From 0dbf5e54fc4b7e720564cca07868840c8b4ecdb8 Mon Sep 17 00:00:00 2001
From: Ben Woolley <tautolog@gmail.com>
Date: Wed, 7 Jan 2015 17:01:32 -0800
Subject: [PATCH 5/5] same-origin policy

---
 config.def.h      |   6 +
 originprompt.html | 176 +++++++++++++++++++++++++++
 surf.c            | 349 +++++++++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 487 insertions(+), 44 deletions(-)
 create mode 100644 originprompt.html

diff --git a/config.def.h b/config.def.h
index 033adfe..7126115 100644
--- a/config.def.h
+++ b/config.def.h
@@ -6,6 +6,10 @@ static char *downloadfolder = "~/Downloads/";
 static char *stylefile      = "~/.surf/style.css";
 static char *scriptfile     = "~/.surf/script.js";
 static char *cachefolder    = "~/.surf/cache/";
+static char *originpromptfile = NULL;
+static char *originpromptdigestsalt = "Surf Origin Prompt Digest Salt 123456789"; /* change me; changing invalidates the origin trust state */
+static char *originprompthmackey    = "Surf Origin Prompt HMAC Key 123456789";    /* " */
+static char *origincachefolder = "~/.surf/origins/%s/cache/";
 
 static Bool kioskmode       = FALSE; /* Ignore shortcuts */
 static Bool showindicators  = TRUE;  /* Show indicators in window title */
@@ -17,6 +21,7 @@ static gfloat zoomlevel = 1.0;       /* Default zoom level */
 
 /* Soup default features */
 static char *cookiefile     = "~/.surf/cookies.txt";
+static char *origincookiefile = "~/.surf/origins/%s/cookies.txt";
 static char *cookiepolicies = "Aa@"; /* A: accept all; a: accept nothing,
                                         @: accept no third party */
 static char *cafile         = "/etc/ssl/certs/ca-certificates.crt";
@@ -34,6 +39,7 @@ static Bool enableinspector = TRUE;
 static Bool loadimages = TRUE;
 static Bool hidebackground  = FALSE;
 static Bool allowgeolocation = TRUE;
+static Bool sameoriginpolicy = TRUE;
 
