diff options
Diffstat (limited to 'security/manager/ssl/nsISiteSecurityService.idl')
| -rw-r--r-- | security/manager/ssl/nsISiteSecurityService.idl | 257 |
1 files changed, 257 insertions, 0 deletions
diff --git a/security/manager/ssl/nsISiteSecurityService.idl b/security/manager/ssl/nsISiteSecurityService.idl new file mode 100644 index 0000000000..b90a782374 --- /dev/null +++ b/security/manager/ssl/nsISiteSecurityService.idl @@ -0,0 +1,257 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIURI; +interface nsIObserver; +interface nsIHttpChannel; +interface nsITransportSecurityInfo; +interface nsISimpleEnumerator; + +%{C++ +#include "nsStringFwd.h" +#include "nsTArrayForwardDeclare.h" +namespace mozilla +{ + namespace pkix + { + class Time; + } +} +%} +[ref] native nsCStringTArrayRef(nsTArray<nsCString>); +[ref] native mozillaPkixTime(mozilla::pkix::Time); +[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes); + +// [infallible] attributes are only allowed on [builtinclass] +[scriptable, uuid(31313372-842c-4110-bdf1-6aea17c845ad), builtinclass] +interface nsISiteSecurityState : nsISupports +{ + [must_use] + readonly attribute ACString hostname; + [infallible] readonly attribute long long expireTime; + [infallible] readonly attribute short securityPropertyState; + [infallible] readonly attribute boolean includeSubdomains; + + [implicit_jscontext, must_use] + readonly attribute jsval originAttributes; + + /* + * SECURITY_PROPERTY_SET and SECURITY_PROPERTY_UNSET correspond to indicating + * a site has or does not have the security property in question, + * respectively. + * SECURITY_PROPERTY_KNOCKOUT indicates a value on a preloaded + * list is being overridden, and the associated site does not have the + * security property in question. + * SECURITY_PROPERTY_NEGATIVE is used when we've gotten a negative result from + * HSTS priming. + */ + const short SECURITY_PROPERTY_UNSET = 0; + const short SECURITY_PROPERTY_SET = 1; + const short SECURITY_PROPERTY_KNOCKOUT = 2; + const short SECURITY_PROPERTY_NEGATIVE = 3; +}; + +// This has to be a builtinclass because it derives from a builtinclass. +[scriptable, uuid(9ff16e40-1029-496c-95c2-bc819872b216), builtinclass] +interface nsISiteHSTSState : nsISiteSecurityState +{ +}; + +[scriptable, uuid(275127f8-dbd7-4681-afbf-6df0c6587a01)] +interface nsISiteSecurityService : nsISupports +{ + const uint32_t HEADER_HSTS = 0; + const uint32_t STATIC_PINNING = 1; // was HEADER_HPKP + // HEADER_OMS was 2 (but was never implemented) + + const uint32_t Success = 0; + const uint32_t ERROR_UNKNOWN = 1; + const uint32_t ERROR_UNTRUSTWORTHY_CONNECTION = 2; + const uint32_t ERROR_COULD_NOT_PARSE_HEADER = 3; + const uint32_t ERROR_NO_MAX_AGE = 4; + const uint32_t ERROR_MULTIPLE_MAX_AGES = 5; + const uint32_t ERROR_INVALID_MAX_AGE = 6; + const uint32_t ERROR_MULTIPLE_INCLUDE_SUBDOMAINS = 7; + const uint32_t ERROR_INVALID_INCLUDE_SUBDOMAINS = 8; + // The constants that were removed below were used in HPKP processing + // (which has been removed entirely). + // ERROR_INVALID_PIN was 9 + // ERROR_MULTIPLE_REPORT_URIS was 10 + // ERROR_PINSET_DOES_NOT_MATCH_CHAIN was 11 + // ERROR_NO_BACKUP_PIN was 12 + const uint32_t ERROR_COULD_NOT_SAVE_STATE = 13; + // ERROR_ROOT_NOT_BUILT_IN was 14 + + /** + * nsISiteSecurityService::IsSecureURI can optionally return a flag + * indicating the source of the HSTS cache entry, if it comes from the + * preload list, was seen naturally, or is a result of HSTS priming. + */ + const uint32_t SOURCE_UNKNOWN = 0; + const uint32_t SOURCE_PRELOAD_LIST = 1; + const uint32_t SOURCE_ORGANIC_REQUEST = 2; + + /** + * Parses a given HTTP header and records the results internally. + * Currently one header type is supported: HSTS (aka STS). + * The format of the HSTS header is defined by the HSTS specification: + * https://tools.ietf.org/html/rfc6797 + * and allows a host to specify that future HTTP requests should be + * upgraded to HTTPS. + * + * @param aType the type of security header in question. + * @param aSourceURI the URI of the resource with the HTTP header. + * @param aHeader the HTTP response header specifying security data. + * @param aSecInfo the TransportSecurityInfo of the current channel. + * @param aFlags options for this request as defined in nsISocketProvider: + * NO_PERMANENT_STORAGE + * @param aOriginAttributes the origin attributes that isolate this origin, + * (note that this implementation does not isolate + * by userContextId because of the risk of man-in- + * the-middle attacks before trust-on-second-use + * happens). + * @param aSource the source of the header, whether it was from the preload + * list, an organic header, or HSTS priming, or unknown. + * @param aMaxAge the parsed max-age directive of the header. + * @param aIncludeSubdomains the parsed includeSubdomains directive. + * @param aFailureResult a more specific failure result if NS_ERROR_FAILURE + was returned. + * @return NS_OK if it succeeds + * NS_ERROR_FAILURE