diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /netwerk/base/nsILoadInfo.idl | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | netwerk/base/nsILoadInfo.idl | 1535 |
1 files changed, 1535 insertions, 0 deletions
diff --git a/netwerk/base/nsILoadInfo.idl b/netwerk/base/nsILoadInfo.idl new file mode 100644 index 0000000000..ddfcb223e6 --- /dev/null +++ b/netwerk/base/nsILoadInfo.idl @@ -0,0 +1,1535 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: ft=cpp tw=78 sw=2 et ts=2 sts=2 cin + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" +#include "nsIContentPolicy.idl" +#include "nsIScriptSecurityManager.idl" +#include "nsIInterceptionInfo.idl" + +interface nsIChannel; +interface nsIContentSecurityPolicy; +interface nsICookieJarSettings; +interface nsICSPEventListener; +interface nsINode; +interface nsIPrincipal; +interface nsIRedirectHistoryEntry; +interface nsIURI; +webidl Document; +webidl BrowsingContext; +native LoadContextRef(already_AddRefed<nsISupports>); +%{C++ +#include "nsTArray.h" +#include "mozilla/LoadTainting.h" +#include "mozilla/OriginAttributes.h" +#include "mozilla/UniquePtr.h" +#include "nsRFPService.h" +#include "nsStringFwd.h" + +namespace mozilla { +namespace dom { +class ClientInfo; +class ClientSource; +class PerformanceStorage; +class ServiceWorkerDescriptor; +} // namespace dom +} // namespace mozilla +%} + +[ref] native nsIRedirectHistoryEntryArray(const nsTArray<nsCOMPtr<nsIRedirectHistoryEntry>>); +native OriginAttributes(mozilla::OriginAttributes); +[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes); +[ref] native CStringArrayRef(const nsTArray<nsCString>); +[ref] native StringArrayRef(const nsTArray<nsString>); +[ref] native Uint64ArrayRef(const nsTArray<uint64_t>); +[ref] native PrincipalArrayRef(const nsTArray<nsCOMPtr<nsIPrincipal>>); +[ref] native const_ClientInfoRef(const mozilla::dom::ClientInfo); + native UniqueClientSource(mozilla::UniquePtr<mozilla::dom::ClientSource>); + native UniqueClientSourceMove(mozilla::UniquePtr<mozilla::dom::ClientSource>&&); +[ref] native const_MaybeClientInfoRef(const mozilla::Maybe<mozilla::dom::ClientInfo>); +[ref] native const_ServiceWorkerDescriptorRef(const mozilla::dom::ServiceWorkerDescriptor); +[ref] native const_MaybeServiceWorkerDescriptorRef(const mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor>); +[ref] native const_MaybeRFPTarget(const mozilla::Maybe<mozilla::RFPTarget>); + native RFPTarget(mozilla::RFPTarget); +[ptr] native PerformanceStoragePtr(mozilla::dom::PerformanceStorage); + native LoadTainting(mozilla::LoadTainting); + native CSPRef(already_AddRefed<nsIContentSecurityPolicy>); + +typedef unsigned long nsSecurityFlags; + +/** + * The LoadInfo object contains information about a network load, why it + * was started, and how we plan on using the resulting response. + * If a network request is redirected, the new channel will receive a new + * LoadInfo object. The new object will contain mostly the same + * information as the pre-redirect one, but updated as appropriate. + * For detailed information about what parts of LoadInfo are updated on + * redirect, see documentation on individual properties. + */ +[scriptable, builtinclass, uuid(ddc65bf9-2f60-41ab-b22a-4f1ae9efcd36)] +interface nsILoadInfo : nsISupports +{ + /** + * The following five flags determine the security mode and hence what kind of + * security checks should be performed throughout the lifetime of the channel. + * + * * SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT + * * SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED + * * SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT + * * SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL + * * SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT + * + * Exactly one of these flags are required to be set in order to allow + * the channel to perform the correct security checks (SOP, CORS, ...) and + * return the correct result principal. If none or more than one of these + * flags are set AsyncOpen will fail. + */ + + /** + * Warning: Never use this flag when creating a new channel! + * Only use this flag if you have to create a temporary LoadInfo + * for performing an explicit nsIContentPolicy check, like e.g. + * when loading something from the cache that needs an explicit + * nsIContentPolicy check. In all other cases pick one of the + * security flags underneath. + */ + const unsigned long SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK = 0; + + /* + * Enforce the same origin policy where loads inherit the principal. + * See the documentation for principalToInherit, which describes exactly what + * principal is inherited. + */ + const unsigned long SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT = (1<<0); + + /* + * Enforce the same origin policy and data: loads are blocked. + */ + const unsigned long SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED = (1<<1); + + /** + * Allow loads from other origins. Loads which inherit the principal should + * see the documentation for principalToInherit, which describes exactly what + * principal is inherited. + * + * Commonly used by plain <img>, <video>, <link rel=stylesheet> etc. + */ + const unsigned long SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT = (1 << 2); + + /** + * Allow loads from other origins. Loads from data: will be allowed, + * but the resulting resource will get a null principal. + * Used in blink/webkit for <iframe>s. Likely also the mode + * that should be used by most Chrome code. + */ + const unsigned long SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL = (1<<3); + + /** + * Allow loads from any origin, but require CORS for cross-origin loads. + * See the documentation for principalToInherit, which describes exactly what + * principal is inherited. + * + * Commonly used by <img crossorigin>, <video crossorigin>, + * XHR, fetch(), etc. + */ + const unsigned long SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT = (1<<4); + + /** + * Choose cookie policy. The default policy is equivalent to "INCLUDE" for + * SEC_REQUIRE_SAME_ORIGIN_* and SEC_ALLOW_CROSS_ORIGIN_* modes, and + * equivalent to "SAME_ORIGIN" for SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT mode. + * + * This means that if you want to perform a CORS load with credentials, pass + * SEC_COOKIES_INCLUDE. + * + * Note that these flags are still subject to the user's cookie policies. + * For example, if the user is blocking 3rd party cookies, those cookies + * will be blocked no matter which of these flags are set. + */ + const unsigned long SEC_COOKIES_DEFAULT = (0 << 5); + const unsigned long SEC_COOKIES_INCLUDE = (1 << 5); + const unsigned long SEC_COOKIES_SAME_ORIGIN = (2 << 5); + const unsigned long SEC_COOKIES_OMIT = (3 << 5); + + /** + * Force inheriting of the principal. See the documentation for + * principalToInherit, which describes exactly what principal is inherited. + * + * Setting this flag will cause GetChannelResultPrincipal to return the + * principal to be inherited as the channel principal. + * + * This will happen independently of the scheme of the URI that the + * channel is loading. + * + * So if the principal that gets inherited is "http://a.com/", and the channel + * is loading the URI "http://b.com/whatever", GetChannelResultPrincipal + * will return a principal from "http://a.com/". + * + * This flag can not be used together with SANDBOXED_ORIGIN sandbox flag. If + * both are passed to the LoadInfo constructor then this