 #define SETPROP(p, q) { \
 	.v = (char *[]){ "/bin/sh", "-c", \
diff --git a/originprompt.html b/originprompt.html
new file mode 100644
index 0000000..629f577
--- /dev/null
+++ b/originprompt.html
@@ -0,0 +1,176 @@
+<html>
+<head>
+<script type="text/javascript">
+/*
+ A JavaScript implementation of the SHA family of hashes, as
+ defined in FIPS PUB 180-2 as well as the corresponding HMAC implementation
+ as defined in FIPS PUB 198a
+
+ Copyright Brian Turek 2008-2014
+ Distributed under the BSD License
+ See http://caligatio.github.com/jsSHA/ for more information
+
+ Several functions taken from Paul Johnston
+*/
+'use strict';(function(J){function u(a,c,b){var f=0,g=[0],k="",l=null,k=b||"UTF8";if("UTF8"!==k&&"UTF16"!==k)throw"encoding must be UTF8 or UTF16";if("HEX"===c){if(0!==a.length%%2)throw"srcString of HEX type must be in byte increments";l=x(a);f=l.binLen;g=l.value}else if("TEXT"===c)l=y(a,k),f=l.binLen,g=l.value;else if("B64"===c)l=z(a),f=l.binLen,g=l.value;else if("BYTES"===c)l=A(a),f=l.binLen,g=l.value;else throw"inputFormat must be HEX, TEXT, B64, or BYTES";this.getHash=function(a,c,b,k){var l=null,
+e=g.slice(),n=f,m;3===arguments.length?"number"!==typeof b&&(k=b,b=1):2===arguments.length&&(b=1);if(b!==parseInt(b,10)||1>b)throw"numRounds must a integer >= 1";switch(c){case "HEX":l=B;break;case "B64":l=C;break;case "BYTES":l=D;break;default:throw"format must be HEX, B64, or BYTES";}if("SHA-384"===a)for(m=0;m<b;m+=1)e=t(e,n,a),n=384;else if("SHA-512"===a)for(m=0;m<b;m+=1)e=t(e,n,a),n=512;else throw"Chosen SHA variant is not supported";return l(e,E(k))};this.getHMAC=function(a,b,c,l,p){var e,n,
+m,r,q=[],v=[];e=null;switch(l){case "HEX":l=B;break;case "B64":l=C;break;case "BYTES":l=D;break;default:throw"outputFormat must be HEX, B64, or BYTES";}if("SHA-384"===c)n=128,r=384;else if("SHA-512"===c)n=128,r=512;else throw"Chosen SHA variant is not supported";if("HEX"===b)e=x(a),m=e.binLen,e=e.value;else if("TEXT"===b)e=y(a,k),m=e.binLen,e=e.value;else if("B64"===b)e=z(a),m=e.binLen,e=e.value;else if("BYTES"===b)e=A(a),m=e.binLen,e=e.value;else throw"inputFormat must be HEX, TEXT, B64, or BYTES";
+a=8*n;b=n/4-1;n<m/8?(e=t(e,m,c),e[b]&=4294967040):n>m/8&&(e[b]&=4294967040);for(n=0;n<=b;n+=1)q[n]=e[n]^909522486,v[n]=e[n]^1549556828;c=t(v.concat(t(q.concat(g),a+f,c)),a+r,c);return l(c,E(p))}}function p(a,c){this.a=a;this.b=c}function y(a,c){var b=[],f,g=[],k=0,l;if("UTF8"===c)for(l=0;l<a.length;l+=1)for(f=a.charCodeAt(l),g=[],128>f?g.push(f):2048>f?(g.push(192|f>>>6),g.push(128|f&63)):55296>f||57344<=f?g.push(224|f>>>12,128|f>>>6&63,128|f&63):(l+=1,f=65536+((f&1023)<<10|a.charCodeAt(l)&1023),
+g.push(240|f>>>18,128|f>>>12&63,128|f>>>6&63,128|f&63)),f=0;f<g.length;f+=1)(k>>>2)+1>b.length&&b.push(0),b[k>>>2]|=g[f]<<24-k%%4*8,k+=1;else if("UTF16"===c)for(l=0;l<a.length;l+=1)(k>>>2)+1>b.length&&b.push(0),b[k>>>2]|=a.charCodeAt(l)<<16-k%%4*8,k+=2;return{value:b,binLen:8*k}}function x(a){var c=[],b=a.length,f,g;if(0!==b%%2)throw"String of HEX type must be in byte increments";for(f=0;f<b;f+=2){g=parseInt(a.substr(f,2),16);if(isNaN(g))throw"String of HEX type contains invalid characters";c[f>>>3]|=
+g<<24-f%%8*4}return{value:c,binLen:4*b}}function A(a){var c=[],b,f;for(f=0;f<a.length;f+=1)b=a.charCodeAt(f),(f>>>2)+1>c.length&&c.push(0),c[f>>>2]|=b<<24-f%%4*8;return{value:c,binLen:8*a.length}}function z(a){var c=[],b=0,f,g,k,l,p;if(-1===a.search(/^[a-zA-Z0-9=+\/]+$/))throw"Invalid character in base-64 string";f=a.indexOf("=");a=a.replace(/\=/g,"");if(-1!==f&&f<a.length)throw"Invalid '=' found in base-64 string";for(g=0;g<a.length;g+=4){p=a.substr(g,4);for(k=l=0;k<p.length;k+=1)f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".indexOf(p[k]),
+l|=f<<18-6*k;for(k=0;k<p.length-1;k+=1)c[b>>2]|=(l>>>16-8*k&255)<<24-b%%4*8,b+=1}return{value:c,binLen:8*b}}function B(a,c){var b="",f=4*a.length,g,k;for(g=0;g<f;g+=1)k=a[g>>>2]>>>8*(3-g%%4),b+="0123456789abcdef".charAt(k>>>4&15)+"0123456789abcdef".charAt(k&15);return c.outputUpper?b.toUpperCase():b}function C(a,c){var b="",f=4*a.length,g,k,l;for(g=0;g<f;g+=3)for(l=(a[g>>>2]>>>8*(3-g%%4)&255)<<16|(a[g+1>>>2]>>>8*(3-(g+1)%%4)&255)<<8|a[g+2>>>2]>>>8*(3-(g+2)%%4)&255,k=0;4>k;k+=1)b=8*g+6*k<=32*a.length?b+
+"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt(l>>>6*(3-k)&63):b+c.b64Pad;return b}function D(a){var c="",b=4*a.length,f,g;for(f=0;f<b;f+=1)g=a[f>>>2]>>>8*(3-f%%4)&255,c+=String.fromCharCode(g);return c}function E(a){var c={outputUpper:!1,b64Pad:"="};try{a.hasOwnProperty("outputUpper")&&(c.outputUpper=a.outputUpper),a.hasOwnProperty("b64Pad")&&(c.b64Pad=a.b64Pad)}catch(b){}if("boolean"!==typeof c.outputUpper)throw"Invalid outputUpper formatting option";if("string"!==typeof c.b64Pad)throw"Invalid b64Pad formatting option";