if it can't be parsed + * NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA + * if there are unrecognized tokens in the header. + */ + [binaryname(ProcessHeader), noscript, must_use] + void processHeaderNative(in uint32_t aType, + in nsIURI aSourceURI, + in ACString aHeader, + in nsITransportSecurityInfo aSecInfo, + in uint32_t aFlags, + in uint32_t aSource, + in const_OriginAttributesRef aOriginAttributes, + [optional] out unsigned long long aMaxAge, + [optional] out boolean aIncludeSubdomains, + [optional] out uint32_t aFailureResult); + + [binaryname(ProcessHeaderScriptable), implicit_jscontext, optional_argc, + must_use] + void processHeader(in uint32_t aType, + in nsIURI aSourceURI, + in ACString aHeader, + in nsITransportSecurityInfo aSecInfo, + in uint32_t aFlags, + in uint32_t aSource, + [optional] in jsval aOriginAttributes, + [optional] out unsigned long long aMaxAge, + [optional] out boolean aIncludeSubdomains, + [optional] out uint32_t aFailureResult); + + /** + * Given a header type, resets state relating to that header of a host, + * including the includeSubdomains state that would affect subdomains. + * This essentially removes the state for the domain tree rooted at this + * host. If any preloaded information is present for that host, that + * information will then be used instead of any other previously existing + * state. + * + * @param aType the type of security state in question + * @param aURI the URI of the target host + * @param aFlags options for this request as defined in nsISocketProvider: + * NO_PERMANENT_STORAGE + * @param aOriginAttributes the origin attributes that isolate this origin, + * (note that this implementation does not isolate + * by userContextId because of the risk of man-in- + * the-middle attacks before trust-on-second-use + * happens). + */ + [implicit_jscontext, optional_argc, must_use] + void resetState(in uint32_t aType, + in nsIURI aURI, + in uint32_t aFlags, + [optional] in jsval aOriginAttributes); + + /** + * Checks whether or not the URI's hostname has a given security state set. + * For example, for HSTS: + * The URI is an HSTS URI if either the host has the HSTS state set, or one + * of its super-domains has the HSTS "includeSubdomains" flag set. + * NOTE: this function makes decisions based only on the + * host contained in the URI, and disregards other portions of the URI + * such as path and port. + * + * @param aType the type of security state in question. + * @param aURI the URI to query for STS state. + * @param aFlags options for this request as defined in nsISocketProvider: + * NO_PERMANENT_STORAGE + * @param aOriginAttributes the origin attributes that isolate this origin, + * (note that this implementation does not isolate + * by userContextId because of the risk of man-in- + * the-middle attacks before trust-on-second-use + * happens). + * @param aCached true if we have cached information about this host, even + * if the security state is false. + * @param aSource the source of the HSTS entry. One of SOURCE_PRELOAD_LIST, + * SOURCE_ORGANIC_REQUEST, SOURCE_HSTS_PRIMING, or + * SOURCE_UNKNOWN. + */ + [binaryname(IsSecureURI), noscript, must_use] + boolean isSecureURINative(in uint32_t aType, in nsIURI aURI, + in uint32_t aFlags, + in const_OriginAttributesRef aOriginAttributes, + [optional] out boolean aCached, + [optional] out uint32_t aSource); + + [binaryname(IsSecureURIScriptable), implicit_jscontext, optional_argc, + must_use] + boolean isSecureURI(in uint32_t aType, in nsIURI aURI, in uint32_t aFlags, + [optional] in jsval aOriginAttributes, + [optional] out boolean aCached, + [optional] out uint32_t aSource); + + /** + * Removes all non-preloaded security state by resetting to factory-original + * settings. + */ + [must_use] + void clearAll(); + + /** + * Removes all preloaded security state. + */ + [must_use] + void clearPreloads(); + + /** + * Set an HSTS preload entry for a host. The resulting entries will be + * permanent and visible from private and non-private contexts. These + * entries replace any already set by this mechanism or those built-in to + * Gecko. + * + * @param aHost the hostname (punycode) that the entry applies to + * @param aIncludeSubdomains whether this entry also applies to subdomains + * @param aExpires the time this entry should expire (millis since epoch) + */ + [must_use] + boolean setHSTSPreload(in ACString aHost, + in boolean aIncludesSubdomains, + in int64_t aExpires); + + /** + * Returns an enumerator of the nsISiteSecurityService storage. Each item in + * the enumeration is a nsISiteSecurityState that can be QueryInterfaced to + * nsISiteHSTSState. + * Doesn't include preloaded entries (either the hard-coded ones or the + * preloaded-delivered-by-kinto ones). + * + * @param aType the type of security state in question. + */ + [must_use] + nsISimpleEnumerator enumerate(in uint32_t aType); +}; + +%{C++ +#define NS_SSSERVICE_CONTRACTID "@mozilla.org/ssservice;1" +%} |