worker// are "same-origin", and when a canonical serialization of an origin is
*6777b538SAndroid Build Coastguard Worker// required. Note that the canonical serialization of an origin *must not* be
*6777b538SAndroid Build Coastguard Worker// used to determine if two resources are same-origin.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// A tuple origin, like 'SchemeHostPort', is composed of a tuple of (scheme,
*6777b538SAndroid Build Coastguard Worker// host, port), but contains a number of additional concepts which make it
*6777b538SAndroid Build Coastguard Worker// appropriate for use as a security boundary and access control mechanism
*6777b538SAndroid Build Coastguard Worker// between contexts. Two tuple origins are same-origin if the tuples are equal.
*6777b538SAndroid Build Coastguard Worker// A tuple origin may also be re-created from its serialization.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// An opaque origin has an internal globally unique identifier. When creating a
*6777b538SAndroid Build Coastguard Worker// new opaque origin from a URL, a fresh globally unique identifier is
*6777b538SAndroid Build Coastguard Worker// generated. However, if an opaque origin is copied or moved, the internal
*6777b538SAndroid Build Coastguard Worker// globally unique identifier is preserved. Two opaque origins are same-origin
*6777b538SAndroid Build Coastguard Worker// iff the globally unique identifiers match. Unlike tuple origins, an opaque
*6777b538SAndroid Build Coastguard Worker// origin cannot be re-created from its serialization, which is always the
*6777b538SAndroid Build Coastguard Worker// string "null".
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// IMPORTANT: Since opaque origins always serialize as the string "null", it is
*6777b538SAndroid Build Coastguard Worker// *never* safe to use the serialization for security checks!
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// A tuple origin and an opaque origin are never same-origin.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// There are a few subtleties to note:
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// * A default constructed Origin is opaque, with no precursor origin.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// * Invalid and non-standard GURLs are parsed as opaque origins. This includes
*6777b538SAndroid Build Coastguard Worker//   non-hierarchical URLs like 'data:text/html,...' and 'javascript:alert(1)'.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// * GURLs with schemes of 'filesystem' or 'blob' parse the origin out of the
*6777b538SAndroid Build Coastguard Worker//   internals of the URL. That is, 'filesystem:https://example.com/temporary/f'
*6777b538SAndroid Build Coastguard Worker//   is parsed as ('https', 'example.com', 443).
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// * GURLs with a 'file' scheme are tricky. They are parsed as ('file', '', 0),
*6777b538SAndroid Build Coastguard Worker//   but their behavior may differ from embedder to embedder.
*6777b538SAndroid Build Coastguard Worker//   TODO(dcheng): This behavior is not consistent with Blink's notion of file
*6777b538SAndroid Build Coastguard Worker//   URLs, which always creates an opaque origin.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// * The host component of an IPv6 address includes brackets, just like the URL
*6777b538SAndroid Build Coastguard Worker//   representation.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// * Constructing origins from GURLs (or from SchemeHostPort) is typically a red
*6777b538SAndroid Build Coastguard Worker//   flag (this is true for `url::Origin::Create` but also to some extent for
*6777b538SAndroid Build Coastguard Worker//   `url::Origin::Resolve`). See docs/security/origin-vs-url.md for more.
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker// * To answer the question "Are |this| and |that| "same-origin" with each
*6777b538SAndroid Build Coastguard Worker//   other?", use |Origin::IsSameOriginWith|:
*6777b538SAndroid Build Coastguard Worker//
*6777b538SAndroid Build Coastguard Worker//     if (this.IsSameOriginWith(that)) {
*6777b538SAndroid Build Coastguard Worker//       // Amazingness goes here.
*6777b538SAndroid Build Coastguard Worker//     }
*6777b538SAndroid Build Coastguard Workerclass COMPONENT_EXPORT(URL) Origin {
*6777b538SAndroid Build Coastguard Worker public:
*6777b538SAndroid Build Coastguard Worker  // Creates an opaque Origin with a nonce that is different from all previously
*6777b538SAndroid Build Coastguard Worker  // existing origins.
