Diffstat (limited to 'security/manager/ssl/nsISiteSecurityService.idl')
-rw-r--r--security/manager/ssl/nsISiteSecurityService.idl145
1 files changed, 145 insertions, 0 deletions
diff --git a/security/manager/ssl/nsISiteSecurityService.idl b/security/manager/ssl/nsISiteSecurityService.idl
new file mode 100644
index 0000000000..882dbb78ad
--- /dev/null
+++ b/security/manager/ssl/nsISiteSecurityService.idl
@@ -0,0 +1,145 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIURI;
+
+[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes);
+
+[scriptable, uuid(275127f8-dbd7-4681-afbf-6df0c6587a01)]
+interface nsISiteSecurityService : nsISupports
+{
+ const uint32_t Success = 0;
+ const uint32_t ERROR_UNKNOWN = 1;
+ // ERROR_UNTRUSTWORTHY_CONNECTION was 2 (the caller is now responsible for
+ // checking this)
+ const uint32_t ERROR_COULD_NOT_PARSE_HEADER = 3;
+ const uint32_t ERROR_NO_MAX_AGE = 4;
+ const uint32_t ERROR_MULTIPLE_MAX_AGES = 5;
+ const uint32_t ERROR_INVALID_MAX_AGE = 6;
+ const uint32_t ERROR_MULTIPLE_INCLUDE_SUBDOMAINS = 7;
+ const uint32_t ERROR_INVALID_INCLUDE_SUBDOMAINS = 8;
+ // The constants that were removed below were used in HPKP processing
+ // (which has been removed entirely).
+ // ERROR_INVALID_PIN was 9
+ // ERROR_MULTIPLE_REPORT_URIS was 10
+ // ERROR_PINSET_DOES_NOT_MATCH_CHAIN was 11
+ // ERROR_NO_BACKUP_PIN was 12
+ const uint32_t ERROR_COULD_NOT_SAVE_STATE = 13;
+ // ERROR_ROOT_NOT_BUILT_IN was 14
+
+ /**
+ * Parses a given HTTP header and records the results internally.
+ * Currently one header type is supported: HSTS (aka STS).
+ * The format of the HSTS header is defined by the HSTS specification:
+ * https://tools.ietf.org/html/rfc6797
+ * and allows a host to specify that future HTTP requests should be
+ * upgraded to HTTPS.
+ * The caller is responsible for first determining that the header was
+ * delivered via a trustworthy connection (namely, https with no errors).
+ *
+ * @param aSourceURI the URI of the resource with the HTTP header.
+ * @param aHeader the HTTP response header specifying security data.
+ * @param aOriginAttributes the origin attributes that isolate this origin,
+ * (note that this implementation does not isolate
+ * by userContextId because of the risk of man-in-
+ * the-middle attacks before trust-on-second-use
+ * happens).
+ * If mPrivateBrowsingId > 0, information gathered
+ * from this header will not be saved persistently.
+ * @param aMaxAge the parsed max-age directive of the header.
+ * @param aIncludeSubdomains the parsed includeSubdomains directive.
+ * @param aFailureResult a more specific failure result if NS_ERROR_FAILURE
+ was returned.
+ * @return NS_OK if it succeeds
+ * NS_ERROR_FAILURE if it can't be parsed
+ * NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA
+ * if there are unrecognized tokens in the header.
+ */
+ [binaryname(ProcessHeader), noscript, must_use]
+ void processHeaderNative(in nsIURI aSourceURI,
+ in ACString aHeader,
+ in const_OriginAttributesRef aOriginAttributes,
+ [optional] out unsigned long long aMaxAge,
+ [optional] out boolean aIncludeSubdomains,
+ [optional] out uint32_t aFailureResult);
+
+ [binaryname(ProcessHeaderScriptable), implicit_jscontext, optional_argc,
+ must_use]
+ void processHeader(in nsIURI aSourceURI,
+ in ACString aHeader,
+ [optional] in jsval aOriginAttributes,
+ [optional] out unsigned long long aMaxAge,
+ [optional] out boolean aIncludeSubdomains,
+ [optional] out uint32_t aFailureResult);
+
+ // Helper enum for use with resetState.
+ cenum ResetStateBy : 8 {
+ // reset state for the exact domain
+ ExactDomain,
+ // reset state for any domain rooted by the given domain
+ // (e.g. foo.example.com if given example.com)
+ RootDomain,
+ // reset all state associated with the given base domain (e.g. data
+ // partitioned by total cookie protection)
+ BaseDomain,
+ };
+
+ /**
+ * Resets HSTS state a host, including the includeSubdomains state that
+ * would affect subdomains. This essentially removes the state for the
+ * domain tree rooted at this host. If any preloaded information is present
+ * for that host, that information will then be used instead of any other
+ * previously existing state.
+ *
+ * @param aURI the URI of the target host
+ * @param aOriginAttributes the origin attributes that isolate this origin,
+ * (note that this implementation does not isolate
+ * by userContextId because of the risk of man-in-
+ * the-middle attacks before trust-on-second-use
+ * happens).
+ * @param aScope The scope of state to reset. See ResetStateBy. Defaults
+ * to ExactDomain.
+ */
+ [implicit_jscontext, optional_argc, must_use]
+ void resetState(in nsIURI aURI,
+ [optional] in jsval aOriginAttributes,
+ [optional] in nsISiteSecurityService_ResetStateBy aScope);
+
+ /**
+ * Checks whether or not the URI's hostname has HSTS set.
+ * For example:
+ * The URI is an HSTS URI if either the host has the HSTS state set, or one
+ * of its super-domains has the HSTS "includeSubdomains" flag set.
+ * NOTE: this function makes decisions based only on the
+ * host contained in the URI, and disregards other portions of the URI
+ * such as path and port.
+ *
+ * @param aURI the URI to query for STS state.
+ * @param aOriginAttributes the origin attributes that isolate this origin,
+ * (note that this implementation does not isolate
+ * by userContextId because of the risk of man-in-
+ * the-middle attacks before trust-on-second-use
+ * happens).
+ */
+ [binaryname(IsSecureURI), noscript, must_use]
+ boolean isSecureURINative(in nsIURI aURI,
+ in const_OriginAttributesRef aOriginAttributes);
+
+ [binaryname(IsSecureURIScriptable), implicit_jscontext, optional_argc,
+ must_use]
+ boolean isSecureURI(in nsIURI aURI, [optional] in jsval aOriginAttributes);
+
+ /**
+ * Removes all non-preloaded HSTS state by resetting to factory-original
+ * settings.
+ */
+ [must_use]
+ void clearAll();
+};
+
+%{C++
+#define NS_SSSERVICE_CONTRACTID "@mozilla.org/ssservice;1"
+%}
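Review bot: The scriptable `processHeader` declaration has no doc comment of its own, so the precondition stated above `processHeaderNative` (the caller must first establish that the header arrived over https with no errors) is easy to miss for script callers. With `ERROR_UNTRUSTWORTHY_CONNECTION` retired, none of the remaining failure constants would report a violation. I would add a comment above it such as `// Scriptable variant of processHeaderNative; the same trustworthy-connection precondition applies.` and also say what an omitted `aOriginAttributes` means, here and on `isSecureURI`. Presumably it means default attributes, so state would not be treated as private-browsing state; that should be confirmed against the implementation. Separately, the `resetState` comment says it removes state for "the domain tree rooted at this host" while `aScope` is documented as defaulting to `ExactDomain`, so one of the two needs rewording, and "Resets HSTS state a host" is missing "for".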