Enforce no remote access from local URLs for XHR

Add a specific setting to disable remote access for local URLs and also
enforce that on data-URLs loaded owned by local URLs.

Change-Id: Ied8ec141eb1c28775644fce184a4759a79e1d177
Task-number: QTBUG-45556
Reviewed-by: Dmitry Shachnev <mitya57@gmail.com>
Reviewed-by: Michael Brüning <michael.bruning@theqtcompany.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/Source/WebCore/page/SecurityOrigin.cpp b/Source/WebCore/page/SecurityOrigin.cpp
index cebc89684..ae2822aaa 100644
--- a/Source/WebCore/page/SecurityOrigin.cpp
+++ b/Source/WebCore/page/SecurityOrigin.cpp
@@ -127,6 +127,7 @@ SecurityOrigin::SecurityOrigin(const KURL& url)
     , m_storageBlockingPolicy(AllowAllStorage)
     , m_enforceFilePathSeparation(false)
     , m_needsDatabaseIdentifierQuirkForFiles(false)
+    , m_deniedCORS(false)
 {
     // document.domain starts as m_host, but can be set by the DOM.
     m_domain = m_host;
@@ -153,6 +154,7 @@ SecurityOrigin::SecurityOrigin()
     , m_storageBlockingPolicy(AllowAllStorage)
     , m_enforceFilePathSeparation(false)
     , m_needsDatabaseIdentifierQuirkForFiles(false)
+    , m_deniedCORS(false)
 {
 }
 
@@ -169,6 +171,7 @@ SecurityOrigin::SecurityOrigin(const SecurityOrigin* other)
     , m_storageBlockingPolicy(other->m_storageBlockingPolicy)
     , m_enforceFilePathSeparation(other->m_enforceFilePathSeparation)
     , m_needsDatabaseIdentifierQuirkForFiles(other->m_needsDatabaseIdentifierQuirkForFiles)
+    , m_deniedCORS(other->m_deniedCORS)
 {
 }
 
@@ -442,6 +445,11 @@ void SecurityOrigin::grantUniversalAccess()
     m_universalAccess = true;
 }
 
+void SecurityOrigin::denyCrossOriginRequests()
+{
+    m_deniedCORS = true;
+}
+
 #if ENABLE(CACHE_PARTITIONING)
 String SecurityOrigin::cachePartition() const
 {