flag will be dropped. + * If you need to know whether this flag would have been present but was dropped + * due to sandboxing, check for the forceInheritPrincipalDropped flag. + */ + const unsigned long SEC_FORCE_INHERIT_PRINCIPAL = (1<<7); + + /** + * Inherit the Principal for about:blank. + */ + const unsigned long SEC_ABOUT_BLANK_INHERITS = (1<<9); + + /** + * Allow access to chrome: packages that are content accessible. + */ + const unsigned long SEC_ALLOW_CHROME = (1<<10); + + /** + * Disallow access to javascript: uris. + */ + const unsigned long SEC_DISALLOW_SCRIPT = (1<<11); + + /** + * Don't follow redirects. Instead the redirect response is returned + * as a successful response for the channel. + * + * Redirects not initiated by a server response, i.e. REDIRECT_INTERNAL and + * REDIRECT_STS_UPGRADE, are still followed. + * + * Note: If this flag is set and the channel response is a redirect, then + * the response body might not be available. + * This can happen if the redirect was cached. + */ + const unsigned long SEC_DONT_FOLLOW_REDIRECTS = (1<<12); + + /** + * Load an error page, it should be one of following : about:neterror, + * about:certerror, about:blocked, about:tabcrashed or about:restartrequired. + */ + const unsigned long SEC_LOAD_ERROR_PAGE = (1<<13); + + /** + * Force inheriting of the principal, overruling any owner that might be set + * on the channel. (Please note that channel.owner is deprecated and will be + * removed within Bug 1286838). See the documentation for principalToInherit, + * which describes exactly what principal is inherited. + * + * Setting this flag will cause GetChannelResultPrincipal to return the + * principal to be inherited as the channel principal. + * + * This will happen independently of the scheme of the URI that the + * channel is loading. + */ + const unsigned long SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER = (1<<14); + + /** + * This is the principal of the network request's caller/requester where + * the resulting resource will be used. I.e. it is the principal which + * will get access to the result of the request. (Where "get access to" + * might simply mean "embed" depending on the type of resource that is + * loaded). + * + * For example for an image, it is the principal of the document where + * the image is rendered. For a stylesheet it is the principal of the + * document where the stylesheet will be applied. + * + * So if document at http://a.com/page.html loads an image from + * http://b.com/pic.jpg, then loadingPrincipal will be + * http://a.com/page.html. + * + * For <iframe> and <frame> loads, the LoadingPrincipal is the + * principal of the parent document. For top-level loads, the + * LoadingPrincipal is null. For all loads except top-level loads + * the LoadingPrincipal is never null. + * + * If the loadingPrincipal is the system principal, no security checks + * will be done at all. There will be no security checks on the initial + * load or any subsequent redirects. This means there will be no + * nsIContentPolicy checks or any CheckLoadURI checks. Because of + * this, never set the loadingPrincipal to the system principal when + * the URI to be loaded is controlled by a webpage. + * If the loadingPrincipal and triggeringPrincipal are both + * content principals, then we will always call into + * nsIContentPolicies and CheckLoadURI. The call to nsIContentPolicies + * and CheckLoadURI happen even if the URI to be loaded is same-origin + * with the loadingPrincipal or triggeringPrincipal. + */ + readonly attribute nsIPrincipal loadingPrincipal; + + /** + * A C++-friendly version of triggeringPrincipal. + * + * This is a bit awkward because we can't use + * binaryname(GetLoadingPrincipal). + */ + [noscript, notxpcom, nostdcall] + nsIPrincipal virtualGetLoadingPrincipal(); + +%{C++ + nsIPrincipal* GetLoadingPrincipal() { + return VirtualGetLoadingPrincipal(); + } +%} + + /** + * This is the principal which caused the network load to start. I.e. + * this is the principal which provided the URL to be loaded. This is + * often the same as the LoadingPrincipal, but there are a few cases + * where that's not true. + * + * For example for loads into an <iframe>, the LoadingPrincipal is always + * the principal of the parent document. However the triggeringPrincipal + * is the principal of the document which provided the URL that the + * <iframe> is navigating to. This could be the previous document inside + * the <iframe> which set document.location. Or a document elsewhere in + * the frame tree which contained a <a target="..."> which targetted the + * <iframe>. + * + * If a stylesheet links to a sub-resource, like an @imported stylesheet, + * or a background image, then the triggeringPrincipal is the principal + * of the stylesheet, while the LoadingPrincipal is the principal of the + * document being styled. + * + * The triggeringPrincipal is never null. + * + * If the triggeringPrincipal is the system principal, no security checks + * will be done at all. There will be no security checks on the initial + * load or any subsequent redirects. This means there will be no + * nsIContentPolicy checks or any CheckLoadURI checks. Because of + * this, never set the triggeringPrincipal to the system principal when + * the URI to be loaded is controlled by a webpage. + * If the loadingPrincipal and triggeringPrincipal are both + * content principals, then we will always call into + * nsIContentPolicies and CheckLoadURI. The call to nsIContentPolicies + * and CheckLoadURI happen even if the URI to be loaded is same-origin + * with the loadingPrincipal or triggeringPrincipal. + */ + readonly attribute nsIPrincipal triggeringPrincipal; + + /** + * A C++-friendly version of triggeringPrincipal. + */ + [noscript, notxpcom, nostdcall, binaryname(TriggeringPrincipal)] + nsIPrincipal binaryTriggeringPrincipal(); + + /** + * The remote type of the process which caused the network load to start. I.e. + * this is the remote type of the process which provided the URL to be loaded. + * + * For subresource loads, this should be the same as the process which will + * handle the response, however for document loads this may both be different + * than the final process, as well as different from the process which starts + * the navigation. + * + * This field is intentionally not perfectly preserved over IPC, and will be + * reset to the remote type of the sending process when sent from a content + * process to the parent process. + */ + attribute AUTF8String triggeringRemoteType; + + /** + * For non-document loads the principalToInherit is always null. For + * loads of type TYPE_DOCUMENT or TYPE_SUBDOCUMENT the principalToInherit + * might be null. If it's non null, then this is the principal that is + * inherited if a principal needs to be inherited. If the principalToInherit + * is null but the inherit flag is set, then the triggeringPrincipal is + * the principal that is inherited. + */ + attribute nsIPrincipal principalToInherit; + + /** + * A C++-friendly version of principalToInherit. + */ + [noscript, notxpcom, nostdcall, binaryname(PrincipalToInherit)] + nsIPrincipal binaryPrincipalToInherit(); + + /** + * Finds the correct principal to inherit for the given channel, based on + * the values of PrincipalToInherit and TriggeringPrincipal. + */ + [noscript, notxpcom, nostdcall] + nsIPrincipal FindPrincipalToInherit(in nsIChannel aChannel); + + /** + * This is the ownerDocument of the LoadingNode. Unless the LoadingNode + * is a Document, in which case the LoadingDocument is the same as the + * LoadingNode. + * + * For top-level loads, and for loads originating from workers, the + * LoadingDocument is null. When the LoadingDocument is not null, the + * LoadingPrincipal is set to the principal of the LoadingDocument. + */ + readonly attribute Document loadingDocument; + + /** + * A C++-friendly version of loadingDocument (loadingNode). + * This is the Node where the resulting resource will be used. I.e. it is + * the Node which will get access to the result of the request. (Where + * "get access to" might simply mean "embed" depending on the type of + * resource that is loaded). + * + * For example for an <img>/<video> it is the image/video element. For + * document loads inside <iframe> and <frame>s, the LoadingNode is the + * <iframe>/<frame> element. For an XMLHttpRequest, it is the Document + * which contained the JS which initiated the XHR. For a stylesheet, it + * is the Document that contains <link rel=stylesheet>. + * + * For loads triggered by the HTML pre-parser, the LoadingNode is the + * Document which is currently being parsed. + * + * For top-level loads, and for loads originating from workers, the + * LoadingNode is null. If the LoadingNode is non-null, then the + * LoadingPrincipal is the principal of the LoadingNode. + */ + [noscript, notxpcom, nostdcall, binaryname(LoadingNode)] + nsINode binaryLoadingNode(); + + /** + * A C++ friendly version of the loadingContext for toplevel loads. + * Most likely you want to query the ownerDocument or LoadingNode + * and not this context only available for TYPE_DOCUMENT loads. + * Please note that except for loads of TYPE_DOCUMENT, this + * ContextForTopLevelLoad will always return null. + */ + [noscript, notxpcom, nostdcall, binaryname(ContextForTopLevelLoad)] + LoadContextRef binaryContextForTopLevelLoad(); + + /** + * For all loads except loads of TYPE_DOCUMENT, the loadingContext + * simply returns the loadingNode. For loads of TYPE_DOCUMENT this + * will return the context available for top-level loads which + * do not have a loadingNode. + */ + [binaryname(LoadingContextXPCOM)] + readonly attribute nsISupports loadingContext; + + /** + * A C++ friendly version of the loadingContext. + */ + [noscript, notxpcom, nostdcall, binaryname(GetLoadingContext)] + LoadContextRef binaryGetLoadingContext(); + + /** + * The securityFlags of that channel. + */ + readonly attribute nsSecurityFlags securityFlags; + +%{C++ + inline nsSecurityFlags GetSecurityFlags() + { + nsSecurityFlags result; + mozilla::DebugOnly<nsresult> rv = GetSecurityFlags(&result); + MOZ_ASSERT(NS_SUCCEEDED(rv)); + return result; + } +%} + + /** + * The sandboxFlags of that channel. + */ + [infallible] readonly attribute unsigned long sandboxFlags; + + /** + * The TriggingSandboxFlags are the SandboxFlags of the entity + * responsible for causing the load to occur. + */ + [infallible] attribute unsigned long triggeringSandboxFlags; + + + /** + * The window id and storage access status of the window of the + * context that triggered the load. This is used to allow self-initiated + * same-origin navigations to propogate their "has storage access" bit + * to the next Document. + */ + [infallible] attribute unsigned long long triggeringWindowId; + [infallible] attribute boolean triggeringStorageAccess; + + /** + * Allows to query only the security mode bits from above. + */ + [infallible] readonly attribute unsigned long securityMode; + + /** + * This flag is used for any browsing context where we should not sniff + * the content type. E.g if an iframe has the XCTO nosniff header, then + * that flag is set to true so we skip content sniffing for that browsing + * context. + */ + [infallible] attribute boolean skipContentSniffing; + + /** + * (default) If this flag is set, it has not yet been determined if the + * HTTPS-Only mode will upgrade the request. + */ + const unsigned long HTTPS_ONLY_UNINITIALIZED = (1 << 0); + + /** + * Indicates that this is the first time the request gets upgraded, and thus + * the HTTPS-Only StreamListener hasn't been registered yet. Even though there + * might be multiple channels per request that have to be upgraded (e.g., + * because of redirects), the StreamListener only has to be attached to one + * channel. + */ + const unsigned long HTTPS_ONLY_UPGRADED_LISTENER_NOT_REGISTERED = (1 << 1); + + /** + * Indicates that the request will get upgraded, and the HTTPS-Only + * StreamListener got registered. + */ + const unsigned long HTTPS_ONLY_UPGRADED_LISTENER_REGISTERED = (1 << 2); + + /** + * This flag can be manually set if the HTTPS-Only mode should exempt the + * request and not upgrade it. (e.g in the case of OCSP. + */ + const unsigned long HTTPS_ONLY_EXEMPT = (1 << 3); + + /** + * This flag can only ever be set on top-level loads. It indicates + * that the top-level https connection succeeded. This flag is mostly + * used to counter time-outs which allows to cancel the channel + * if the https load has not started. + */ + const unsigned long HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS = (1 << 4); + + /** + * This flag can only ever be set on downloads. It indicates + * that the download https connection succeeded. This flag is mostly + * used to counter time-outs which allows to cancel the channel + * if the https load has not started. + */ + const unsigned long HTTPS_ONLY_DOWNLOAD_IN_PROGRESS = (1 << 5); + + /** + * This flag indicates that the request should not be logged to the + * console. + */ + const unsigned long HTTPS_ONLY_DO_NOT_LOG_TO_CONSOLE = (1 << 6); + + /** + * This flag indicates that the request was upgraded by https-first mode. + */ + const unsigned long HTTPS_ONLY_UPGRADED_HTTPS_FIRST = (1 << 7); + + /** + * This flag indicates that the request should not be blocked by ORB. + */ + const unsigned long HTTPS_ONLY_BYPASS_ORB = (1 << 8); + + /** + * This flag indicates that HTTPS_ONLY_EXEMPT should be + * set the next time HTTPS-Only exemptions are checked + * and HTTPS-First is enabled. + */ + const unsigned long HTTPS_FIRST_EXEMPT_NEXT_LOAD = (1 << 9); + + /** + * Upgrade state of HTTPS-Only Mode. The flag HTTPS_ONLY_EXEMPT can get + * set on requests that should be excempt from an upgrade. + */ + [infallible] attribute unsigned long httpsOnlyStatus; + + /** + * Reflects whetehr this is an HTTP Strict Transport Security host + */ +[infallible] attribute boolean hstsStatus; + + /** + * Returns true if at the time of the loadinfo construction the document + * that triggered this load has the bit hasValidTransientUserGestureActivation + * set or the load was triggered from External. (Mostly this bool is used + * in the context of Sec-Fetch-User.) + */ + [infallible] attribute boolean hasValidUserGestureActivation; + + /** + * We disallow the SystemPrincipal to initiate requests to + * the public web. This flag is to allow exceptions. + */ + [infallible] attribute boolean allowDeprecatedSystemRequests; + + /** + * Only ever returns true if the loadinfo is of TYPE_SCRIPT and + * the script was created by the HTML parser. + */ + [infallible] attribute boolean parserCreatedScript; + + /** + * True if this request is known to have been triggered by a user + * manually requesting the URI to be saved. + */ + [infallible] attribute boolean isUserTriggeredSave; + + /** + * True if this request is from DevTools. + */ + [infallible] attribute boolean isInDevToolsContext; + + /** + * True if this request is embedded in a context