*6777b538SAndroid Build Coastguard Worker  Origin();
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // WARNING: Converting an URL into an Origin is usually a red flag. See
*6777b538SAndroid Build Coastguard Worker  // //docs/security/origin-vs-url.md for more details. Some discussion about
*6777b538SAndroid Build Coastguard Worker  // deprecating the Create method can be found in https://crbug.com/1270878.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // Creates an Origin from `url`, as described at
*6777b538SAndroid Build Coastguard Worker  // https://url.spec.whatwg.org/#origin, with the following additions:
*6777b538SAndroid Build Coastguard Worker  // 1. If `url` is invalid or non-standard, an opaque Origin is constructed.
*6777b538SAndroid Build Coastguard Worker  // 2. 'filesystem' URLs behave as 'blob' URLs (that is, the origin is parsed
*6777b538SAndroid Build Coastguard Worker  //    out of everything in the URL which follows the scheme).
*6777b538SAndroid Build Coastguard Worker  // 3. 'file' URLs all parse as ("file", "", 0).
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // WARNING: `url::Origin::Create(url)` can give unexpected results if:
*6777b538SAndroid Build Coastguard Worker  // 1) `url` is "about:blank", or "about:srcdoc" (returning unique, opaque
*6777b538SAndroid Build Coastguard Worker  //    origin rather than the real origin of the frame)
*6777b538SAndroid Build Coastguard Worker  // 2) `url` comes from a sandboxed frame (potentially returning a non-opaque
*6777b538SAndroid Build Coastguard Worker  //    origin, when an opaque one is needed; see also
*6777b538SAndroid Build Coastguard Worker  //    https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/)
*6777b538SAndroid Build Coastguard Worker  // 3) Wrong `url` is used - e.g. in some navigations `base_url_for_data_url`
*6777b538SAndroid Build Coastguard Worker  //    might need to be used instead of relying on
*6777b538SAndroid Build Coastguard Worker  //    `content::NavigationHandle::GetURL`.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // WARNING: The returned Origin may have a different scheme and host from
*6777b538SAndroid Build Coastguard Worker  // `url` (e.g. in case of blob URLs - see OriginTest.ConstructFromGURL).
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // WARNING: data: URLs will be correctly be translated into opaque origins,
*6777b538SAndroid Build Coastguard Worker  // but the precursor origin will be lost (unlike with `url::Origin::Resolve`).
*6777b538SAndroid Build Coastguard Worker  static Origin Create(const GURL& url);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Creates an Origin for the resource `url` as if it were requested
*6777b538SAndroid Build Coastguard Worker  // from the context of `base_origin`. If `url` is standard
*6777b538SAndroid Build Coastguard Worker  // (in the sense that it embeds a complete origin, like http/https),
*6777b538SAndroid Build Coastguard Worker  // this returns the same value as would Create().
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // If `url` is "about:blank" or "about:srcdoc", this returns a copy of
*6777b538SAndroid Build Coastguard Worker  // `base_origin`.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // Otherwise, returns a new opaque origin derived from `base_origin`.
*6777b538SAndroid Build Coastguard Worker  // In this case, the resulting opaque origin will inherit the tuple
*6777b538SAndroid Build Coastguard Worker  // (or precursor tuple) of `base_origin`, but will not be same origin
*6777b538SAndroid Build Coastguard Worker  // with `base_origin`, even if `base_origin` is already opaque.
*6777b538SAndroid Build Coastguard Worker  static Origin Resolve(const GURL& url, const Origin& base_origin);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Copyable and movable.