+return c}function q(a,c){var b=null,b=new p(a.a,a.b);return b=32>=c?new p(b.a>>>c|b.b<<32-c&4294967295,b.b>>>c|b.a<<32-c&4294967295):new p(b.b>>>c-32|b.a<<64-c&4294967295,b.a>>>c-32|b.b<<64-c&4294967295)}function F(a,c){var b=null;return b=32>=c?new p(a.a>>>c,a.b>>>c|a.a<<32-c&4294967295):new p(0,a.a>>>c-32)}function K(a,c,b){return new p(a.a&c.a^~a.a&b.a,a.b&c.b^~a.b&b.b)}function L(a,c,b){return new p(a.a&c.a^a.a&b.a^c.a&b.a,a.b&c.b^a.b&b.b^c.b&b.b)}function M(a){var c=q(a,28),b=q(a,34);a=q(a,39);
+return new p(c.a^b.a^a.a,c.b^b.b^a.b)}function N(a){var c=q(a,14),b=q(a,18);a=q(a,41);return new p(c.a^b.a^a.a,c.b^b.b^a.b)}function O(a){var c=q(a,1),b=q(a,8);a=F(a,7);return new p(c.a^b.a^a.a,c.b^b.b^a.b)}function P(a){var c=q(a,19),b=q(a,61);a=F(a,6);return new p(c.a^b.a^a.a,c.b^b.b^a.b)}function Q(a,c){var b,f,g;b=(a.b&65535)+(c.b&65535);f=(a.b>>>16)+(c.b>>>16)+(b>>>16);g=(f&65535)<<16|b&65535;b=(a.a&65535)+(c.a&65535)+(f>>>16);f=(a.a>>>16)+(c.a>>>16)+(b>>>16);return new p((f&65535)<<16|b&65535,
+g)}function R(a,c,b,f){var g,k,l;g=(a.b&65535)+(c.b&65535)+(b.b&65535)+(f.b&65535);k=(a.b>>>16)+(c.b>>>16)+(b.b>>>16)+(f.b>>>16)+(g>>>16);l=(k&65535)<<16|g&65535;g=(a.a&65535)+(c.a&65535)+(b.a&65535)+(f.a&65535)+(k>>>16);k=(a.a>>>16)+(c.a>>>16)+(b.a>>>16)+(f.a>>>16)+(g>>>16);return new p((k&65535)<<16|g&65535,l)}function S(a,c,b,f,g){var k,l,q;k=(a.b&65535)+(c.b&65535)+(b.b&65535)+(f.b&65535)+(g.b&65535);l=(a.b>>>16)+(c.b>>>16)+(b.b>>>16)+(f.b>>>16)+(g.b>>>16)+(k>>>16);q=(l&65535)<<16|k&65535;k=(a.a&
+65535)+(c.a&65535)+(b.a&65535)+(f.a&65535)+(g.a&65535)+(l>>>16);l=(a.a>>>16)+(c.a>>>16)+(b.a>>>16)+(f.a>>>16)+(g.a>>>16)+(k>>>16);return new p((l&65535)<<16|k&65535,q)}function t(a,c,b){var f,g,k,l,q,t,u,G,x,e,n,m,r,y,v,s,z,A,B,C,D,E,F,H,d,w=[],I,h=[1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,
+2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298];e=[3238371032,914150663,812702999,4144912697,4290775857,1750603025,1694076839,
+3204075428];g=[1779033703,3144134277,1013904242,2773480762,1359893119,2600822924,528734635,1541459225];if("SHA-384"===b||"SHA-512"===b)n=80,f=(c+128>>>10<<5)+31,y=32,v=2,d=p,s=Q,z=R,A=S,B=O,C=P,D=M,E=N,H=L,F=K,h=[new d(h[0],3609767458),new d(h[1],602891725),new d(h[2],3964484399),new d(h[3],2173295548),new d(h[4],4081628472),new d(h[5],3053834265),new d(h[6],2937671579),new d(h[7],3664609560),new d(h[8],2734883394),new d(h[9],1164996542),new d(h[10],1323610764),new d(h[11],3590304994),new d(h[12],
+4068182383),new d(h[13],991336113),new d(h[14],633803317),new d(h[15],3479774868),new d(h[16],2666613458),new d(h[17],944711139),new d(h[18],2341262773),new d(h[19],2007800933),new d(h[20],1495990901),new d(h[21],1856431235),new d(h[22],3175218132),new d(h[23],2198950837),new d(h[24],3999719339),new d(h[25],766784016),new d(h[26],2566594879),new d(h[27],3203337956),new d(h[28],1034457026),new d(h[29],2466948901),new d(h[30],3758326383),new d(h[31],168717936),new d(h[32],1188179964),new d(h[33],1546045734),
+new d(h[34],1522805485),new d(h[35],2643833823),new d(h[36],2343527390),new d(h[37],1014477480),new d(h[38],1206759142),new d(h[39],344077627),new d(h[40],1290863460),new d(h[41],3158454273),new d(h[42],3505952657),new d(h[43],106217008),new d(h[44],3606008344),new d(h[45],1432725776),new d(h[46],1467031594),new d(h[47],851169720),new d(h[48],3100823752),new d(h[49],1363258195),new d(h[50],3750685593),new d(h[51],3785050280),new d(h[52],3318307427),new d(h[53],3812723403),new d(h[54],2003034995),
+new d(h[55],3602036899),new d(h[56],1575990012),new d(h[57],1125592928),new d(h[58],2716904306),new d(h[59],442776044),new d(h[60],593698344),new d(h[61],3733110249),new d(h[62],2999351573),new d(h[63],3815920427),new d(3391569614,3928383900),new d(3515267271,566280711),new d(3940187606,3454069534),new d(4118630271,4000239992),new d(116418474,1914138554),new d(174292421,2731055270),new d(289380356,3203993006),new d(460393269,320620315),new d(685471733,587496836),new d(852142971,1086792851),new d(1017036298,
+365543100),new d(1126000580,2618297676),new d(1288033470,3409855158),new d(1501505948,4234509866),new d(1607167915,987167468),new d(1816402316,1246189591)],e="SHA-384"===b?[new d(3418070365,e[0]),new d(1654270250,e[1]),new d(2438529370,e[2]),new d(355462360,e[3]),new d(1731405415,e[4]),new d(41048885895,e[5]),new d(3675008525,e[6]),new d(1203062813,e[7])]:[new d(g[0],4089235720),new d(g[1],2227873595),new d(g[2],4271175723),new d(g[3],1595750129),new d(g[4],2917565137),new d(g[5],725511199),new d(g[6],
+4215389547),new d(g[7],327033209)];else throw"Unexpected error in SHA-2 implementation";a[c>>>5]|=128<<24-c%%32;a[f]=c;I=a.length;for(m=0;m<I;m+=y){c=e[0];f=e[1];g=e[2];k=e[3];l=e[4];q=e[5];t=e[6];u=e[7];for(r=0;r<n;r+=1)w[r]=16>r?new d(a[r*v+m],a[r*v+m+1]):z(C(w[r-2]),w[r-7],B(w[r-15]),w[r-16]),G=A(u,E(l),F(l,q,t),h[r],w[r]),x=s(D(c),H(c,f,g)),u=t,t=q,q=l,l=s(k,G),k=g,g=f,f=c,c=s(G,x);e[0]=s(c,e[0]);e[1]=s(f,e[1]);e[2]=s(g,e[2]);e[3]=s(k,e[3]);e[4]=s(l,e[4]);e[5]=s(q,e[5]);e[6]=s(t,e[6]);e[7]=s(u,