that can't be third-party + * (i.e. an iframe embedded in a cross-origin parent window). If this is + * false, then this request may be third-party if it's a third-party to + * loadingPrincipal. + */ + [infallible] attribute boolean isInThirdPartyContext; + + /** + * True if this request is a third party in respect to the top-level window. + * + * Note that this doesn't consider the parent window. I.e. It will still + * return false even in the case that the parent is cross-origin but the + * top-level is same-origin. + * + * This value would be set during opening the channel in parent and propagate + * to the channel in the content. + */ + [infallible] attribute boolean isThirdPartyContextToTopWindow; + + /** + * See the SEC_COOKIES_* flags above. This attribute will never return + * SEC_COOKIES_DEFAULT, but will instead return what the policy resolves to. + * I.e. SEC_COOKIES_SAME_ORIGIN for CORS mode, and SEC_COOKIES_INCLUDE + * otherwise. + */ + [infallible] readonly attribute unsigned long cookiePolicy; + + /** + * The cookie jar settings inherited from the top-level document's loadInfo. + * It cannot be null. + */ + attribute nsICookieJarSettings cookieJarSettings; + + cenum StoragePermissionState : 8 { + NoStoragePermission = 0, + HasStoragePermission = 1, + StoragePermissionAllowListed = 2, + }; + + /** + * The result of the storage permission check of the loading document. This + * value would be set during opening the channel. + */ + [infallible] attribute nsILoadInfo_StoragePermissionState + storagePermission; + + /** + * Get the granular overrides of fingerprinting protections associated to the + * channel, the value will override the default fingerprinting protection + * settings. This field will only get populated if these is one that comes + * from the local granular overrides pref or WebCompat. Otherwise, a value of + * Nothing() indicates no granular overrides are present for this channel. + * + * The RFPTarget defined in the RFPTargets.inc. + */ + [noscript, nostdcall, notxpcom] + const_MaybeRFPTarget GetOverriddenFingerprintingSettings(); + + /** + * Set the granular overrides of fingerprinting protections for the channel. + */ + [noscript, nostdcall, notxpcom] + void SetOverriddenFingerprintingSettings(in RFPTarget aTargets); + + /** + * True if the load was triggered by a meta refresh. + */ + [infallible] attribute boolean isMetaRefresh; + + /** + * If forceInheritPrincipal is true, the data coming from the channel should + * inherit its principal, even when the data is loaded over http:// or another + * protocol that would normally use a URI-based principal. + * + * See the documentation for principalToInherit, which describes exactly what + * principal is inherited. + * + * This attribute will never be true when loadingSandboxed is true. + */ + [infallible] readonly attribute boolean forceInheritPrincipal; + + /** + * If forceInheritPrincipalOverruleOwner is true, the data coming from the + * channel should inherit the principal, even when the data is loaded over + * http:// or another protocol that would normally use a URI-based principal + * and even if the channel's .owner is not null. This last is the difference + * between forceInheritPrincipalOverruleOwner and forceInheritPrincipal: the + * latter does _not_ overrule the .owner setting. + * + * See the documentation for principalToInherit, which describes exactly what + * principal is inherited. + */ + [infallible] readonly attribute boolean forceInheritPrincipalOverruleOwner; + + /** + * If loadingSandboxed is true, the data coming from the channel is + * being loaded sandboxed, so it should have a nonce origin and + * hence should use a NullPrincipal. + */ + [infallible] readonly attribute boolean loadingSandboxed; + + /** + * If aboutBlankInherits is true, then about:blank should inherit + * the principal. + */ + [infallible] readonly attribute boolean aboutBlankInherits; + + /** + * If allowChrome is true, then use nsIScriptSecurityManager::ALLOW_CHROME + * when calling CheckLoadURIWithPrincipal(). + */ + [infallible] readonly attribute boolean allowChrome; + + /** + * If disallowScript is true, then use nsIScriptSecurityManager::DISALLOW_SCRIPT + * when calling CheckLoadURIWithPrincipal(). + */ + [infallible] readonly attribute boolean disallowScript; + +%{C++ + uint32_t CheckLoadURIFlags() { + uint32_t flags = nsIScriptSecurityManager::STANDARD; + if (GetAllowChrome()) { + flags |= nsIScriptSecurityManager::ALLOW_CHROME; + } + if (GetDisallowScript()) { + flags |= nsIScriptSecurityManager::DISALLOW_SCRIPT; + } + return flags; + } +%} + + /** + * Returns true if SEC_DONT_FOLLOW_REDIRECTS is set. + */ + [infallible] readonly attribute boolean dontFollowRedirects; + + /** + * Returns true if SEC_LOAD_ERROR_PAGE is set. + */ + [infallible] readonly attribute boolean loadErrorPage; + + /** + * True if the load was initiated by a form request. + */ + [infallible] attribute boolean isFormSubmission; + + /** + * The external contentPolicyType of the channel, used for security checks + * like Mixed Content Blocking and Content Security Policy. + * + * Specifically, content policy types with _INTERNAL_ in their name will + * never get returned from this attribute. + */ + readonly attribute nsContentPolicyType externalContentPolicyType; + + /** + * CSP uses this parameter to send or not CSP violation events. + * Default value: true. + */ + [infallible] attribute boolean sendCSPViolationEvents; + +%{ C++ + inline ExtContentPolicyType GetExternalContentPolicyType() + { + nsContentPolicyType result; + mozilla::DebugOnly<nsresult> rv = GetExternalContentPolicyType(&result); + MOZ_ASSERT(NS_SUCCEEDED(rv)); + return static_cast<ExtContentPolicyType>(result); + } + +%} + + + /** + * The internal contentPolicyType of the channel, used for constructing + * RequestContext values when creating a fetch event for an intercepted + * channel. + * + * This should not be used for the purposes of security checks, since + * the content policy implementations cannot be expected to deal with + * _INTERNAL_ values. Please use the contentPolicyType attribute above + * for that purpose. + */ + [noscript, notxpcom, nostdcall, binaryname(InternalContentPolicyType)] + nsContentPolicyType binaryInternalContentPolicyType(); + + readonly attribute nsContentPolicyType internalContentPolicyType; + + /** + * Returns true if document or any of the documents ancestors + * up to the toplevel document make use of the CSP directive + * 'block-all-mixed-content'. + * + * Warning: If the loadingDocument is null, then the + * blockAllMixedContent is false. + */ + [infallible] readonly attribute boolean blockAllMixedContent; + + /** + * Returns true if document or any of the documents ancestors + * up to the toplevel document make use of the CSP directive + * 'upgrade-insecure-requests'. + * + * Warning: If the loadingDocument is null, then the + * upgradeInsecureRequests is false. + */ + [infallible] readonly attribute boolean upgradeInsecureRequests; + + /** + * Returns true if the the page is https and the content is upgradable from http + * requires 'security.mixed_content.upgrade_display_content' pref to be true. + * Currently this only upgrades display content but might be expanded to other loads. + * This is very similar in implementation to upgradeInsecureRequests but browser set. + */ + [infallible] readonly attribute boolean browserUpgradeInsecureRequests; + + /** + * Returns true if the display content was or will get upgraded from