summaryrefslogtreecommitdiffstats
path: root/netwerk/base/nsILoadInfo.idl
blob: 79fdcc5e4da3e86eb0ce7dfe1deb863241fc58ce (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 * vim: ft=cpp tw=78 sw=2 et ts=2 sts=2 cin
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"
#include "nsIContentPolicy.idl"
#include "nsIScriptSecurityManager.idl"
#include "nsIInterceptionInfo.idl"

interface nsIChannel;
interface nsIContentSecurityPolicy;
interface nsICookieJarSettings;
interface nsICSPEventListener;
interface nsINode;
interface nsIPrincipal;
interface nsIRedirectHistoryEntry;
interface nsIURI;
webidl Document;
webidl BrowsingContext;
native LoadContextRef(already_AddRefed<nsISupports>);
%{C++
#include "nsTArray.h"
#include "mozilla/LoadTainting.h"
#include "mozilla/OriginAttributes.h"
#include "mozilla/UniquePtr.h"
#include "nsStringFwd.h"

namespace mozilla {
namespace dom {
class ClientInfo;
class ClientSource;
class PerformanceStorage;
class ServiceWorkerDescriptor;
} // namespace dom
} // namespace mozilla
%}

[ref] native nsIRedirectHistoryEntryArray(const nsTArray<nsCOMPtr<nsIRedirectHistoryEntry>>);
native OriginAttributes(mozilla::OriginAttributes);
[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes);
[ref] native CStringArrayRef(const nsTArray<nsCString>);
[ref] native StringArrayRef(const nsTArray<nsString>);
[ref] native Uint64ArrayRef(const nsTArray<uint64_t>);
[ref] native PrincipalArrayRef(const nsTArray<nsCOMPtr<nsIPrincipal>>);
[ref] native const_ClientInfoRef(const mozilla::dom::ClientInfo);
      native UniqueClientSource(mozilla::UniquePtr<mozilla::dom::ClientSource>);
      native UniqueClientSourceMove(mozilla::UniquePtr<mozilla::dom::ClientSource>&&);
[ref] native const_MaybeClientInfoRef(const mozilla::Maybe<mozilla::dom::ClientInfo>);
[ref] native const_ServiceWorkerDescriptorRef(const mozilla::dom::ServiceWorkerDescriptor);
[ref] native const_MaybeServiceWorkerDescriptorRef(const mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor>);
[ptr] native PerformanceStoragePtr(mozilla::dom::PerformanceStorage);
      native LoadTainting(mozilla::LoadTainting);
      native CSPRef(already_AddRefed<nsIContentSecurityPolicy>);

typedef unsigned long nsSecurityFlags;

/**
 * The LoadInfo object contains information about a network load, why it
 * was started, and how we plan on using the resulting response.
 * If a network request is redirected, the new channel will receive a new
 * LoadInfo object. The new object will contain mostly the same
 * information as the pre-redirect one, but updated as appropriate.
 * For detailed information about what parts of LoadInfo are updated on
 * redirect, see documentation on individual properties.
 */
[scriptable, builtinclass, uuid(ddc65bf9-2f60-41ab-b22a-4f1ae9efcd36)]
interface nsILoadInfo : nsISupports
{
  /**
   * The following five flags determine the security mode and hence what kind of
   * security checks should be performed throughout the lifetime of the channel.
   *
   *    * SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT
   *    * SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED
   *    * SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT
   *    * SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL
   *    * SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT
   *
   * Exactly one of these flags are required to be set in order to allow
   * the channel to perform the correct security checks (SOP, CORS, ...) and
   * return the correct result principal. If none or more than one of these
   * flags are set AsyncOpen will fail.
   */

   /**
    * Warning: Never use this flag when creating a new channel!
    * Only use this flag if you have to create a temporary LoadInfo
    * for performing an explicit nsIContentPolicy check, like e.g.
    * when loading something from the cache that needs an explicit
    * nsIContentPolicy check. In all other cases pick one of the
    * security flags underneath.
    */
  const unsigned long SEC_ONLY_FOR_EXPLICIT_CONTENTSEC_CHECK = 0;

  /*
   * Enforce the same origin policy where loads inherit the principal.
   * See the documentation for principalToInherit, which describes exactly what
   * principal is inherited.
   */
  const unsigned long SEC_REQUIRE_SAME_ORIGIN_INHERITS_SEC_CONTEXT = (1<<0);