+e[7])}if("SHA-384"===b)a=[e[0].a,e[0].b,e[1].a,e[1].b,e[2].a,e[2].b,e[3].a,e[3].b,e[4].a,e[4].b,e[5].a,e[5].b];else if("SHA-512"===b)a=[e[0].a,e[0].b,e[1].a,e[1].b,e[2].a,e[2].b,e[3].a,e[3].b,e[4].a,e[4].b,e[5].a,e[5].b,e[6].a,e[6].b,e[7].a,e[7].b];else throw"Unexpected error in SHA-2 implementation";return a}"function"===typeof define&&define.amd?define(function(){return u}):"undefined"!==typeof exports?"undefined"!==typeof module&&module.exports?module.exports=exports=u:exports=u:J.jsSHA=u})(this);
+</script>
+<script type="text/javascript">
+	var digest_salt = "%s";
+	var hmac_key = "%s";
+	var cross_from_origin = "%s";
+	var cross_to_uri = "%s";
+	// setCookie() and getCookie() are from w3schools.com
+	function setCookie(cname, cvalue, exdays) {
+		var d = new Date();
+		d.setTime(d.getTime() + (exdays*24*60*60*1000));
+		var expires = "expires="+d.toUTCString();
+		document.cookie = cname + "=" + cvalue + "; " + expires;
+	}
+	function getCookie(cname) {
+		var name = cname + "=";
+		var ca = document.cookie.split(';');
+		for(var i=0; i<ca.length; i++) {
+			var c = ca[i];
+			while (c.charAt(0)==' ') c = c.substring(1);
+			if (c.indexOf(name) == 0) return c.substring(name.length,c.length);
+		}
+		return "";
+	}
+	function getProtectedCookie(cname) {
+		var digest_cname = new jsSHA(digest_salt + cname, "TEXT");
+		var protected_cname = digest_cname.getHash("SHA-512", "HEX");
+		var protected_cvalue = getCookie(protected_cname);
+		var cvalue, cvalue_proposed_hmac;
+		var cvalue_split = protected_cvalue.split(",", 2);
+		cvalue = cvalue_split[0];
+		cvalue_proposed_hmac = cvalue_split[1];
+		var digest_cvalue = new jsSHA(digest_salt + cname + cvalue, "TEXT");
+		var cvalue_hmac = digest_cvalue.getHMAC(hmac_key, "TEXT", "SHA-512", "HEX");
+		if (cvalue_proposed_hmac == cvalue_hmac) {
+			return cvalue;
+		} else {
+			return "";
+		}
+	}
+	function setProtectedCookie(cname, cvalue, exdays) {
+		var digest_cname = new jsSHA(digest_salt + cname, "TEXT");
+		var protected_cname = digest_cname.getHash("SHA-512", "HEX");
+		var digest_cvalue = new jsSHA(digest_salt + cname + cvalue, "TEXT");
+		var protected_cvalue = cvalue + "," + digest_cvalue.getHMAC(hmac_key, "TEXT", "SHA-512", "HEX");
+		return setCookie(protected_cname, protected_cvalue, exdays);
+	}
+	function suppressfordays(exdays) {
+		var d = new Date();
+		var expire_stamp = d.getTime() + (exdays*24*60*60*1000);
+		setProtectedCookie(cross_from_origin, expire_stamp, exdays);
+	}
+	function bypass() {
+		var d = new Date();
+		var current_stamp = d.getTime();
+		var expire_stamp = getProtectedCookie(cross_from_origin);
+		if (current_stamp <= expire_stamp) {
+			window.location.replace(cross_to_uri);
+		} else {
+			document.getElementById("content").style.display = "block";
+		}
+	}
+</script>
+<style type="text/css">
+#content { display: none; }
+	html, body {
+	margin: 0 auto;
+	width: 800px;
+}
+	h1, h2, h3, h4, h5, h6 {
+	text-align: center;
+}
+table {
+	margin: 1em auto;
+	border-collapse: collapse;
+	border-spacing: 0.5em;
+}
+th, td {
+	padding: 0;
+	border: 1px solid #7f7f7f;
+	padding: 0.25em 0.5em;
+}
+td {
+	width: fill-available;
+	text-align: center;
+}
+th {
+	white-space: nowrap;
+}
+th[scope=row] {
+	text-align: right;
+}
+a.button {
+	display: block;
+	width: fill-available;
+	padding: 0.25em 0.5em;
+	text-decoration: none;
+}
+td.button {
+	padding: 0;
+}
+a.safe {
+	background-color: rgba(0,255,0,0.5);
+	color: inherit;
+}
+a.approval {
+	background-color: rgba(255,255,0,0.5);
+	color: inherit;
+}
+</style>
+<title>Origin Crossing Gate</title>
+</head>
+<body onload="bypass()">
+	<div id="content">
+		<h1>Origin Crossing Gate</h1>
+		<table>
+			<caption>Proceed with Caution</caption>
+			<tr>
+				<th scope="row">From Origin</th>
+				<td><code>%s</code></td>
+			</tr>
+			<tr>
+				<th scope="row">To Origin</th>
+				<td class="button"><a class="button safe" href="%s"><code>%s</code></a></td>
+			</tr>
+			<tr>
+				<th scope="row">To URL</th>
+				<td class="button"><a class="button approval" href="%s"><code>%s</code></a></td>
+			</tr>
+		</table>
+		<table>
+			<caption>Trust This Origin Crossing and Suppress This Prompt For</caption>
+			<tr>
+				<th scope="row">Duration</th>
+				<td><a class="button" href="#" onclick="suppressfordays(1)">1 Day</a></td>
+				<td><a class="button" href="#" onclick="suppressfordays(30)">1 Month</a></td>
+				<td><a class="button" href="#" onclick="suppressfordays(365)">1 Year</a></td>
+			</tr>
+		<table>
+	</div>
+</body>
+</html>
+;
diff --git a/surf.c b/surf.c
index 91a69ed..0ecbdbd 100644
--- a/surf.c
+++ b/surf.c
@@ -34,6 +34,7 @@ char *argv0;
 #define COOKIEJAR(obj)          (G_TYPE_CHECK_INSTANCE_CAST ((obj), COOKIEJAR_TYPE, CookieJar))
 