http to https. + * Requires 'security.mixed_content.upgrade_display_content' pref to be true. + * Flag is set purely to collect telemetry. + */ + [infallible] attribute boolean browserDidUpgradeInsecureRequests; + + /** + * Returns true if the the page is https and the content is upgradable from http + * requires 'security.mixed_content.upgrade_display_content' pref to be false. + * See browserUpgradeInsecureRequests for more details, this only happens + * when *not* upgrading purely for telemetry. + */ + [infallible] readonly attribute boolean browserWouldUpgradeInsecureRequests; + + /** + * If true, toplevel data: URI navigation is allowed + */ + [infallible] attribute boolean forceAllowDataURI; + + /** + * If true, insecure redirects to a data: URI are allowed. + */ + [infallible] attribute boolean allowInsecureRedirectToDataURI; + + /** + * If true, the content policy security check is excluded from web requests. + */ + [infallible] attribute boolean skipContentPolicyCheckForWebRequest; + + /** + * If true, this is the load of a frame's original src attribute + */ + [infallible] attribute boolean originalFrameSrcLoad; + + /** + * The SEC_FORCE_INHERIT_PRINCIPAL flag may be dropped when a load info + * object is created. Specifically, it will be dropped if the SANDBOXED_ORIGIN + * sandbox flag is also present. This flag is set if SEC_FORCE_INHERIT_PRINCIPAL + * was dropped. + */ + [infallible] readonly attribute boolean forceInheritPrincipalDropped; + + /** + * This is the inner window ID of the window in which the element being + * loaded lives. + * + * Note that this window ID can be 0 if the window is not + * available. + */ + [infallible] readonly attribute unsigned long long innerWindowID; + + /** + * The BrowsingContext performing the load for this nsILoadInfo object. + */ + [infallible] readonly attribute unsigned long long browsingContextID; + [infallible] readonly attribute BrowsingContext browsingContext; + + /** + * The BrowsingContext which the worker is associated. + * + * Note that this could be 0 if the load is not triggered in a WorkerScope. + * This value is only set and used in the parent process for some sitautions + * the channel is created in the parent process for Workers. Such as fetch(). + * In content process, it is always 0. + * This value would not be propagated through IPC. + */ + [infallible] attribute unsigned long long workerAssociatedBrowsingContextID; + [infallible] readonly attribute BrowsingContext workerAssociatedBrowsingContext; + + /** + * Only when the element being loaded is <frame src="foo.html"> + * (or, more generally, if the element QIs to nsFrameLoaderOwner), + * the frameBrowsingContext is the browsing context containing the + * foo.html document. + * + * Note: For other cases, frameBrowsingContextID is 0. + */ + [infallible] readonly attribute unsigned long long frameBrowsingContextID; + [infallible] readonly attribute BrowsingContext frameBrowsingContext; + + /** + * If the element being loaded is a nsFrameLoaderOwner, + * `targetBrowsingContext` is the Browsing Context which will contain the + * loading document (see `frameBrowsingContext`). Otherwise, it is the + * Browsing Context performing the load (see `browsingContext`). + */ + [infallible] readonly attribute unsigned long long targetBrowsingContextID; + [infallible] readonly attribute BrowsingContext targetBrowsingContext; + + /** + * Resets the PrincipalToInherit to a freshly created NullPrincipal + * which inherits the origin attributes from the loadInfo. + * + * WARNING: Please only use that function if you know exactly what + * you are doing!!! + */ + void resetPrincipalToInheritToNullPrincipal(); + + /** + * Customized OriginAttributes within LoadInfo to allow overwriting of the + * default originAttributes from the loadingPrincipal. + * + * In chrome side, originAttributes.privateBrowsingId will always be 0 even if + * the usePrivateBrowsing is true, because chrome docshell won't set + * privateBrowsingId on origin attributes (See bug 1278664). This is to make + * sure nsILoadInfo and nsILoadContext have the same origin attributes. + */ + [implicit_jscontext, binaryname(ScriptableOriginAttributes)] + attribute jsval originAttributes; + + [noscript, nostdcall, binaryname(GetOriginAttributes)] + OriginAttributes binaryGetOriginAttributes(); + + [noscript, nostdcall, binaryname(SetOriginAttributes)] + void binarySetOriginAttributes(in const_OriginAttributesRef aOriginAttrs); + +%{ C++ + inline mozilla::OriginAttributes GetOriginAttributes() + { + mozilla::OriginAttributes result; + mozilla::DebugOnly<nsresult> rv = GetOriginAttributes(&result); + MOZ_ASSERT(NS_SUCCEEDED(rv)); + return result; + } +%} + + /** + * Whenever a channel is evaluated by the ContentSecurityManager + * the first time, we set this flag to true to indicate that + * subsequent calls of AsyncOpen() do not have to enforce all + * security checks again. E.g., after a redirect there is no + * need to set up CORS again. We need this separate flag + * because the redirectChain might also contain internal + * redirects which might pollute the redirectChain so we can't + * rely on the size of the redirectChain-array to query whether + * a channel got redirected or not. + * + * Please note, once the flag is set to true it must remain true + * throughout the lifetime of the channel. Trying to set it + * to anything else than true will be discarded. + * + */ + [infallible] attribute boolean initialSecurityCheckDone; + + /** + * Returns true if the load was triggered from an external application + * (e.g. Thunderbird). Please note that this flag will only ever be true + * if the load is of TYPE_DOCUMENT. + */ + [infallible] attribute boolean loadTriggeredFromExternal; + + /** + * True if the tainting has been set by the service worker. + */ + [noscript, infallible] readonly attribute boolean serviceWorkerTaintingSynthesized; + + /** + * Whenever a channel gets redirected, append the redirect history entry of + * the channel which contains principal referrer and remote address [before + * the channels got redirected] to the loadinfo, so that at every point this + * array provides us information about all the redirects this channel went + * through. + * @param channelToDeriveFrom the channel being redirected + * @param aIsInternalRedirect should be true if the channel is going + * through an internal redirect, otherwise false. + */ + void appendRedirectHistoryEntry(in nsIChannel channelToDeriveFrom, + in boolean isInternalRedirect); + + /** + * An array of nsIRedirectHistoryEntry which stores redirects associated + * with this channel. This array is filled whether or not the channel has + * ever been opened. The last element of the array is associated with the + * most recent redirect. Please note, that this array *includes* internal + * redirects. + */ + [implicit_jscontext] + readonly attribute jsval redirectChainIncludingInternalRedirects; + + /** + * A C++-friendly version of redirectChain. + * Please note that this array has the same lifetime as the + * loadInfo object - use with caution! + */ + [noscript, notxpcom, nostdcall, binaryname(RedirectChainIncludingInternalRedirects)] + nsIRedirectHistoryEntryArray binaryRedirectChainIncludingInternalRedirects(); + + /** + * Same as RedirectChain but does *not* include internal redirects. + */ + [implicit_jscontext] + readonly attribute jsval redirectChain; + + /** + * A C++-friendly version of redirectChain. + * Please note that this array has the same lifetime