Add nonce for tracking identity of unique url::Origin objects.

The nonce allows a unique origin to be same origin with itself, as well as copies of itself. blink::SecurityOrigin and IPC are not yet updated to propagate the necessary information through all the layers. Bug: 768460 Change-Id: I1bfce592f3fa576dff18eb7fe2071742e82d1768 Reviewed-on: https://chromium-review.googlesource.com/745986 Commit-Queue: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Reviewed-by: Nick Carter <nick@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#586129}

Add nonce for tracking identity of unique url::Origin objects.
The nonce allows a unique origin to be same origin with itself, as well as copies of itself. blink::SecurityOrigin and IPC are not yet updated to propagate the necessary information through all the layers. Bug: 768460 Change-Id: I1bfce592f3fa576dff18eb7fe2071742e82d1768 Reviewed-on: https://chromium-review.googlesource.com/745986 Commit-Queue: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Victor Costan <pwnall@chromium.org> Reviewed-by: Nick Carter <nick@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#586129}
62ff0189 · Daniel Cheng · Commit Bot · 3ce1fba2 · 62ff0189 · 62ff0189
Commit 62ff0189 authored Aug 25, 2018 by Daniel Cheng Committed by Commit Bot Aug 25, 2018
Expand all Show whitespace changes
Inline Side-by-side

Showing with 273 additions and 86 deletions

url/origin.cc url/origin.cc +44 -17

url/origin.h url/origin.h +94 -24

url/origin_unittest.cc url/origin_unittest.cc +135 -45

No files found.
--- a/url/origin.cc
+++ b/url/origin.cc
@@ -17,7 +17,7 @@
 namespace url {
-Origin::Origin() : unique_(true) {}
+Origin::Origin() {}
 Origin Origin::Create(const GURL& url) {
  if (!url.is_valid() || (!url.IsStandard() && !url.SchemeIsBlob()))
@@ -43,15 +43,36 @@ Origin Origin::Create(const GURL& url) {
  return Origin(std::move(tuple));
 }
-Origin::Origin(SchemeHostPort tuple)
+// Note: this is very similar to Create(const GURL&), but opaque origins are
-    : tuple_(std::move(tuple)), unique_(false) {
+// created with CreateUniqueOpaque() rather than the default constructor.
-  DCHECK(!tuple_.IsInvalid());
+Origin Origin::CreateCanonical(const GURL& url) {
+  if (!url.is_valid() || (!url.IsStandard() && !url.SchemeIsBlob()))
+    return CreateUniqueOpaque();
+  SchemeHostPort tuple;
+  if (url.SchemeIsFileSystem()) {
+    tuple = SchemeHostPort(*url.inner_url());
+  } else if (url.SchemeIsBlob()) {
+    // If we're dealing with a 'blob:' URL, https://url.spec.whatwg.org/#origin
+    // defines the origin as the origin of the URL which results from parsing
+    // the "path", which boils down to everything after the scheme. GURL's
+    // 'GetContent()' gives us exactly that.
+    tuple = SchemeHostPort(GURL(url.GetContent()));
+  } else {
+    tuple = SchemeHostPort(url);
+  }
+  if (tuple.IsInvalid())
+    return CreateUniqueOpaque();
+  return Origin(std::move(tuple));
 }
-Origin::Origin(const Origin&) = default;
+Origin::Origin(const Origin& other) = default;
-Origin& Origin::operator=(const Origin&) = default;
+Origin& Origin::operator=(const Origin& other) = default;
-Origin::Origin(Origin&&) = default;
+Origin::Origin(Origin&& other) = default;
-Origin& Origin::operator=(Origin&&) = default;
+Origin& Origin::operator=(Origin&& other) = default;
 Origin::~Origin() = default;
@@ -94,24 +115,30 @@ GURL Origin::GetURL() const {
  if (scheme() == kFileScheme)
    return GURL("file:///");
-  GURL tuple_url(tuple_.GetURL());
+  return tuple_.GetURL();
-  return tuple_url;
 }
 bool Origin::IsSameOriginWith(const Origin& other) const {
-  if (unique_ || other.unique_)
+  return tuple_.Equals(other.tuple_) &&
-    return false;
+         (!unique() || (nonce_ && nonce_ == other.nonce_));
-  return tuple_.Equals(other.tuple_);
 }
 bool Origin::DomainIs(base::StringPiece canonical_domain) const {
-  return !unique_ && url::DomainIs(tuple_.host(), canonical_domain);
+  return !unique() && url::DomainIs(tuple_.host(), canonical_domain);
 }
 bool Origin::operator<(const Origin& other) const {
-  return tuple_ < other.tuple_;
+  return std::tie(tuple_, nonce_) < std::tie(other.tuple_, other.nonce_);
+}
+Origin Origin::CreateUniqueOpaque() {
+  return Origin(ConstructAsOpaque::kTag);
+}
+Origin::Origin(ConstructAsOpaque) : nonce_(base::UnguessableToken::Create()) {}
+Origin::Origin(SchemeHostPort tuple) : tuple_(std::move(tuple)) {
+  DCHECK(!tuple_.IsInvalid());
 }
 std::ostream& operator<<(std::ostream& out, const url::Origin& origin) {