*6777b538SAndroid Build Coastguard Worker  Origin(const Origin&);
*6777b538SAndroid Build Coastguard Worker  Origin& operator=(const Origin&);
*6777b538SAndroid Build Coastguard Worker  Origin(Origin&&) noexcept;
*6777b538SAndroid Build Coastguard Worker  Origin& operator=(Origin&&) noexcept;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Creates an Origin from a |scheme|, |host|, and |port|. All the parameters
*6777b538SAndroid Build Coastguard Worker  // must be valid and canonicalized. Returns nullopt if any parameter is not
*6777b538SAndroid Build Coastguard Worker  // canonical, or if all the parameters are empty.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // This constructor should be used in order to pass 'Origin' objects back and
*6777b538SAndroid Build Coastguard Worker  // forth over IPC (as transitioning through GURL would risk potentially
*6777b538SAndroid Build Coastguard Worker  // dangerous recanonicalization); other potential callers should prefer the
*6777b538SAndroid Build Coastguard Worker  // 'GURL'-based constructor.
*6777b538SAndroid Build Coastguard Worker  static std::optional<Origin> UnsafelyCreateTupleOriginWithoutNormalization(
*6777b538SAndroid Build Coastguard Worker      std::string_view scheme,
*6777b538SAndroid Build Coastguard Worker      std::string_view host,
*6777b538SAndroid Build Coastguard Worker      uint16_t port);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Creates an origin without sanity checking that the host is canonicalized.
*6777b538SAndroid Build Coastguard Worker  // This should only be used when converting between already normalized types,
*6777b538SAndroid Build Coastguard Worker  // and should NOT be used for IPC. Method takes std::strings for use with move
*6777b538SAndroid Build Coastguard Worker  // operators to avoid copies.
*6777b538SAndroid Build Coastguard Worker  static Origin CreateFromNormalizedTuple(std::string scheme,
*6777b538SAndroid Build Coastguard Worker                                          std::string host,
*6777b538SAndroid Build Coastguard Worker                                          uint16_t port);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  ~Origin();
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // For opaque origins, these return ("", "", 0).
*6777b538SAndroid Build Coastguard Worker  const std::string& scheme() const {
*6777b538SAndroid Build Coastguard Worker    return !opaque() ? tuple_.scheme() : base::EmptyString();
*6777b538SAndroid Build Coastguard Worker  }
*6777b538SAndroid Build Coastguard Worker  const std::string& host() const {
*6777b538SAndroid Build Coastguard Worker    return !opaque() ? tuple_.host() : base::EmptyString();
*6777b538SAndroid Build Coastguard Worker  }
*6777b538SAndroid Build Coastguard Worker  uint16_t port() const { return !opaque() ? tuple_.port() : 0; }
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  bool opaque() const { return nonce_.has_value(); }
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // An ASCII serialization of the Origin as per Section 6.2 of RFC 6454, with
*6777b538SAndroid Build Coastguard Worker  // the addition that all Origins with a 'file' scheme serialize to "file://".
*6777b538SAndroid Build Coastguard Worker  std::string Serialize() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Two non-opaque Origins are "same-origin" if their schemes, hosts, and ports
*6777b538SAndroid Build Coastguard Worker  // are exact matches. Two opaque origins are same-origin only if their
*6777b538SAndroid Build Coastguard Worker  // internal nonce values match. A non-opaque origin is never same-origin with
*6777b538SAndroid Build Coastguard Worker  // an opaque origin.
*6777b538SAndroid Build Coastguard Worker  bool IsSameOriginWith(const Origin& other) const;
*6777b538SAndroid Build Coastguard Worker  bool operator==(const Origin& other) const { return IsSameOriginWith(other); }
*6777b538SAndroid Build Coastguard Worker  bool operator!=(const Origin& other) const {
*6777b538SAndroid Build Coastguard Worker    return !IsSameOriginWith(other);
*6777b538SAndroid Build Coastguard Worker  }
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Non-opaque origin is "same-origin" with `url` if their schemes, hosts, and
*6777b538SAndroid Build Coastguard Worker  // ports are exact matches. Opaque origin is never "same-origin" with any
*6777b538SAndroid Build Coastguard Worker  // `url`.  about:blank, about:srcdoc, and invalid GURLs are never
*6777b538SAndroid Build Coastguard Worker  // "same-origin" with any origin. This method is a shorthand for
*6777b538SAndroid Build Coastguard Worker  // `origin.IsSameOriginWith(url::Origin::Create(url))`.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // See also CanBeDerivedFrom.