 enum { AtomFind, AtomGo, AtomUri, AtomLast };
+enum NavTransparency { NavExplicit, NavImplicit };
 
 typedef union Arg Arg;
 union Arg {
@@ -78,11 +79,14 @@ static GdkNativeWindow embed = 0;
 static gboolean showxid = FALSE;
 static char winid[64];
 static gboolean usingproxy = 0;
-static char togglestat[9];
+static char togglestat[10];
 static char pagestat[3];
 static GTlsDatabase *tlsdb;
 static int policysel = 0;
+static char *origin_uri = NULL;
+static char *referring_origin = NULL;
 static SoupCache *diskcache = NULL;
+static char *originprompt = NULL;
 
 static void addaccelgroup(Client *c);
 static void beforerequest(WebKitWebView *w, WebKitWebFrame *f,
@@ -111,6 +115,9 @@ static WebKitWebView *createwindow(WebKitWebView *v, WebKitWebFrame *f,
 static gboolean decidedownload(WebKitWebView *v, WebKitWebFrame *f,
 		WebKitNetworkRequest *r, gchar *m,  WebKitWebPolicyDecision *p,
 		Client *c);
+static gboolean decidenavigation(WebKitWebView *v, WebKitWebFrame *f,
+		WebKitNetworkRequest *r, WebKitWebNavigationAction *n,
+		WebKitWebPolicyDecision *p, Client *c);
 static gboolean decidewindow(WebKitWebView *v, WebKitWebFrame *f,
 		WebKitNetworkRequest *r, WebKitWebNavigationAction *n,
 		WebKitWebPolicyDecision *p, Client *c);
@@ -144,10 +151,18 @@ static void linkhover(WebKitWebView *v, const char* t, const char* l,
 		Client *c);
 static void loadstatuschange(WebKitWebView *view, GParamSpec *pspec,
 		Client *c);
-static void loaduri(Client *c, const Arg *arg);
+static void loadgate(Client *c, const char *cross_from_origin, const char *cross_to_uri);
+static void loaduri(Client *c, const Arg *arg, const enum NavTransparency navtrans);
 static void navigate(Client *c, const Arg *arg);
 static Client *newclient(void);
-static void newwindow(Client *c, const Arg *arg, gboolean noembed);
+static void newwindow(Client *c, const Arg *arg, gboolean noembed, const enum NavTransparency navtrans);
+static int origincmp(const char *uri1, const char *uri2);
+static int originhas(const char *uri);
+static int originhas(const char *uri);
+static const char *origingetproto(const char *uri);
+static char *origingethost(const char *uri);
+static char *origingeturi(const char *uri);
+static int originmatch(const char *uri1, const char *uri2);
 static void pasteuri(GtkClipboard *clipboard, const char *text, gpointer d);
 static gboolean contextmenu(WebKitWebView *view, GtkWidget *menu,
 		WebKitHitTestResult *target, gboolean keyboard, Client *c);
@@ -161,7 +176,7 @@ static void scroll_h(Client *c, const Arg *arg);
 static void scroll_v(Client *c, const Arg *arg);
 static void scroll(GtkAdjustment *a, const Arg *arg);
 static void setatom(Client *c, int a, const char *v);
-static void setup(void);
+static void setup(const char *uri_arg);
 static void sigchld(int unused);
 static void source(Client *c, const Arg *arg);
 static void spawn(Client *c, const Arg *arg);
@@ -175,6 +190,7 @@ static void togglestyle(Client *c, const Arg *arg);
 static void updatetitle(Client *c);
 static void updatewinid(Client *c);
 static void usage(void);
+char *qualify_uri(const char *uri);
 static void windowobjectcleared(GtkWidget *w, WebKitWebFrame *frame,
 		JSContextRef js, JSObjectRef win, Client *c);
 static void zoom(Client *c, const Arg *arg);
@@ -252,7 +268,7 @@ buttonrelease(WebKitWebView *web, GdkEventButton *e, GList *gl) {
 		if(e->button == 2 ||
 				(e->button == 1 && CLEANMASK(e->state) == CLEANMASK(MODKEY))) {
 			g_object_get(result, "link-uri", &arg.v, NULL);
-			newwindow(NULL, &arg, e->state & GDK_CONTROL_MASK);
+			newwindow(NULL, &arg, e->state & GDK_CONTROL_MASK, NavImplicit);
 			return true;
 		}
 	}
@@ -422,6 +438,35 @@ decidedownload(WebKitWebView *v, WebKitWebFrame *f, WebKitNetworkRequest *r,
 }
 
 static gboolean
+decidenavigation(WebKitWebView *view, WebKitWebFrame *f, WebKitNetworkRequest *r,
+		WebKitWebNavigationAction *n, WebKitWebPolicyDecision *p,
+		Client *c) {
+	const char *uri = webkit_network_request_get_uri(r);
+	Arg arg;
+
+	if (!sameoriginpolicy) {
+		/* configured to not bother isolating origins */
+		return FALSE;
+	} else if (webkit_web_frame_get_parent(f)) {
+		/* has a parent, and therefore not an origin */
+		return FALSE;
+	/* branches below operate on the origin, top-most frame */
+	} else if (uri && (uri[0] == '\0' || strcmp(uri, "about:blank") == 0)) {
+		/* nothing is really going to load */
+		return FALSE;
+	} else if (origin_uri == NULL || originmatch(uri, origin_uri)) {
+		/* origin matches */
+		return FALSE;
+	} else {
+		/* top-most frame, and origin differs -- isolate within a new process */
+		webkit_web_policy_decision_ignore(p);
+		arg.v = (void *) uri;
+		newwindow(NULL, &arg, 0, NavImplicit);
+		return TRUE;
+	}
+}
+
+static gboolean
 decidewindow(WebKitWebView *view, WebKitWebFrame *f, WebKitNetworkRequest *r,
 		WebKitWebNavigationAction *n, WebKitWebPolicyDecision *p,
 		Client *c) {
@@ -431,7 +476,7 @@ decidewindow(WebKitWebView *view, WebKitWebFrame *f, WebKitNetworkRequest *r,
 			WEBKIT_WEB_NAVIGATION_REASON_LINK_CLICKED) {
 		webkit_web_policy_decision_ignore(p);
 		arg.v = (void *)webkit_network_request_get_uri(r);
-		newwindow(NULL, &arg, 0);
+		newwindow(NULL, &arg, 0, NavImplicit);
 		return TRUE;
 	}
 	return FALSE;
@@ -534,7 +579,7 @@ geturi(Client *c) {
 	char *uri;
 
 	if(!(uri = (char *)webkit_web_view_get_uri(c->view)))
-		uri = "about:blank";
+		uri = "";
 	return uri;
 }
 