--- a/url/origin.h
+++ b/url/origin.h
@@ -10,8 +10,11 @@
 #include <string>
 #include "base/debug/alias.h"
+#include "base/optional.h"
 #include "base/strings/string16.h"
 #include "base/strings/string_piece.h"
+#include "base/strings/string_util.h"
+#include "base/unguessable_token.h"
 #include "url/scheme_host_port.h"
 #include "url/third_party/mozilla/url_parse.h"
 #include "url/url_canon.h"
@@ -22,7 +25,10 @@ class GURL;
 namespace url {
-// An Origin is a tuple of (scheme, host, port), as described in RFC 6454.
+// Per https://html.spec.whatwg.org/multipage/origin.html#origin, an origin is
+// either:
+// - a tuple origin of (scheme, host, port) as described in RFC 6454.
+// - an opaque origin with an internal value
 //
 // TL;DR: If you need to make a security-relevant decision, use 'url::Origin'.
 // If you only need to extract the bits of a URL which are relevant for a
@@ -30,31 +36,48 @@ namespace url {
 //
 // STL;SDR: If you aren't making actual network connections, use 'url::Origin'.
 //
-// 'Origin', like 'SchemeHostPort', is composed of a tuple of (scheme, host,
-// port), but contains a number of additional concepts which make it appropriate
-// for use as a security boundary and access control mechanism between contexts.
-//
 // This class ought to be used when code needs to determine if two resources
 // are "same-origin", and when a canonical serialization of an origin is
-// required. Note that some origins are "unique", meaning that they are not
+// required. Note that the canonical serialization of an origin *must not* be
-// same-origin with any other origin (including themselves).
+// used to determine if two resources are same-origin.
+//
+// A tuple origin, like 'SchemeHostPort', is composed of a tuple of (scheme,
+// host, port), but contains a number of additional concepts which make it
+// appropriate for use as a security boundary and access control mechanism
+// between contexts. Two tuple origins are same-origin if the tuples are equal.
+// A tuple origin may also be re-created from its serialization.
+//
+// An opaque origin is cross-origin to any origin, including itself and copies
+// of itself. Unlike tuple origins, an opaque origin cannot be re-created from
+// its serialization, which is always the string "null".
+//
+// TODO(https://crbug.com/768460): work is in progress to associate an internal
+// globally unique identifier with an opaque origin: completing this work will
+// allow a copy of an opaque origin to be same-origin to the original instance
+// of that opaque origin.
+//
+// IMPORTANT: Since opaque origins always serialize as the string "null", it is
+// *never* safe to use the serialization for security checks!
+//
+// A tuple origin and an opaque origin are never same-origin.
 //
 // There are a few subtleties to note:
 //
-// * Invalid and non-standard GURLs are parsed as unique origins. This includes
+// * A default constructed Origin is opaque, but unlike the spec definition, has
+//   no associated identifier. A default constructed Origin is cross-origin to
+//   every other Origin object.
+//
+// * Invalid and non-standard GURLs are parsed as opaque origins. This includes
 //   non-hierarchical URLs like 'data:text/html,...' and 'javascript:alert(1)'.
 //
 // * GURLs with schemes of 'filesystem' or 'blob' parse the origin out of the
 //   internals of the URL. That is, 'filesystem:https://example.com/temporary/f'
 //   is parsed as ('https', 'example.com', 443).
 //
-// * Unique origins all serialize to the string "null"; this means that the
-//   serializations of two unique origins are identical to each other, though
-//   the origins themselves are not "the same". This means that origins'
-//   serializations must not be relied upon for security checks.
-//
 // * GURLs with a 'file' scheme are tricky. They are parsed as ('file', '', 0),
 //   but their behavior may differ from embedder to embedder.
+//   TODO(dcheng): This behavior is not consistent with Blink's notion of file
+//   URLs, which always creates an opaque origin.
 //
 // * The host component of an IPv6 address includes brackets, just like the URL
 //   representation.
@@ -78,16 +101,20 @@ namespace url {
 //     }
 class URL_EXPORT Origin {
 public:
-  // Creates a unique Origin.
+  // Creates an opaque and always unique Origin. The returned Origin is
+  // always cross-origin to any Origin, including itself.
  Origin();
  // Creates an Origin from |url|, as described at