  /*
   * Enforce the same origin policy and data: loads are blocked.
   */
  const unsigned long SEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKED = (1<<1);

  /**
   * Allow loads from other origins. Loads which inherit the principal should
   * see the documentation for principalToInherit, which describes exactly what
   * principal is inherited.
   *
   * Commonly used by plain <img>, <video>, <link rel=stylesheet> etc.
   */
  const unsigned long SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT = (1 << 2);

  /**
   * Allow loads from other origins. Loads from data: will be allowed,
   * but the resulting resource will get a null principal.
   * Used in blink/webkit for <iframe>s. Likely also the mode
   * that should be used by most Chrome code.
   */
  const unsigned long SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL = (1<<3);

  /**
   * Allow loads from any origin, but require CORS for cross-origin loads.
   * See the documentation for principalToInherit, which describes exactly what
   * principal is inherited.
   *
   * Commonly used by <img crossorigin>, <video crossorigin>,
   * XHR, fetch(), etc.
   */
  const unsigned long SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT = (1<<4);

  /**
   * Choose cookie policy. The default policy is equivalent to "INCLUDE" for
   * SEC_REQUIRE_SAME_ORIGIN_* and SEC_ALLOW_CROSS_ORIGIN_* modes, and
   * equivalent to "SAME_ORIGIN" for SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT mode.
   *
   * This means that if you want to perform a CORS load with credentials, pass
   * SEC_COOKIES_INCLUDE.
   *
   * Note that these flags are still subject to the user's cookie policies.
   * For example, if the user is blocking 3rd party cookies, those cookies
   * will be blocked no matter which of these flags are set.
   */
  const unsigned long SEC_COOKIES_DEFAULT = (0 << 5);
  const unsigned long SEC_COOKIES_INCLUDE = (1 << 5);
  const unsigned long SEC_COOKIES_SAME_ORIGIN = (2 << 5);
  const unsigned long SEC_COOKIES_OMIT = (3 << 5);

  /**
   * Force inheriting of the principal.  See the documentation for
   * principalToInherit, which describes exactly what principal is inherited.
   *
   * Setting this flag will cause GetChannelResultPrincipal to return the
   * principal to be inherited as the channel principal.
   *
   * This will happen independently of the scheme of the URI that the
   * channel is loading.
   *
   * So if the principal that gets inherited is "http://a.com/", and the channel
   * is loading the URI "http://b.com/whatever", GetChannelResultPrincipal
   * will return a principal from "http://a.com/".
   *
   * This flag can not be used together with SANDBOXED_ORIGIN sandbox flag.  If
   * both are passed to the LoadInfo constructor then this flag will be dropped.
   * If you need to know whether this flag would have been present but was dropped
   * due to sandboxing, check for the forceInheritPrincipalDropped flag.
   */
  const unsigned long SEC_FORCE_INHERIT_PRINCIPAL = (1<<7);

  /**
   * Inherit the Principal for about:blank.
   */
  const unsigned long SEC_ABOUT_BLANK_INHERITS = (1<<9);

  /**
   * Allow access to chrome: packages that are content accessible.
   */
  const unsigned long SEC_ALLOW_CHROME = (1<<10);

  /**
   * Disallow access to javascript: uris.
   */
  const unsigned long SEC_DISALLOW_SCRIPT = (1<<11);

  /**
   * Don't follow redirects. Instead the redirect response is returned
   * as a successful response for the channel.
   *
   * Redirects not initiated by a server response, i.e. REDIRECT_INTERNAL and
   * REDIRECT_STS_UPGRADE, are still followed.
   *
   * Note: If this flag is set and the channel response is a redirect, then
   * the response body might not be available.
   * This can happen if the redirect was cached.
   */
  const unsigned long SEC_DONT_FOLLOW_REDIRECTS = (1<<12);

  /**
   * Load an error page, it should be one of following : about:neterror,
   * about:certerror, about:blocked, about:tabcrashed or about:restartrequired.
   */
  const unsigned long SEC_LOAD_ERROR_PAGE = (1<<13);

  /**
   * Force inheriting of the principal, overruling any owner that might be set
   * on the channel. (Please note that channel.owner is deprecated and will be
   * removed within Bug 1286838).  See the documentation for principalToInherit,
   * which describes exactly what principal is inherited.
   *
   * Setting this flag will cause GetChannelResultPrincipal to return the
   * principal to be inherited as the channel principal.
   *
   * This will happen independently of the scheme of the URI that the
   * channel is loading.
   */
  const unsigned long SEC_FORCE_INHERIT_PRINCIPAL_OVERRULE_OWNER = (1<<14);