@@ -640,6 +685,9 @@ loadstatuschange(WebKitWebView *view, GParamSpec *pspec, Client *c) {
 	switch(webkit_web_view_get_load_status (c->view)) {
 	case WEBKIT_LOAD_COMMITTED:
 		uri = geturi(c);
+		if (strcmp(uri, "about:blank") != 0) {
+			origin_uri = uri;
+		}
 		if(strstr(uri, "https://") == uri) {
 			frame = webkit_web_view_get_main_frame(c->view);
 			src = webkit_web_frame_get_data_source(frame);
@@ -663,38 +711,63 @@ loadstatuschange(WebKitWebView *view, GParamSpec *pspec, Client *c) {
 	}
 }
 
-static void
-loaduri(Client *c, const Arg *arg) {
-	char *u = NULL, *rp;
-	const char *uri = (char *)arg->v;
-	Arg a = { .b = FALSE };
+/* needs to be g_free()'d by caller */
+char *
+qualify_uri(const char *uri) {
+	char *qualified_uri = NULL, *rp;
 	struct stat st;
 
-	if(strcmp(uri, "") == 0)
-		return;
-
 	/* In case it's a file path. */
 	if(stat(uri, &st) == 0) {
 		rp = realpath(uri, NULL);
-		u = g_strdup_printf("file://%s", rp);
+		qualified_uri = g_strdup_printf("file://%s", rp);
 		free(rp);
 	} else {
-		u = g_strrstr(uri, "://") ? g_strdup(uri)
+		qualified_uri = g_strrstr(uri, "://") ? g_strdup(uri)
 			: g_strdup_printf("http://%s", uri);
 	}
 
-	setatom(c, AtomUri, uri);
+	return qualified_uri;
+}
+
+static void
+loadgate(Client *c, const char *cross_from_origin, const char *cross_to_uri) {
+	char *cross_to_origin = origingeturi(cross_to_uri);
+	char *content =         g_strdup_printf(originprompt, originpromptdigestsalt, originprompthmackey, cross_from_origin, cross_to_uri, cross_from_origin, cross_to_origin, cross_to_origin, cross_to_uri, cross_to_uri);
+
+	origin_uri = g_strdup(cross_to_uri);
+	webkit_web_view_load_string(c->view, content, "text/html", NULL, cross_to_origin);
+	c->progress = 0;
+	c->title = g_strdup("Origin Crossing Gate");
+	updatetitle(c);
 
-	/* prevents endless loop */
-	if(strcmp(u, geturi(c)) == 0) {
-		reload(c, &a);
+	g_free(cross_to_origin);
+	g_free(content);
+}
+
+static void
+loaduri(Client *c, const Arg *arg, const enum NavTransparency navtrans) {
+	const char *uri = (char *)arg->v;
+	Arg a = { .b = FALSE };
+
+	if(strcmp(uri, "") == 0)
+		return;
+
+	if (!sameoriginpolicy || !origin_uri || !originhas(origin_uri) || originmatch(uri, origin_uri)) {
+		setatom(c, AtomUri, uri);
+
+		/* prevents endless loop */
+		if(strcmp(uri, geturi(c)) == 0) {
+			reload(c, &a);
+		} else {
+			webkit_web_view_load_uri(c->view, uri);
+			c->progress = 0;
+			c->title = copystr(&c->title, uri);
+			updatetitle(c);
+		}
 	} else {
-		webkit_web_view_load_uri(c->view, u);
-		c->progress = 0;
-		c->title = copystr(&c->title, u);
-		updatetitle(c);
+		newwindow(NULL, arg, 0, NavExplicit);
 	}
-	g_free(u);
 }
 
 static void
@@ -773,6 +846,9 @@ newclient(void) {
 			"new-window-policy-decision-requested",
 			G_CALLBACK(decidewindow), c);
 	g_signal_connect(G_OBJECT(c->view),
+			"navigation-policy-decision-requested",
+			G_CALLBACK(decidenavigation), c);
+	g_signal_connect(G_OBJECT(c->view),
 			"mime-type-policy-decision-requested",
 			G_CALLBACK(decidedownload), c);
 	g_signal_connect(G_OBJECT(c->view),
@@ -921,11 +997,12 @@ newclient(void) {
 }
 
 static void
-newwindow(Client *c, const Arg *arg, gboolean noembed) {
+newwindow(Client *c, const Arg *arg, gboolean noembed, const enum NavTransparency navtrans) {
 	guint i = 0;
-	const char *cmd[16], *uri;
+	const char *cmd[22], *uri;
 	const Arg a = { .v = (void *)cmd };
 	char tmp[64];
+	char *origin_packed = NULL;
 
