chrome/browser/resources/cryptotoken/gstaticorigincheck.js

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 /**
   6  * @fileoverview Implements a check whether an origin is allowed to assert an
   7  * app id based on a fixed set of allowed app ids for the google.com domain.
   8  *
   9  */
  10 'use strict';
  11
  12 /**
  13  * Implements half of the app id policy: whether an origin is allowed to claim
  14  * an app id. For checking whether the app id also lists the origin,
  15  * @see AppIdChecker.
  16  * @implements OriginChecker
  17  * @constructor
  18  */
  19 function GstaticOriginChecker() {
  20 }
  21
  22 /**
  23  * Checks whether the origin is allowed to claim the app ids.
  24  * @param {string} origin The origin claiming the app id.
  25  * @param {!Array.<string>} appIds The app ids being claimed.
  26  * @return {Promise.<boolean>} A promise for the result of the check.
  27  */
  28 GstaticOriginChecker.prototype.canClaimAppIds = function(origin, appIds) {
  29   return Promise.resolve(appIds.every(this.checkAppId_.bind(this, origin)));
  30 };
  31
  32 /**
  33  * Checks if a single appId can be asserted by the given origin.
  34  * @param {string} origin The origin.
  35  * @param {string} appId The appId to check.
  36  * @return {boolean} Whether the given origin can assert the app id.
  37  * @private
  38  */
  39 GstaticOriginChecker.prototype.checkAppId_ = function(origin, appId) {
  40   if (appId == origin) {
  41     // Trivially allowed
  42     return true;
  43   }
  44   var anchor = document.createElement('a');
  45   anchor.href = origin;
  46   if (/google.com$/.test(anchor.hostname)) {
  47     return (appId.indexOf('https://www.gstatic.com') == 0 ||
  48         appId.indexOf('https://static.corp.google.com') == 0);
  49   }
  50   return false;
  51 };