  /**
   * This is the principal of the network request's caller/requester where
   * the resulting resource will be used. I.e. it is the principal which
   * will get access to the result of the request. (Where "get access to"
   * might simply mean "embed" depending on the type of resource that is
   * loaded).
   *
   * For example for an image, it is the principal of the document where
   * the image is rendered. For a stylesheet it is the principal of the
   * document where the stylesheet will be applied.
   *
   * So if document at http://a.com/page.html loads an image from
   * http://b.com/pic.jpg, then loadingPrincipal will be
   * http://a.com/page.html.
   *
   * For <iframe> and <frame> loads, the LoadingPrincipal is the
   * principal of the parent document. For top-level loads, the
   * LoadingPrincipal is null. For all loads except top-level loads
   * the LoadingPrincipal is never null.
   *
   * If the loadingPrincipal is the system principal, no security checks
   * will be done at all. There will be no security checks on the initial
   * load or any subsequent redirects. This means there will be no
   * nsIContentPolicy checks or any CheckLoadURI checks. Because of
   * this, never set the loadingPrincipal to the system principal when
   * the URI to be loaded is controlled by a webpage.
   * If the loadingPrincipal and triggeringPrincipal are both
   * content principals, then we will always call into
   * nsIContentPolicies and CheckLoadURI. The call to nsIContentPolicies
   * and CheckLoadURI happen even if the URI to be loaded is same-origin
   * with the loadingPrincipal or triggeringPrincipal.
   */
  readonly attribute nsIPrincipal loadingPrincipal;

  /**
   * A C++-friendly version of triggeringPrincipal.
   *
   * This is a bit awkward because we can't use
   * binaryname(GetLoadingPrincipal).
   */
  [noscript, notxpcom, nostdcall]
  nsIPrincipal virtualGetLoadingPrincipal();

%{C++
  nsIPrincipal* GetLoadingPrincipal() {
    return VirtualGetLoadingPrincipal();
  }
%}

  /**
   * This is the principal which caused the network load to start. I.e.
   * this is the principal which provided the URL to be loaded. This is
   * often the same as the LoadingPrincipal, but there are a few cases
   * where that's not true.
   *
   * For example for loads into an <iframe>, the LoadingPrincipal is always
   * the principal of the parent document. However the triggeringPrincipal
   * is the principal of the document which provided the URL that the
   * <iframe> is navigating to. This could be the previous document inside
   * the <iframe> which set document.location. Or a document elsewhere in
   * the frame tree which contained a <a target="..."> which targetted the
   * <iframe>.
   *
   * If a stylesheet links to a sub-resource, like an @imported stylesheet,
   * or a background image, then the triggeringPrincipal is the principal
   * of the stylesheet, while the LoadingPrincipal is the principal of the
   * document being styled.
   *
   * The triggeringPrincipal is never null.
   *
   * If the triggeringPrincipal is the system principal, no security checks
   * will be done at all. There will be no security checks on the initial
   * load or any subsequent redirects. This means there will be no
   * nsIContentPolicy checks or any CheckLoadURI checks. Because of
   * this, never set the triggeringPrincipal to the system principal when
   * the URI to be loaded is controlled by a webpage.
   * If the loadingPrincipal and triggeringPrincipal are both
   * content principals, then we will always call into
   * nsIContentPolicies and CheckLoadURI. The call to nsIContentPolicies
   * and CheckLoadURI happen even if the URI to be loaded is same-origin
   * with the loadingPrincipal or triggeringPrincipal.
   */
  readonly attribute nsIPrincipal triggeringPrincipal;

  /**
   * A C++-friendly version of triggeringPrincipal.
   */
  [noscript, notxpcom, nostdcall, binaryname(TriggeringPrincipal)]
  nsIPrincipal binaryTriggeringPrincipal();

  /**
   * The remote type of the process which caused the network load to start. I.e.
   * this is the remote type of the process which provided the URL to be loaded.
   *
   * For subresource loads, this should be the same as the process which will
   * handle the response, however for document loads this may both be different
   * than the final process, as well as different from the process which starts
   * the navigation.
   *
   * This field is intentionally not perfectly preserved over IPC, and will be
   * reset to the remote type of the sending process when sent from a content
   * process to the parent process.
   */
  attribute AUTF8String triggeringRemoteType;