  // https://url.spec.whatwg.org/#origin, with the following additions:
  //
-  // 1. If |url| is invalid or non-standard, a unique Origin is constructed.
+  // 1. If |url| is invalid or non-standard, an opaque Origin is constructed.
  // 2. 'filesystem' URLs behave as 'blob' URLs (that is, the origin is parsed
  //    out of everything in the URL which follows the scheme).
  // 3. 'file' URLs all parse as ("file", "", 0).
+  //
+  // If this method returns an opaque Origin, the returned Origin will be
+  // cross-origin to any Origin, including itself.
  static Origin Create(const GURL& url);
  // Copyable and movable.
@@ -97,8 +124,8 @@ class URL_EXPORT Origin {
  Origin& operator=(Origin&&);
  // Creates an Origin from a |scheme|, |host|, and |port|. All the parameters
-  // must be valid and canonicalized. Do not use this method to create unique
+  // must be valid and canonicalized. Do not use this method to create opaque
-  // origins. Use Origin() for that.
+  // origins. Use Origin() or Origin::CreateOpaque() for that.
  //
  // This constructor should be used in order to pass 'Origin' objects back and
  // forth over IPC (as transitioning through GURL would risk potentially
@@ -119,12 +146,17 @@ class URL_EXPORT Origin {
  ~Origin();
-  // For unique origins, these return ("", "", 0).
+  // For opaque origins, these return ("", "", 0).
-  const std::string& scheme() const { return tuple_.scheme(); }
+  const std::string& scheme() const {
-  const std::string& host() const { return tuple_.host(); }
+    return !unique() ? tuple_.scheme() : base::EmptyString();
-  uint16_t port() const { return tuple_.port(); }
+  }
+  const std::string& host() const {
+    return !unique() ? tuple_.host() : base::EmptyString();
+  }
+  uint16_t port() const { return !unique() ? tuple_.port() : 0; }
-  bool unique() const { return unique_; }
+  // TODO(dcheng): Rename this to opaque().
+  bool unique() const { return tuple_.IsInvalid(); }
  // An ASCII serialization of the Origin as per Section 6.2 of RFC 6454, with
  // the addition that all Origins with a 'file' scheme serialize to "file://".
@@ -157,11 +189,49 @@ class URL_EXPORT Origin {
  bool operator<(const Origin& other) const;
 private:
-  // |tuple| must be valid, implying that the created Origin is never unique.
+  friend class OriginTest;
+  // Creates a new opaque origin that is guaranteed to be cross-origin to all
+  // currently existing origins. An origin created by this method retains its
+  // identity across copies. Copies are guaranteed to be same-origin to each
+  // other, e.g.
+  //
+  //   url::Origin a = Origin::CreateUniqueOpaque();
+  //   url::Origin b = Origin::CreateUniqueOpaque();
+  //   url::Origin c = a;
+  //   url::Origin d = b;
+  //
+  // |a| and |c| are same-origin, since |c| was copied from |a|. |b| and |d| are
+  // same-origin as well, since |d| was copied from |b|. All other combinations
+  // of origins are considered cross-origin, e.g. |a| is cross-origin to |b| and
+  // |d|, |b| is cross-origin to |a| and |c|, |c| is cross-origin to |b| and
+  // |d|, and |d| is cross-origin to |a| and |c|.
+  //
+  // Note that this is private internal helper, since relatively few locations
+  // should be responsible for deriving a canonical origin from a GURL.
+  static Origin CreateUniqueOpaque();
+  // Similar to Create(const GURL&). However, if the returned Origin is an
+  // opaque origin, it will be created with CreateUniqueOpaque(), have an
+  // associated identity, and be considered same-origin to copies of itself.
+  static Origin CreateCanonical(const GURL&);
+  enum class ConstructAsOpaque { kTag };
+  explicit Origin(ConstructAsOpaque);
+  // |tuple| must be valid, implying that the created Origin is never an opaque
+  // origin.
  explicit Origin(SchemeHostPort tuple);
+  // Helpers for managing union for destroy, copy, and move.
+  // The tuple is used for tuple origins (e.g. https://example.com:80). This
+  // is expected to be the common case. |IsInvalid()| will be true for opaque
+  // origins.
  SchemeHostPort tuple_;
-  bool unique_;
+  // The nonce is used for maintaining identity of an opaque origin. This
+  // nonce is preserved when an opaque origin is copied or moved.
+  base::Optional<base::UnguessableToken> nonce_;
 };
 URL_EXPORT std::ostream& operator<<(std::ostream& out, const Origin& origin);

--- a/url/origin_unittest.cc
+++ b/url/origin_unittest.cc