*6777b538SAndroid Build Coastguard Worker  bool IsSameOriginWith(const GURL& url) const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // This method returns true for any |url| which if navigated to could result
*6777b538SAndroid Build Coastguard Worker  // in an origin compatible with |this|.
*6777b538SAndroid Build Coastguard Worker  bool CanBeDerivedFrom(const GURL& url) const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Get the scheme, host, and port from which this origin derives. For
*6777b538SAndroid Build Coastguard Worker  // a tuple Origin, this gives the same values as calling scheme(), host()
*6777b538SAndroid Build Coastguard Worker  // and port(). For an opaque Origin that was created by calling
*6777b538SAndroid Build Coastguard Worker  // Origin::DeriveNewOpaqueOrigin() on a precursor or Origin::Resolve(),
*6777b538SAndroid Build Coastguard Worker  // this returns the tuple inherited from the precursor.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // If this Origin is opaque and was created via the default constructor or
*6777b538SAndroid Build Coastguard Worker  // Origin::Create(), the precursor origin is unknown.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // Use with great caution: opaque origins should generally not inherit
*6777b538SAndroid Build Coastguard Worker  // privileges from the origins they derive from. However, in some cases
*6777b538SAndroid Build Coastguard Worker  // (such as restrictions on process placement, or determining the http lock
*6777b538SAndroid Build Coastguard Worker  // icon) this information may be relevant to ensure that entering an
*6777b538SAndroid Build Coastguard Worker  // opaque origin does not grant privileges initially denied to the original
*6777b538SAndroid Build Coastguard Worker  // non-opaque origin.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // This method has a deliberately obnoxious name to prompt caution in its use.
*6777b538SAndroid Build Coastguard Worker  const SchemeHostPort& GetTupleOrPrecursorTupleIfOpaque() const {
*6777b538SAndroid Build Coastguard Worker    return tuple_;
*6777b538SAndroid Build Coastguard Worker  }
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Efficiently returns what GURL(Serialize()) would without re-parsing the
*6777b538SAndroid Build Coastguard Worker  // URL. This can be used for the (rare) times a GURL representation is needed
*6777b538SAndroid Build Coastguard Worker  // for an Origin.
*6777b538SAndroid Build Coastguard Worker  // Note: The returned URL will not necessarily be serialized to the same value
*6777b538SAndroid Build Coastguard Worker  // as the Origin would. The GURL will have an added "/" path for Origins with
*6777b538SAndroid Build Coastguard Worker  // valid SchemeHostPorts and file Origins.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // Try not to use this method under normal circumstances, as it loses type
*6777b538SAndroid Build Coastguard Worker  // information. Downstream consumers can mistake the returned GURL with a full
*6777b538SAndroid Build Coastguard Worker  // URL (e.g. with a path component).
*6777b538SAndroid Build Coastguard Worker  GURL GetURL() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Same as GURL::DomainIs. If |this| origin is opaque, then returns false.
*6777b538SAndroid Build Coastguard Worker  bool DomainIs(std::string_view canonical_domain) const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Allows Origin to be used as a key in STL (for example, a std::set or
*6777b538SAndroid Build Coastguard Worker  // std::map).