 	cmd[i++] = argv0;
 	cmd[i++] = "-a";
@@ -949,8 +1026,20 @@ newwindow(Client *c, const Arg *arg, gboolean noembed) {
 		cmd[i++] = "-s";
 	if(showxid)
 		cmd[i++] = "-x";
+	if(sameoriginpolicy)
+		cmd[i++] = "-O";
+		cmd[i++] = originpromptfile;
 	if(enablediskcache)
 		cmd[i++] = "-D";
+	if(navtrans == NavImplicit) {
+		cmd[i++] = "-R";
+		if (originhas(origin_uri)) {
+			origin_packed = origingeturi(origin_uri);
+		} else {
+			origin_packed = g_strdup("-");
+		}
+		cmd[i++] = origin_packed;
+	}
 	cmd[i++] = "-c";
 	cmd[i++] = cookiefile;
 	cmd[i++] = "--";
@@ -959,6 +1048,7 @@ newwindow(Client *c, const Arg *arg, gboolean noembed) {
 		cmd[i++] = uri;
 	cmd[i++] = NULL;
 	spawn(NULL, &a);
+	g_free(origin_packed);
 }
 
 static gboolean
@@ -1009,11 +1099,112 @@ menuactivate(GtkMenuItem *item, Client *c) {
 	}
 }
 
+static int
+origincmp(const char *uri1, const char *uri2) {
+	/* Doesn't handle default ports, but otherwise should comply with RFC 6454, The Web Origin Concept. */
+	int c;
+	if        (g_str_has_prefix(uri1, "http://")  && g_str_has_prefix(uri2, "http://")) {
+		return strncmp(uri1 + strlen("http://"),  uri2 + strlen("http://"),  strcspn(uri1 + strlen("http://"),  "/?#"));
+	} else if (g_str_has_prefix(uri1, "https://") && g_str_has_prefix(uri2, "https://")) {
+		return strncmp(uri1 + strlen("https://"), uri2 + strlen("https://"), strcspn(uri1 + strlen("https://"), "/?#"));
+	} else {
+		c = strcmp(uri1, uri2);
+		if (c == 0) {
+			/* -1 when 0 to force a mismatch in originmatch() */
+			c = -1;
+		}
+		return c;
+	}
+}
+
+static int
+originhas(const char *uri) {
+	char *origin = origingethost(uri);
+	int has = origin != NULL;
+	free(origin);
+	return has;
+}
+
+static const char *
+origingetproto(const char *uri) {
+	if (g_str_has_prefix(uri, "http://")) {
+		return "http";
+	} else if (g_str_has_prefix(uri, "https://")) {
+		return "https";
+	} else {
+		return NULL;
+	}
+}
+
+/* caller must free() the return value, if not NULL */
+static char *
+origingethost(const char *uri) {
+	/* Doesn't handle default ports, but otherwise should comply with RFC 6454, The Web Origin Concept. */
+	char  *origin = NULL;
+	size_t spansize;
+	size_t spanstart;
+
+	if (       g_str_has_prefix(uri, "http://")) {
+		spanstart =       strlen("http://");
+	} else if (g_str_has_prefix(uri, "https://")) {
+		spanstart =       strlen("https://");
+	} else {
+		/* 
+		 * RFC 6454: this case should return a globally unique origin. 
+		 *
+		 * As long as processes are per-origin
+		 * (that is, new origins get a new process),
+		 * then relying only on process state provides this uniqueness,
+		 * since anything stored would be stored by an inaccessible key. 
+		 *
+		 * So, when the caller gets this error,
+		 * it should just bypass storage altogether.
+		 */
+		return NULL;
+	}
+
+	spansize = strcspn(uri + spanstart, "/?#");
+	if (spansize > 0 && uri[spanstart] == '.') {
+		/* kill attempt to traverse into parent folder */
+		return NULL;
+	}
+	origin = malloc(sizeof(char) * (spansize + 1));
+	if (origin) {
+		strncpy(origin, uri + spanstart, spansize);
+		origin[spansize] = '\0';
+		/* malloc()'d origin */
+		return origin;
+	} else {
+		/* ENOMEM set by malloc() */
+		return NULL;
+	}
+}
+
+/* caller must g_free() the return value, if not NULL */
+static char *
+origingeturi(const char *uri) {
+	const char *origin_proto = origingetproto(uri);
+	char *origin_host = origingethost(uri);
+	char *origin_packed = NULL;
+	if (origin_host) {
+		origin_packed = g_strdup_printf("%s://%s", origin_proto, origin_host);
+	}
+	g_free(origin_host);
+	return origin_packed;
+}
+
+static int
+originmatch(const char *uri1, const char *uri2) {
+	return origincmp(uri1, uri2) == 0;
+}
+
 static void
 pasteuri(GtkClipboard *clipboard, const char *text, gpointer d) {
-	Arg arg = {.v = text };
+	char *qualified_uri = qualify_uri(text);
+	Arg arg = {.v = qualified_uri };
 	if(text != NULL)
-		loaduri((Client *) d, &arg);
+		loaduri((Client *) d, &arg, NavExplicit);
+	g_free(qualified_uri);
 }
 
 static void
@@ -1026,6 +1217,8 @@ processx(GdkXEvent *e, GdkEvent *event, gpointer d) {
 	Client *c = (Client *)d;
 	XPropertyEvent *ev;
 	Arg arg;
+	const char *unqualified_uri = NULL;
+	char *qualified_uri = NULL;
 
 	if(((XEvent *)e)->type == PropertyNotify) {
 		ev = &((XEvent *)e)->xproperty;
@@ -1036,10 +1229,17 @@ processx(GdkXEvent *e, GdkEvent *event, gpointer d) {
 
 				return GDK_FILTER_REMOVE;
 			} else if(ev->atom == atoms[AtomGo]) {
-				arg.v = getatom(c, AtomGo);
-				loaduri(c, &arg);
-
-				return GDK_FILTER_REMOVE;
+				unqualified_uri = getatom(c, AtomGo);
+				if (unqualified_uri) {
+					qualified_uri = qualify_uri(unqualified_uri);
+					if (qualified_uri) {
+						arg.v = qualified_uri;
+						loaduri(c, &arg, NavExplicit);
+						g_free(qualified_uri);
+	
+						return GDK_FILTER_REMOVE;
+					}
+				}
 			}
 		}
 	}
@@ -1106,9 +1306,11 @@ setatom(Client *c, int a, const char *v) {
 }
 
 static void
-setup(void) {
+setup(const char *qualified_uri) {
 	char *proxy;
 	char *new_proxy;
+	char *origin;
+	char *originpath;
 	SoupURI *puri;
 	SoupSession *s;
 	GError *error = NULL;
@@ -1124,11 +1326,30 @@ setup(void) {
 	atoms[AtomGo] = XInternAtom(dpy, "_SURF_GO", False);
 	atoms[AtomUri] = XInternAtom(dpy, "_SURF_URI", False);
 