  /**
   * For non-document loads the principalToInherit is always null. For
   * loads of type TYPE_DOCUMENT or TYPE_SUBDOCUMENT the principalToInherit
   * might be null. If it's non null, then this is the principal that is
   * inherited if a principal needs to be inherited. If the principalToInherit
   * is null but the inherit flag is set, then the triggeringPrincipal is
   * the principal that is inherited.
   */
  attribute nsIPrincipal principalToInherit;

  /**
   * A C++-friendly version of principalToInherit.
   */
  [noscript, notxpcom, nostdcall, binaryname(PrincipalToInherit)]
  nsIPrincipal binaryPrincipalToInherit();

  /**
   * Finds the correct principal to inherit for the given channel, based on
   * the values of PrincipalToInherit and TriggeringPrincipal.
   */
  [noscript, notxpcom, nostdcall]
  nsIPrincipal FindPrincipalToInherit(in nsIChannel aChannel);

  /**
   * This is the ownerDocument of the LoadingNode. Unless the LoadingNode
   * is a Document, in which case the LoadingDocument is the same as the
   * LoadingNode.
   *
   * For top-level loads, and for loads originating from workers, the
   * LoadingDocument is null. When the LoadingDocument is not null, the
   * LoadingPrincipal is set to the principal of the LoadingDocument.
   */
  readonly attribute Document loadingDocument;

  /**
   * A C++-friendly version of loadingDocument (loadingNode).
   * This is the Node where the resulting resource will be used. I.e. it is
   * the Node which will get access to the result of the request. (Where
   * "get access to" might simply mean "embed" depending on the type of
   * resource that is loaded).
   *
   * For example for an <img>/<video> it is the image/video element. For
   * document loads inside <iframe> and <frame>s, the LoadingNode is the
   * <iframe>/<frame> element. For an XMLHttpRequest, it is the Document
   * which contained the JS which initiated the XHR. For a stylesheet, it
   * is the Document that contains <link rel=stylesheet>.
   *
   * For loads triggered by the HTML pre-parser, the LoadingNode is the
   * Document which is currently being parsed.
   *
   * For top-level loads, and for loads originating from workers, the
   * LoadingNode is null. If the LoadingNode is non-null, then the
   * LoadingPrincipal is the principal of the LoadingNode.
   */
  [noscript, notxpcom, nostdcall, binaryname(LoadingNode)]
  nsINode binaryLoadingNode();

  /**
   * A C++ friendly version of the loadingContext for toplevel loads.
   * Most likely you want to query the ownerDocument or LoadingNode
   * and not this context only available for TYPE_DOCUMENT loads.
   * Please note that except for loads of TYPE_DOCUMENT, this
   * ContextForTopLevelLoad will always return null.
   */
  [noscript, notxpcom, nostdcall, binaryname(ContextForTopLevelLoad)]
  LoadContextRef binaryContextForTopLevelLoad();

  /**
   * For all loads except loads of TYPE_DOCUMENT, the loadingContext
   * simply returns the loadingNode. For loads of TYPE_DOCUMENT this
   * will return the context available for top-level loads which
   * do not have a loadingNode.
   */
  [binaryname(LoadingContextXPCOM)]
  readonly attribute nsISupports loadingContext;

  /**
   * A C++ friendly version of the loadingContext.
   */
  [noscript, notxpcom, nostdcall, binaryname(GetLoadingContext)]
  LoadContextRef binaryGetLoadingContext();

  /**
   * The securityFlags of that channel.
   */
  readonly attribute nsSecurityFlags securityFlags;

%{C++
  inline nsSecurityFlags GetSecurityFlags()
  {
    nsSecurityFlags result;
    mozilla::DebugOnly<nsresult> rv = GetSecurityFlags(&result);
    MOZ_ASSERT(NS_SUCCEEDED(rv));
    return result;
  }
%}

  /**
   * The sandboxFlags of that channel.
   */
  [infallible] readonly attribute unsigned long sandboxFlags;

  /**
  *   The TriggingSandboxFlags are the SandboxFlags of the entity
  *   responsible for causing the load to occur.
  */
  [infallible] attribute unsigned long triggeringSandboxFlags;