as the + * loadInfo object - use with caution! + */ + [noscript, notxpcom, nostdcall, binaryname(RedirectChain)] + nsIRedirectHistoryEntryArray binaryRedirectChain(); + + /** + * This array is only filled out when we are in the parent process and we are + * creating a loadInfo object or deserializing LoadInfoArgs into LoadInfo, + * as we ever only need in the parent process. + * + * The array is meant to be a list of principals of the documents that the + * browsing context, corresponding to this loadInfo object, is "nested through" in + * the sense of + * <https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-nested-through>. + * Note that the array does not include the principal corresponding to the frame + * loading this request. The closest ancestor is at index zero and the top level + * ancestor is at the last index. + * + * If this is a toplevel content browsing context (i.e. toplevel document in spec + * terms), the list is empty. + * + * Otherwise the array is a list for the document we're nested through (again in + * the spec sense), with the principal of that document prepended. The + * ancestorPrincipals[0] entry for an iframe load will be the principal of the + * iframe element's owner document. The ancestorPrincipals[0] entry for an image + * loaded in an iframe will be the principal of the iframe element's owner + * document. This matches the ordering specified for Location.ancestorOrigins. + * + * Please note that this array has the same lifetime as the loadInfo object - use + * with caution! + */ + [noscript, notxpcom, nostdcall] + PrincipalArrayRef AncestorPrincipals(); + + /** + * An array of BrowsingContext IDs which correspond to nsILoadInfo::AncestorPrincipals + * above. AncestorBrowsingContextIDs[0] is the BrowsingContext ID of the frame + * associated with the principal at ancestorPrincipals[0], and so forth. + * + * Please note that this array has the same lifetime as the + * loadInfo object - use with caution! + */ + [noscript, notxpcom, nostdcall] + Uint64ArrayRef AncestorBrowsingContextIDs(); + + /** + * Sets the list of unsafe headers according to CORS spec, as well as + * potentially forces a preflight. + * Note that you do not need to set the Content-Type header. That will be + * automatically detected as needed. + * + * Only call this function when using the SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT mode. + */ + [noscript, notxpcom, nostdcall] + void setCorsPreflightInfo(in CStringArrayRef unsafeHeaders, + in boolean forcePreflight); + + /** + * A C++-friendly getter for the list of cors-unsafe headers. + * Please note that this array has the same lifetime as the + * loadInfo object - use with caution! + */ + [noscript, notxpcom, nostdcall, binaryname(CorsUnsafeHeaders)] + CStringArrayRef corsUnsafeHeaders(); + + /** + * Returns value set through setCorsPreflightInfo. + */ + [infallible] readonly attribute boolean forcePreflight; + + /** + * A C++ friendly getter for the forcePreflight flag. + */ + [infallible] readonly attribute boolean isPreflight; + + /** + * Constants reflecting the channel tainting. These are mainly defined here + * for script. Internal C++ code should use the enum defined in LoadTainting.h. + * See LoadTainting.h for documentation. + */ + const unsigned long TAINTING_BASIC = 0; + const unsigned long TAINTING_CORS = 1; + const unsigned long TAINTING_OPAQUE = 2; + + /** + * Determine the associated channel's current tainting. Note, this can + * change due to a service worker intercept, so it should be checked after + * OnStartRequest() fires. + */ + readonly attribute unsigned long tainting; + + /** + * Note a new tainting level and possibly increase the current tainting + * to match. If the tainting level is already greater than the given + * value, then there is no effect. It is not possible to reduce the tainting + * level on an existing channel/loadinfo. + */ + void maybeIncreaseTainting(in unsigned long aTainting); + + /** + * Various helper code to provide more convenient C++ access to the tainting + * attribute and maybeIncreaseTainting(). + */ +%{C++ + static_assert(TAINTING_BASIC == static_cast<uint32_t>(mozilla::LoadTainting::Basic), + "basic tainting enums should match"); + static_assert(TAINTING_CORS == static_cast<uint32_t>(mozilla::LoadTainting::CORS), + "cors tainting enums should match"); + static_assert(TAINTING_OPAQUE == static_cast<uint32_t>(mozilla::LoadTainting::Opaque), + "opaque tainting enums should match"); + + mozilla::LoadTainting GetTainting() + { + uint32_t tainting = TAINTING_BASIC; + MOZ_ALWAYS_SUCCEEDS(GetTainting(&tainting)); + return static_cast<mozilla::LoadTainting>(tainting); + } + + void MaybeIncreaseTainting(mozilla::LoadTainting aTainting) + { + uint32_t tainting = static_cast<uint32_t>(aTainting); + MOZ_ALWAYS_SUCCEEDS(MaybeIncreaseTainting(tainting)); + } +%} + + /** + * Returns true if this load is for top level document. + * Note that the load for a sub-frame's document will return false here. + */ + [infallible] readonly attribute boolean isTopLevelLoad; + + /** + * If this is non-null, this property represents two things: (1) the + * URI to be used for the principal if the channel with this loadinfo + * gets a principal based on URI and (2) the URI to use for a document + * created from the channel with this loadinfo. + */ + attribute nsIURI resultPrincipalURI; + + /** + * This is the URI used to create the most recent channel in the load's + * redirect chain, if it's different from channel's `originalURI`. + * This is always null for loads not handled by DocumentLoadListener. If + * non-null, channelCreationOriginalURI will be used instead of channel's + * originalURI to re-create the channel in the final content process selected + * to perform the load. + */ + attribute nsIURI channelCreationOriginalURI; + + /** + * Returns a unique nsID used to construct the null principal for the + * resulting resource if the SANDBOXED_ORIGIN flag is set. This is used by + * GetChannelResultPrincipal() to ensure that the same null principal is + * returned every time. + */ + [noscript, nostdcall, notxpcom] + nsIDRef GetSandboxedNullPrincipalID(); + + /** + * Generates a new nsID to be returned by a future call to + * `GetSandboxedNullPrincipalID()`. + */ + [noscript, nostdcall, notxpcom] + void ResetSandboxedNullPrincipalID(); + + /** + * Return the top-level principal, which is the principal of the top-level + * window. + */ + [notxpcom, nostdcall] readonly attribute nsIPrincipal topLevelPrincipal; + + /** + * Note which client (i.e. global) initiated this network request. All + * nsGlobalWindow and WorkerPrivate can be converted to a ClientInfo to + * be set here. While this is being added to support service worker + * FetchEvent, it can also be used to communicate other information about + * the source global context in the future. + */ + [noscript, nostdcall, notxpcom] + void SetClientInfo(in const_ClientInfoRef aClientInfo); + + /** + * Get the ClientInfo for the global that initiated the network request, + * if it has been set. + */ + [noscript, nostdcall, notxpcom] + const_MaybeClientInfoRef GetClientInfo(); + + /** + * Give a pre-allocated ClientSource to the channel LoadInfo. This is + * intended to be used by docshell when loading windows without an + * initial about:blank document. The docshell will allocate the ClientSource + * to represent the client that will be created as a result of the navigation + * network request. If the channel succeeds and remains