*6777b538SAndroid Build Coastguard Worker  bool operator<(const Origin& other) const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Creates a new opaque origin that is guaranteed to be cross-origin to all
*6777b538SAndroid Build Coastguard Worker  // currently existing origins. An origin created by this method retains its
*6777b538SAndroid Build Coastguard Worker  // identity across copies. Copies are guaranteed to be same-origin to each
*6777b538SAndroid Build Coastguard Worker  // other, e.g.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  //   url::Origin page = Origin::Create(GURL("http://example.com"))
*6777b538SAndroid Build Coastguard Worker  //   url::Origin a = page.DeriveNewOpaqueOrigin();
*6777b538SAndroid Build Coastguard Worker  //   url::Origin b = page.DeriveNewOpaqueOrigin();
*6777b538SAndroid Build Coastguard Worker  //   url::Origin c = a;
*6777b538SAndroid Build Coastguard Worker  //   url::Origin d = b;
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // |a| and |c| are same-origin, since |c| was copied from |a|. |b| and |d| are
*6777b538SAndroid Build Coastguard Worker  // same-origin as well, since |d| was copied from |b|. All other combinations
*6777b538SAndroid Build Coastguard Worker  // of origins are considered cross-origin, e.g. |a| is cross-origin to |b| and
*6777b538SAndroid Build Coastguard Worker  // |d|, |b| is cross-origin to |a| and |c|, |c| is cross-origin to |b| and
*6777b538SAndroid Build Coastguard Worker  // |d|, and |d| is cross-origin to |a| and |c|.
*6777b538SAndroid Build Coastguard Worker  Origin DeriveNewOpaqueOrigin() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Returns the nonce associated with the origin, if it is opaque, or nullptr
*6777b538SAndroid Build Coastguard Worker  // otherwise. This is only for use in tests.
*6777b538SAndroid Build Coastguard Worker  const base::UnguessableToken* GetNonceForTesting() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Creates a string representation of the object that can be used for logging
*6777b538SAndroid Build Coastguard Worker  // and debugging. It serializes the internal state, such as the nonce value
*6777b538SAndroid Build Coastguard Worker  // and precursor information.
*6777b538SAndroid Build Coastguard Worker  std::string GetDebugString(bool include_nonce = true) const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_ROBOLECTRIC)
*6777b538SAndroid Build Coastguard Worker  base::android::ScopedJavaLocalRef<jobject> ToJavaObject() const;
*6777b538SAndroid Build Coastguard Worker  static Origin FromJavaObject(
*6777b538SAndroid Build Coastguard Worker      const base::android::JavaRef<jobject>& java_origin);
*6777b538SAndroid Build Coastguard Worker  static jlong CreateNative(JNIEnv* env,
*6777b538SAndroid Build Coastguard Worker                            const base::android::JavaRef<jstring>& java_scheme,
*6777b538SAndroid Build Coastguard Worker                            const base::android::JavaRef<jstring>& java_host,
*6777b538SAndroid Build Coastguard Worker                            uint16_t port,
*6777b538SAndroid Build Coastguard Worker                            bool is_opaque,
*6777b538SAndroid Build Coastguard Worker                            uint64_t tokenHighBits,
*6777b538SAndroid Build Coastguard Worker                            uint64_t tokenLowBits);
*6777b538SAndroid Build Coastguard Worker#endif  // BUILDFLAG(IS_ANDROID)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  void WriteIntoTrace(perfetto::TracedValue context) const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Estimates dynamic memory usage.
*6777b538SAndroid Build Coastguard Worker  // See base/trace_event/memory_usage_estimator.h for more info.
*6777b538SAndroid Build Coastguard Worker  size_t EstimateMemoryUsage() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker private:
*6777b538SAndroid Build Coastguard Worker#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_ROBOLECTRIC)
*6777b538SAndroid Build Coastguard Worker  friend Origin CreateOpaqueOriginForAndroid(
*6777b538SAndroid Build Coastguard Worker      const std::string& scheme,
*6777b538SAndroid Build Coastguard Worker      const std::string& host,
*6777b538SAndroid Build Coastguard Worker      uint16_t port,
*6777b538SAndroid Build Coastguard Worker      const base::UnguessableToken& nonce_token);
*6777b538SAndroid Build Coastguard Worker#endif
*6777b538SAndroid Build Coastguard Worker  friend class blink::SecurityOrigin;
*6777b538SAndroid Build Coastguard Worker  friend class blink::SecurityOriginTest;
*6777b538SAndroid Build Coastguard Worker  friend class blink::StorageKey;
*6777b538SAndroid Build Coastguard Worker  // SiteInfo needs the nonce to compute the site URL for some opaque origins,
*6777b538SAndroid Build Coastguard Worker  // like data: URLs.