  /**
   * Allows to query only the security mode bits from above.
   */
  [infallible] readonly attribute unsigned long securityMode;

  /**
   * This flag is used for any browsing context where we should not sniff
   * the content type. E.g if an iframe has the XCTO nosniff header, then
   * that flag is set to true so we skip content sniffing for that browsing
   * context.
   */
  [infallible] attribute boolean skipContentSniffing;

  /**
   * (default) If this flag is set, it has not yet been determined if the
   * HTTPS-Only mode will upgrade the request.
   */
  const unsigned long HTTPS_ONLY_UNINITIALIZED = (1 << 0);

  /**
   * Indicates that the request will get upgraded, and the HTTPS-Only
   * StreamListener got registered.
   */
  const unsigned long HTTPS_ONLY_UPGRADED_LISTENER_NOT_REGISTERED = (1 << 1);

  /**
   * Indicates that this is the first time the request gets upgraded, and thus
   * the HTTPS-Only StreamListener hasn't been registered yet. Even though there
   * might be multiple channels per request that have to be upgraded (e.g.,
   * because of redirects), the StreamListener only has to be attached to one
   * channel.
   */
  const unsigned long HTTPS_ONLY_UPGRADED_LISTENER_REGISTERED = (1 << 2);

  /**
   * This flag can be manually set if the HTTPS-Only mode should exempt the
   * request and not upgrade it. (e.g in the case of OCSP.
   */
  const unsigned long HTTPS_ONLY_EXEMPT = (1 << 3);

  /**
   * This flag can only ever be set on top-level loads. It indicates
   * that the top-level https connection succeeded. This flag is mostly
   * used to counter time-outs which allows to cancel the channel
   * if the https load has not started.
   */
  const unsigned long HTTPS_ONLY_TOP_LEVEL_LOAD_IN_PROGRESS = (1 << 4);

   /**
   * This flag can only ever be set on downloads. It indicates
   * that the download https connection succeeded. This flag is mostly
   * used to counter time-outs which allows to cancel the channel
   * if the https load has not started.
   */
  const unsigned long HTTPS_ONLY_DOWNLOAD_IN_PROGRESS = (1 << 5);

  /**
   * This flag indicates that the request should not be logged to the
   * console.
   */
  const unsigned long HTTPS_ONLY_DO_NOT_LOG_TO_CONSOLE = (1 << 6);

  /**
   * This flag indicates that the request was upgraded by https-first mode.
   */
  const unsigned long HTTPS_ONLY_UPGRADED_HTTPS_FIRST = (1 << 7);

  /**
   * This flag indicates that the request should not be blocked by ORB.
   */
  const unsigned long HTTPS_ONLY_BYPASS_ORB = (1 << 8);

  /**
   * Upgrade state of HTTPS-Only Mode. The flag HTTPS_ONLY_EXEMPT can get
   * set on requests that should be excempt from an upgrade.
   */
  [infallible] attribute unsigned long httpsOnlyStatus;

  /**
   * Reflects whetehr this is an HTTP Strict Transport Security host
   */
[infallible] attribute boolean hstsStatus;

  /**
   * Returns true if at the time of the loadinfo construction the document
   * that triggered this load has the bit hasValidTransientUserGestureActivation
   * set or the load was triggered from External. (Mostly this bool is used
   * in the context of Sec-Fetch-User.)
   */
  [infallible] attribute boolean hasValidUserGestureActivation;

  /**
   * We disallow the SystemPrincipal to initiate requests to
   * the public web. This flag is to allow exceptions.
   */
  [infallible] attribute boolean allowDeprecatedSystemRequests;

  /**
   * Only ever returns true if the loadinfo is of TYPE_SCRIPT and
   * the script was created by the HTML parser.
   */
  [infallible] attribute boolean parserCreatedScript;

  /**
   * True if this request is known to have been triggered by a user
   * manually requesting the URI to be saved.
   */
  [infallible] attribute boolean isUserTriggeredSave;

  /**
   * True if this request is from DevTools.
   */
  [infallible] attribute boolean isInDevToolsContext;

  /**
   * True if this request is embedded in a context that can't be third-party
   * (i.e. an iframe embedded in a cross-origin parent window). If this is
   * false, then this request may be third-party if it's a third-party to
   * loadingPrincipal.
   */
  [infallible] attribute boolean isInThirdPartyContext;