same-origin, then + * the result nsGlobalWindow will take ownership of the reserved ClientSource. + * + * This method is also called when a cross-origin redirect occurs. A new + * ClientSource with a different UUID must be created in this case. + * + * This method automatically calls SetReservedClientInfo() with the + * ClientSource::Info(). + */ + [noscript, nostdcall, notxpcom] + void GiveReservedClientSource(in UniqueClientSourceMove aClientSource); + + /** + * This method takes ownership of the reserved ClientSource previously + * provided in GiveReservedClientSource(). It may return nullptr if the + * nsILoadInfo does not own a ClientSource object. + */ + [noscript, nostdcall, notxpcom] + UniqueClientSource TakeReservedClientSource(); + + /** + * Note the reserved client that be created if this non-subresource + * network request succeeds. Depending on the type of client this + * may be called directly or indirectly via GiveReservedClientSource(). + * For example, web workers do not call give their ClientSource to + * the nsILoadInfo, but must still call this method to indicate the + * reserved client for their main script load. + */ + [noscript, nostdcall, notxpcom] + void SetReservedClientInfo(in const_ClientInfoRef aClientInfo); + + /** + * This will clear any existing reserved or initial client and override + * it with the given reserved client. This is similar to calling + * TakeReservedClientSource() and then GiveReservedClientSource() with + * a new client as ClientChannelHelper does. This method is needed, + * though, to perform this operation in the parent process where + * the LoadInfo does not have direct access to a ClientSource. + * + * If in doubt, do not call this method. Its really only needed for + * a specific redirect case where the child has created a new client on + * redirect and we need to override the parent side's reserved client + * to match. + */ + [noscript, nostdcall, notxpcom] + void OverrideReservedClientInfoInParent(in const_ClientInfoRef aClientInfo); + + /** + * Return the reserved ClientInfo for this load, if one has been set. + */ + [noscript, nostdcall, notxpcom] + const_MaybeClientInfoRef GetReservedClientInfo(); + + /** + * Note that this non-subresource network request will result in + * re-using an existing "initial" active client. This mainly only + * happens when an initial about:blank document is replaced with + * a real load in a window. In these cases we need to track this + * initial client so that we may report its existence in a FetchEvent. + * + * Note, an nsILoadInfo may only have a reserved client or an + * initial client. It should never have both. + */ + [noscript, nostdcall, notxpcom] + void SetInitialClientInfo(in const_ClientInfoRef aClientInfo); + + /** + * Return the initial ClientInfo for this load, if one has been set. + */ + [noscript, nostdcall, notxpcom] + const_MaybeClientInfoRef GetInitialClientInfo(); + + /** + * Note that this network request should be controlled by a service worker. + * For non-subresource requests this may be set during the load when + * the first service worker interception occurs. For subresource requests + * it may be set by the source client if its already controlled by a + * service worker. + */ + [noscript, nostdcall, notxpcom] + void SetController(in const_ServiceWorkerDescriptorRef aServiceWorker); + + /** + * Clear the service worker controller for this channel. This should only + * be used for window navigation redirects. By default we want to keep + * the controller in all other cases. + */ + [noscript, nostdcall, notxpcom] + void ClearController(); + + /** + * Get the service worker controlling this network request, if one has + * been set. + */ + [noscript, nostdcall, notxpcom] + const_MaybeServiceWorkerDescriptorRef GetController(); + + /** + * Set a custom performance storage. This is meant to be executed only for + * workers. If a PerformanceStorage is not set, the loadingDocument->Window + * Performance object will be returned instead. + */ + [noscript, nostdcall, notxpcom] + void SetPerformanceStorage(in PerformanceStoragePtr aPerformanceStorage); + + /** + * Get the custom PerformanceStorage if set by SetPerformanceStorage. + * Otherwise the loadingDocument->Window Performance object will be returned + * instead if all the following conditions are met: + * - the triggeringPrincipal is the same as the loadingDocument's principal. + * - if the external content policy type is TYPE_SUBDOCUMENT then loading + * wasn't caused by processing the attributes of the browsing context + * container. + */ + [noscript, nostdcall, notxpcom] + PerformanceStoragePtr GetPerformanceStorage(); + + /** + * Returns the CSP (or Preload CSP for preloads) which should be enforced + * when fetching the resource this loadinfo belongs to. + * + * a) Non-navigations: + * For non-navigation loads, GetCsp() returns what the spec refers to as the + * "request's client's global object's CSP list". In practice, if this is the + * loadinfo of a subresource load (e.g an image load), then GetCsp() or + * GetPreloadCSP() returns the CSP of the document which embeds the image. + * The returned CSP includes any policy delivered through the HTTP header or + * also through the meta tag (modulo the difference for preloads, e.g. image + * preloads have to query GetPreloadCsp() because at the time of preloading + * we are not entirely sure if the Meta CSP will be applied to the document + * in the end or not). Please note that GetCSPToInherit() called on a + * loadinfo for any non-navigation always returns null. + * + * b) Navigations: + * * Top-level loads: + * For top-level loads (navigations) GetCsp() will return null, unless + * the navigation is started by a WebExtension, in which case it will + * return the CSP of the webextension, if any. + * If you need to query the CSP that potentially should apply to the + * new top-level load, you have to query GetCspToInherit(), which is + * the CSP of the request's client's global object, just like GetCsp() + * is for non-navigation requests. + * + * * Iframe-loads: + * For iframe-loads (navigations) GetCsp() will return the CSP of the + * parent document, unless the navigation is started by a WebExtension, + * in which case it will return the CSP of the webextension, if any. + * + * If you need to query the CSP that should potentially be inherited + * into the new document, you have to query GetCSPToInherit(). + * + * TODO Bug 1557114: + * After evaluating what CSP to use for frame navigations we should + * update the above documentation to match the outcome of Bug 1557114. + */ + [notxpcom,nostdcall] CSPRef GetCsp(); + [notxpcom,nostdcall] CSPRef GetPreloadCsp(); + [notxpcom,nostdcall] CSPRef GetCspToInherit(); + + /** + * The service worker and fetch specifications require returning the + * exact tainting level of the Response passed to FetchEvent.respondWith(). + * This method allows us to override the tainting level in that case. + * + * NOTE: This should not be used outside of service worker code! Use + * nsILoadInfo::MaybeIncreaseTainting() instead. + */ + [noscript, nostdcall, notxpcom] + void SynthesizeServiceWorkerTainting(in LoadTainting aTainting); + + /** + * The top-level document has been user-interacted. + */ + [infallible] attribute boolean documentHasUserInteracted; + + /** + * During a top-level document channel redirect from tracking to + * non-tracking resources, our anti-tracking heuristic, grants the storage + * access permission for a short amount of