*6777b538SAndroid Build Coastguard Worker  friend class content::SiteInfo;
*6777b538SAndroid Build Coastguard Worker  // SchemefulSite needs access to the serialization/deserialization logic which
*6777b538SAndroid Build Coastguard Worker  // includes the nonce.
*6777b538SAndroid Build Coastguard Worker  friend class net::SchemefulSite;
*6777b538SAndroid Build Coastguard Worker  friend class OriginTest;
*6777b538SAndroid Build Coastguard Worker  friend struct mojo::UrlOriginAdapter;
*6777b538SAndroid Build Coastguard Worker  friend struct ipc_fuzzer::FuzzTraits<Origin>;
*6777b538SAndroid Build Coastguard Worker  friend struct mojo::StructTraits<url::mojom::OriginDataView, url::Origin>;
*6777b538SAndroid Build Coastguard Worker  friend IPC::ParamTraits<url::Origin>;
*6777b538SAndroid Build Coastguard Worker  friend COMPONENT_EXPORT(URL) std::ostream& operator<<(std::ostream& out,
*6777b538SAndroid Build Coastguard Worker                                                        const Origin& origin);
*6777b538SAndroid Build Coastguard Worker  friend class blink::StorageKeyTest;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Origin::Nonce is a wrapper around base::UnguessableToken that generates
*6777b538SAndroid Build Coastguard Worker  // the random value only when the value is first accessed. The lazy generation
*6777b538SAndroid Build Coastguard Worker  // allows Origin to be default-constructed quickly, without spending time
*6777b538SAndroid Build Coastguard Worker  // in random number generation.
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // TODO(nick): Should this optimization move into UnguessableToken, once it no
*6777b538SAndroid Build Coastguard Worker  // longer treats the Null case specially?
*6777b538SAndroid Build Coastguard Worker  class COMPONENT_EXPORT(URL) Nonce {
*6777b538SAndroid Build Coastguard Worker   public:
*6777b538SAndroid Build Coastguard Worker    // Creates a nonce to hold a newly-generated UnguessableToken. The actual
*6777b538SAndroid Build Coastguard Worker    // token value will be generated lazily.
*6777b538SAndroid Build Coastguard Worker    Nonce();
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker    // Creates a nonce to hold an already-generated UnguessableToken value. This
*6777b538SAndroid Build Coastguard Worker    // constructor should only be used for IPC serialization and testing --
*6777b538SAndroid Build Coastguard Worker    // regular code should never need to touch the UnguessableTokens directly,
*6777b538SAndroid Build Coastguard Worker    // and the default constructor is faster.
*6777b538SAndroid Build Coastguard Worker    explicit Nonce(const base::UnguessableToken& token);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker    // Accessor, which lazily initializes the underlying |token_| member.
*6777b538SAndroid Build Coastguard Worker    const base::UnguessableToken& token() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker    // Do not use in cases where lazy initialization is expected! This
*6777b538SAndroid Build Coastguard Worker    // accessor does not initialize the |token_| member.
*6777b538SAndroid Build Coastguard Worker    const base::UnguessableToken& raw_token() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker    // Copyable and movable. Copying a Nonce triggers lazy-initialization,
*6777b538SAndroid Build Coastguard Worker    // moving it does not.
*6777b538SAndroid Build Coastguard Worker    Nonce(const Nonce&);
*6777b538SAndroid Build Coastguard Worker    Nonce& operator=(const Nonce&);
*6777b538SAndroid Build Coastguard Worker    Nonce(Nonce&&) noexcept;
*6777b538SAndroid Build Coastguard Worker    Nonce& operator=(Nonce&&) noexcept;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker    // Note that operator<, used by maps type containers, will trigger |token_|
*6777b538SAndroid Build Coastguard Worker    // lazy-initialization. Equality comparisons do not.