+	if (originpromptfile)
+		if (!g_file_get_contents(originpromptfile, &originprompt, NULL, NULL))
+			die("Could not open origin prompt file\n");
+
 	/* dirs and files */
-	cookiefile = buildpath(cookiefile);
+	if (sameoriginpolicy && qualified_uri && originhas(qualified_uri)) {
+		origin = origingethost(qualified_uri);
+
+		originpath = g_strdup_printf(origincookiefile, origin);
+		cookiefile = buildpath(originpath);
+		g_free(originpath);
+
+		originpath = g_strdup_printf(origincachefolder, origin);
+		cachefolder = buildpath(originpath);
+		g_free(originpath);
+
+		free(origin);
+	} else {
+		cookiefile = buildpath(cookiefile);
+		cachefolder = buildpath(cachefolder);
+	}
+
 	scriptfile = buildpath(scriptfile);
 	stylefile = buildpath(stylefile);
-	cachefolder = buildpath(cachefolder);
 
 	/* request handler */
 	s = webkit_get_default_session();
@@ -1332,6 +1553,8 @@ gettogglestat(Client *c){
 
 	togglestat[p++] = enablediskcache? 'D': 'd';
 
+	togglestat[p++] = sameoriginpolicy? 'O' : 'o';
+
 	g_object_get(G_OBJECT(settings), "auto-load-images", &value, NULL);
 	togglestat[p++] = value? 'I': 'i';
 
@@ -1365,6 +1588,14 @@ getpagestat(Client *c) {
 static void
 updatetitle(Client *c) {
 	char *t;
+	char *originstat;
+
+	if(originhas(origin_uri)) {
+		originstat = origingethost(origin_uri);
+	} else {
+		originstat = g_strdup("-");
+	}
+			
 
 	if(showindicators) {
 		gettogglestat(c);
@@ -1374,11 +1605,14 @@ updatetitle(Client *c) {
 			t = g_strdup_printf("%s:%s | %s", togglestat,
 					pagestat, c->linkhover);
 		} else if(c->progress != 100) {
-			t = g_strdup_printf("[%i%%] %s:%s | %s", c->progress,
+			t = g_strdup_printf("[%i%%] %s:%s | %s | %s", c->progress,
 					togglestat, pagestat,
+					originstat,
 					(c->title == NULL)? "" : c->title);
 		} else {
-			t = g_strdup_printf("%s:%s | %s", togglestat, pagestat,
+			t = g_strdup_printf(       "%s:%s | %s | %s", 
+					togglestat, pagestat,
+					originstat,
 					(c->title == NULL)? "" : c->title);
 		}
 
@@ -1388,6 +1622,8 @@ updatetitle(Client *c) {
 		gtk_window_set_title(GTK_WINDOW(c->win),
 				(c->title == NULL)? "" : c->title);
 	}
+
+	g_free(originstat);
 }
 
 static void
@@ -1431,6 +1667,7 @@ int
 main(int argc, char *argv[]) {
 	Arg arg;
 	Client *c;
+	char *qualified_uri = NULL;
 
 	memset(&arg, 0, sizeof(arg));
 
@@ -1487,6 +1724,13 @@ main(int argc, char *argv[]) {
 	case 'N':
 		enableinspector = 1;
 		break;
+	case 'o':
+		sameoriginpolicy = 0;
+		break;
+	case 'O':
+		sameoriginpolicy = 1;
+		originpromptfile = EARGF(usage());
+		break;
 	case 'p':
 		enableplugins = 0;
 		break;
@@ -1496,6 +1740,9 @@ main(int argc, char *argv[]) {
 	case 'r':
 		scriptfile = EARGF(usage());
 		break;
+	case 'R':
+		referring_origin = EARGF(usage());
+		break;
 	case 's':
 		enablescripts = 0;
 		break;
@@ -1520,13 +1767,25 @@ main(int argc, char *argv[]) {
 	default:
 		usage();
 	} ARGEND;
-	if(argc > 0)
-		arg.v = argv[0];
+	if(argc > 0) {
+		if (argv[0]) {
+			qualified_uri = qualify_uri(argv[0]);
+		}
+	}
 
-	setup();
+	setup(qualified_uri);
 	c = newclient();
-	if(arg.v) {
-		loaduri(clients, &arg);
+	if(qualified_uri) {
+		if (originhas(qualified_uri)) {
+			origin_uri = qualified_uri;
+		}
+		if (sameoriginpolicy && referring_origin && (strcmp(referring_origin, "-") == 0 || !originmatch(referring_origin, qualified_uri))) {
+			loadgate(clients, referring_origin, qualified_uri);
+		} else {
+			arg.v = qualified_uri;
+			loaduri(clients, &arg, NavImplicit);
+		}
+		g_free(qualified_uri);
 	} else {
 		updatetitle(c);
 	}
@@ -1534,6 +1793,8 @@ main(int argc, char *argv[]) {
 	gtk_main();
 	cleanup();
 
+	g_free(qualified_uri);
+
 	return EXIT_SUCCESS;
 }
 
-- 
2.1.2