seconds (See + * privacy.restrict3rdpartystorage.expiration_redirect pref). + * We use this flag to remember this decision even if this channel is part + * of a chain of redirects. + */ + [infallible] attribute boolean allowListFutureDocumentsCreatedFromThisRedirectChain; + + /** + * Indicates that we need to check if we should apply the anti-tracking + * heuristic after the channel has been classified. + */ + [infallible] attribute boolean needForCheckingAntiTrackingHeuristic; + + /** + * A snapshot of the nonce at load start time which is used for CSP + * checks and only set for: + * * TYPE_SCRIPT and + * * TYPE_STYLESHEET + */ + attribute AString cspNonce; + + // Subresource Integrity (SRI) metadata. + attribute AString integrityMetadata; + + /** + * List of possible reasons the request associated with this load info + * may have been blocked, set by various content blocking checkers. + */ + const uint32_t BLOCKING_REASON_NONE = 0; + const uint32_t BLOCKING_REASON_CORSDISABLED = 1001; + const uint32_t BLOCKING_REASON_CORSDIDNOTSUCCEED = 1002; + const uint32_t BLOCKING_REASON_CORSREQUESTNOTHTTP = 1003; + const uint32_t BLOCKING_REASON_CORSMULTIPLEALLOWORIGINNOTALLOWED = 1004; + const uint32_t BLOCKING_REASON_CORSMISSINGALLOWORIGIN = 1005; + const uint32_t BLOCKING_REASON_CORSNOTSUPPORTINGCREDENTIALS = 1006; + const uint32_t BLOCKING_REASON_CORSALLOWORIGINNOTMATCHINGORIGIN = 1007; + const uint32_t BLOCKING_REASON_CORSMISSINGALLOWCREDENTIALS = 1008; + const uint32_t BLOCKING_REASON_CORSORIGINHEADERNOTADDED = 1009; + const uint32_t BLOCKING_REASON_CORSEXTERNALREDIRECTNOTALLOWED = 1010; + const uint32_t BLOCKING_REASON_CORSPREFLIGHTDIDNOTSUCCEED = 1011; + const uint32_t BLOCKING_REASON_CORSINVALIDALLOWMETHOD = 1012; + const uint32_t BLOCKING_REASON_CORSMETHODNOTFOUND = 1013; + const uint32_t BLOCKING_REASON_CORSINVALIDALLOWHEADER = 1014; + const uint32_t BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT = 1015; + const uint32_t BLOCKING_REASON_CLASSIFY_MALWARE_URI = 2001; + const uint32_t BLOCKING_REASON_CLASSIFY_PHISHING_URI = 2002; + const uint32_t BLOCKING_REASON_CLASSIFY_UNWANTED_URI = 2003; + const uint32_t BLOCKING_REASON_CLASSIFY_TRACKING_URI = 2004; + const uint32_t BLOCKING_REASON_CLASSIFY_BLOCKED_URI = 2005; + const uint32_t BLOCKING_REASON_CLASSIFY_HARMFUL_URI = 2006; + const uint32_t BLOCKING_REASON_CLASSIFY_CRYPTOMINING_URI = 2007; + const uint32_t BLOCKING_REASON_CLASSIFY_FINGERPRINTING_URI = 2008; + const uint32_t BLOCKING_REASON_CLASSIFY_SOCIALTRACKING_URI = 2009; + const uint32_t BLOCKING_REASON_CLASSIFY_EMAILTRACKING_URI = 2010; + const uint32_t BLOCKING_REASON_MIXED_BLOCKED = 3001; + // The general reason comes from nsCSPContext::permitsInternal(), + // which is way too generic to distinguish an exact reason. + const uint32_t BLOCKING_REASON_CONTENT_POLICY_GENERAL = 4000; + const uint32_t BLOCKING_REASON_CONTENT_POLICY_NO_DATA_PROTOCOL = 4001; + // removed 4002 + const uint32_t BLOCKING_REASON_CONTENT_POLICY_CONTENT_BLOCKED = 4003; + const uint32_t BLOCKING_REASON_CONTENT_POLICY_DATA_DOCUMENT = 4004; + const uint32_t BLOCKING_REASON_CONTENT_POLICY_WEB_BROWSER = 4005; + const uint32_t BLOCKING_REASON_CONTENT_POLICY_PRELOAD = 4006; + // The reason used when SEC_REQUIRE_SAME_ORIGIN_* is set and not satisifed. + const uint32_t BLOCKING_REASON_NOT_SAME_ORIGIN = 5000; + // The reason used when an extension cancels the request via the WebRequest api. + const uint32_t BLOCKING_REASON_EXTENSION_WEBREQUEST = 6000; + // The reason used when a request is cancelled via WebDriver BiDi network interception. + const uint32_t BLOCKING_REASON_WEBDRIVER_BIDI = 7000; + + /** + * If the request associated with this load info was blocked by some of + * our content or load blockers, the reason can be found here. + * Note that setting this attribute has NO EFFECT on blocking the request. + * This attribute is only informative! + * + * By default the value is '0' - NONE. + * Each write rewrites the last value. + * Can be accessed only on a single thread. + */ + [infallible] attribute unsigned long requestBlockingReason; + + /** + * The object in charged to receive CSP violation events. It can be null. + * This attribute will be merged into the CSP object eventually. + * See bug 1500908. + */ + attribute nsICSPEventListener cspEventListener; + + /** + * This attribute will be true if this is a load triggered by + * https://html.spec.whatwg.org/multipage/iframe-embed-object.html#process-the-iframe-attributes + * or https://html.spec.whatwg.org/multipage/obsolete.html#process-the-frame-attributes + */ + [infallible] readonly attribute boolean isFromProcessingFrameAttributes; + + cenum CrossOriginOpenerPolicy : 8 { + OPENER_POLICY_UNSAFE_NONE = 0, + OPENER_POLICY_SAME_ORIGIN = 1, + OPENER_POLICY_SAME_ORIGIN_ALLOW_POPUPS = 2, + OPENER_POLICY_EMBEDDER_POLICY_REQUIRE_CORP_FLAG = 0x10, + OPENER_POLICY_SAME_ORIGIN_EMBEDDER_POLICY_REQUIRE_CORP = + OPENER_POLICY_SAME_ORIGIN | + OPENER_POLICY_EMBEDDER_POLICY_REQUIRE_CORP_FLAG + }; + + cenum CrossOriginEmbedderPolicy : 8 { + EMBEDDER_POLICY_NULL = 0, + EMBEDDER_POLICY_REQUIRE_CORP = 1, + EMBEDDER_POLICY_CREDENTIALLESS = 2, + }; + + /** + * This attribute is the loading context's cross origin embedder policy. + * The value is initialized with corresponding WindowContext which get by + * innerWindowIID in the nsILoadInfo. + * It also could be set by workers when fetch is called under + * the workers' scope. + */ + [infallible] attribute nsILoadInfo_CrossOriginEmbedderPolicy + loadingEmbedderPolicy; + + /** + * This attribute will be true if the top level document has COEP: + * credentialless enabled in Origin Trial. + */ + [infallible] attribute boolean isOriginTrialCoepCredentiallessEnabledForTopLevel; + /** + * This attribute will be true if this is a load triggered by a media + * element. + */ + [infallible] attribute boolean isMediaRequest; + + /** + * This attribute will be true if this is a load triggered by a media + * element and it's an initial request. + */ + [infallible] attribute boolean isMediaInitialRequest; + + /** + * This attribute will be true if the fetch request is from object or embed + * elements + */ + [infallible] attribute boolean isFromObjectOrEmbed; + + /** + * This attribute will be true if the URL is known to be possibly broken and + * CheckForBrokenChromeURL and RecordZeroLengthEvent should be skipped. + */ + [infallible] readonly attribute boolean shouldSkipCheckForBrokenURLOrZeroSized; + + /** + * If this is non-null, this property holds the URI as it was before query + * stripping was performed. + */ + attribute nsIURI unstrippedURI; + + /** + * Propagated information from InterceptedHttpChannel + * It should be null when the channel is not created from FetchEvent.request + * or ServiceWorker NavigationPreload. + * nsIFetchEventInfo is C++ only, so it is not an attribute. + */ + [noscript, notxpcom, nostdcall, binaryname(InterceptionInfo)] + nsIInterceptionInfo binaryInterceptionInfo(); + + [noscript, notxpcom, nostdcall, binaryname(SetInterceptionInfo)] + void binarySetInterceptionInfo(in nsIInterceptionInfo info); + + /** + * Whether nsICookieInjector has injected a cookie for this request to + * handle a cookie banner. This is only done for top-level requests. + */ + [infallible] attribute boolean hasInjectedCookieForCookieBannerHandling; + + /** + * Whether the load has gone through the URL bar, where the fixup had to add * the protocol scheme. + */ + [infallible] attribute boolean wasSchemelessInput; +}; |