*6777b538SAndroid Build Coastguard Worker    bool operator<(const Nonce& other) const;
*6777b538SAndroid Build Coastguard Worker    bool operator==(const Nonce& other) const;
*6777b538SAndroid Build Coastguard Worker    bool operator!=(const Nonce& other) const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   private:
*6777b538SAndroid Build Coastguard Worker    friend class OriginTest;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker    // mutable to support lazy generation.
*6777b538SAndroid Build Coastguard Worker    mutable base::UnguessableToken token_;
*6777b538SAndroid Build Coastguard Worker  };
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // This needs to be friended within Origin as well, since Nonce is a private
*6777b538SAndroid Build Coastguard Worker  // nested class of Origin.
*6777b538SAndroid Build Coastguard Worker  friend COMPONENT_EXPORT(URL) std::ostream& operator<<(std::ostream& out,
*6777b538SAndroid Build Coastguard Worker                                                        const Nonce& nonce);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Creates an origin without sanity checking that the host is canonicalized.
*6777b538SAndroid Build Coastguard Worker  // This should only be used when converting between already normalized types,
*6777b538SAndroid Build Coastguard Worker  // and should NOT be used for IPC. Method takes std::strings for use with move
*6777b538SAndroid Build Coastguard Worker  // operators to avoid copies.
*6777b538SAndroid Build Coastguard Worker  static Origin CreateOpaqueFromNormalizedPrecursorTuple(
*6777b538SAndroid Build Coastguard Worker      std::string precursor_scheme,
*6777b538SAndroid Build Coastguard Worker      std::string precursor_host,
*6777b538SAndroid Build Coastguard Worker      uint16_t precursor_port,
*6777b538SAndroid Build Coastguard Worker      const Nonce& nonce);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Creates an opaque Origin with the identity given by |nonce|, and an
*6777b538SAndroid Build Coastguard Worker  // optional precursor origin given by |precursor_scheme|, |precursor_host| and
*6777b538SAndroid Build Coastguard Worker  // |precursor_port|. Returns nullopt if any parameter is not canonical. When
*6777b538SAndroid Build Coastguard Worker  // the precursor is unknown, the precursor parameters should be ("", "", 0).
*6777b538SAndroid Build Coastguard Worker  //
*6777b538SAndroid Build Coastguard Worker  // This factory method should be used in order to pass opaque Origin objects
*6777b538SAndroid Build Coastguard Worker  // back and forth over IPC (as transitioning through GURL would risk
*6777b538SAndroid Build Coastguard Worker  // potentially dangerous recanonicalization).
*6777b538SAndroid Build Coastguard Worker  static std::optional<Origin> UnsafelyCreateOpaqueOriginWithoutNormalization(
*6777b538SAndroid Build Coastguard Worker      std::string_view precursor_scheme,
*6777b538SAndroid Build Coastguard Worker      std::string_view precursor_host,
*6777b538SAndroid Build Coastguard Worker      uint16_t precursor_port,
*6777b538SAndroid Build Coastguard Worker      const Nonce& nonce);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Constructs a non-opaque tuple origin. |tuple| must be valid.
*6777b538SAndroid Build Coastguard Worker  explicit Origin(SchemeHostPort tuple);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Constructs an opaque origin derived from the |precursor| tuple, with the
*6777b538SAndroid Build Coastguard Worker  // given |nonce|.
*6777b538SAndroid Build Coastguard Worker  Origin(const Nonce& nonce, SchemeHostPort precursor);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Get the nonce associated with this origin, if it is opaque, or nullptr
*6777b538SAndroid Build Coastguard Worker  // otherwise. This should be used only when trying to send an Origin across an
*6777b538SAndroid Build Coastguard Worker  // IPC pipe.
*6777b538SAndroid Build Coastguard Worker  const base::UnguessableToken* GetNonceForSerialization() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Serializes this Origin, including its nonce if it is opaque. If an opaque
*6777b538SAndroid Build Coastguard Worker  // origin's |tuple_| is invalid nullopt is returned. If the nonce is not
*6777b538SAndroid Build Coastguard Worker  // initialized, a nonce of 0 is used. Use of this method should be limited as
*6777b538SAndroid Build Coastguard Worker  // an opaque origin will never be matchable in future browser sessions.
*6777b538SAndroid Build Coastguard Worker  std::optional<std::string> SerializeWithNonce() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Like SerializeWithNonce(), but forces |nonce_| to be initialized prior to
*6777b538SAndroid Build Coastguard Worker  // serializing.
*6777b538SAndroid Build Coastguard Worker  std::optional<std::string> SerializeWithNonceAndInitIfNeeded();
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  std::optional<std::string> SerializeWithNonceImpl() const;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // Deserializes an origin from |ToValueWithNonce|. Returns nullopt if the
*6777b538SAndroid Build Coastguard Worker  // value was invalid in any way.
*6777b538SAndroid Build Coastguard Worker  static std::optional<Origin> Deserialize(const std::string& value);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // The tuple is used for both tuple origins (e.g. https://example.com:80), as
*6777b538SAndroid Build Coastguard Worker  // well as for opaque origins, where it tracks the tuple origin from which
*6777b538SAndroid Build Coastguard Worker  // the opaque origin was initially derived (we call this the "precursor"
*6777b538SAndroid Build Coastguard Worker  // origin).
*6777b538SAndroid Build Coastguard Worker  SchemeHostPort tuple_;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  // The nonce is used for maintaining identity of an opaque origin. This
*6777b538SAndroid Build Coastguard Worker  // nonce is preserved when an opaque origin is copied or moved. An Origin
*6777b538SAndroid Build Coastguard Worker  // is considered opaque if and only if |nonce_| holds a value.
*6777b538SAndroid Build Coastguard Worker  std::optional<Nonce> nonce_;
*6777b538SAndroid Build Coastguard Worker};
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// Pretty-printers for logging. These expose the internal state of the nonce.
*6777b538SAndroid Build Coastguard WorkerCOMPONENT_EXPORT(URL)
*6777b538SAndroid Build Coastguard Workerstd::ostream& operator<<(std::ostream& out, const Origin& origin);
*6777b538SAndroid Build Coastguard WorkerCOMPONENT_EXPORT(URL)
*6777b538SAndroid Build Coastguard Workerstd::ostream& operator<<(std::ostream& out, const Origin::Nonce& origin);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerCOMPONENT_EXPORT(URL) bool IsSameOriginWith(const GURL& a, const GURL& b);
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker// DEBUG_ALIAS_FOR_ORIGIN(var_name, origin) copies `origin` into a new
*6777b538SAndroid Build Coastguard Worker// stack-allocated variable named `<var_name>`. This helps ensure that the
*6777b538SAndroid Build Coastguard Worker// value of `origin` gets preserved in crash dumps.
*6777b538SAndroid Build Coastguard Worker#define DEBUG_ALIAS_FOR_ORIGIN(var_name, origin) \
*6777b538SAndroid Build Coastguard Worker  DEBUG_ALIAS_FOR_CSTR(var_name, (origin).Serialize().c_str(), 128)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workernamespace debug {
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Workerclass COMPONENT_EXPORT(URL) ScopedOriginCrashKey {
*6777b538SAndroid Build Coastguard Worker public:
*6777b538SAndroid Build Coastguard Worker  ScopedOriginCrashKey(base::debug::CrashKeyString* crash_key,
*6777b538SAndroid Build Coastguard Worker                       const url::Origin* value);
*6777b538SAndroid Build Coastguard Worker  ~ScopedOriginCrashKey();
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker  ScopedOriginCrashKey(const ScopedOriginCrashKey&) = delete;
*6777b538SAndroid Build Coastguard Worker  ScopedOriginCrashKey& operator=(const ScopedOriginCrashKey&) = delete;
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker private:
*6777b538SAndroid Build Coastguard Worker  base::debug::ScopedCrashKeyString scoped_string_value_;
*6777b538SAndroid Build Coastguard Worker};
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker}  // namespace debug
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker}  // namespace url
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#endif  // URL_ORIGIN_H_