  /**
   * True if this request is a third party in respect to the top-level window.
   *
   * Note that this doesn't consider the parent window. I.e. It will still
   * return false even in the case that the parent is cross-origin but the
   * top-level is same-origin.
   *
   * This value would be set during opening the channel in parent and propagate
   * to the channel in the content.
   */
  [infallible] attribute boolean isThirdPartyContextToTopWindow;

  /**
   * See the SEC_COOKIES_* flags above. This attribute will never return
   * SEC_COOKIES_DEFAULT, but will instead return what the policy resolves to.
   * I.e. SEC_COOKIES_SAME_ORIGIN for CORS mode, and SEC_COOKIES_INCLUDE
   * otherwise.
   */
  [infallible] readonly attribute unsigned long cookiePolicy;

  /**
   * The cookie jar settings inherited from the top-level document's loadInfo.
   * It cannot be null.
   */
  attribute nsICookieJarSettings cookieJarSettings;

  cenum StoragePermissionState : 8 {
    NoStoragePermission = 0,
    HasStoragePermission = 1,
    StoragePermissionAllowListed = 2,
  };

  /**
   * The result of the storage permission check of the loading document. This
   * value would be set during opening the channel.
   */
  [infallible] attribute nsILoadInfo_StoragePermissionState
        storagePermission;

  /**
   * True if the load was triggered by a meta refresh.
   */
  [infallible] attribute boolean isMetaRefresh;

  /**
   * If forceInheritPrincipal is true, the data coming from the channel should
   * inherit its principal, even when the data is loaded over http:// or another
   * protocol that would normally use a URI-based principal.
   *
   * See the documentation for principalToInherit, which describes exactly what
   * principal is inherited.
   *
   * This attribute will never be true when loadingSandboxed is true.
   */
  [infallible] readonly attribute boolean forceInheritPrincipal;

  /**
   * If forceInheritPrincipalOverruleOwner is true, the data coming from the
   * channel should inherit the principal, even when the data is loaded over
   * http:// or another protocol that would normally use a URI-based principal
   * and even if the channel's .owner is not null.  This last is the difference
   * between forceInheritPrincipalOverruleOwner and forceInheritPrincipal: the
   * latter does _not_ overrule the .owner setting.
   *
   * See the documentation for principalToInherit, which describes exactly what
   * principal is inherited.
   */
  [infallible] readonly attribute boolean forceInheritPrincipalOverruleOwner;

  /**
   * If loadingSandboxed is true, the data coming from the channel is
   * being loaded sandboxed, so it should have a nonce origin and
   * hence should use a NullPrincipal.
   */
  [infallible] readonly attribute boolean loadingSandboxed;

  /**
   * If aboutBlankInherits is true, then about:blank should inherit
   * the principal.
   */
  [infallible] readonly attribute boolean aboutBlankInherits;

  /**
   * If allowChrome is true, then use nsIScriptSecurityManager::ALLOW_CHROME
   * when calling CheckLoadURIWithPrincipal().
   */
  [infallible] readonly attribute boolean allowChrome;

  /**
   * If disallowScript is true, then use nsIScriptSecurityManager::DISALLOW_SCRIPT
   * when calling CheckLoadURIWithPrincipal().
   */
  [infallible] readonly attribute boolean disallowScript;

%{C++
  uint32_t CheckLoadURIFlags() {
    uint32_t flags = nsIScriptSecurityManager::STANDARD;
    if (GetAllowChrome()) {
      flags |= nsIScriptSecurityManager::ALLOW_CHROME;
    }
    if (GetDisallowScript()) {
      flags |= nsIScriptSecurityManager::DISALLOW_SCRIPT;
    }
    return flags;
  }
%}

  /**
   * Returns true if SEC_DONT_FOLLOW_REDIRECTS is set.
   */
  [infallible] readonly attribute boolean dontFollowRedirects;

  /**
   * Returns true if SEC_LOAD_ERROR_PAGE is set.
   */
  [infallible] readonly attribute boolean loadErrorPage;

  /**
   * True if the load was initiated by a form request.
   * This is important to know to handle the CSP directive navigate-to.
   */
  [infallible] attribute boolean isFormSubmission;

  /**
   * The external contentPolicyType of the channel, used for security checks
   * like Mixed Content Blocking and Content Security Policy.
   *
   * Specifically, content policy types with _INTERNAL_ in their name will
   * never get returned from this attribute.
   */
  readonly attribute nsContentPolicyType externalContentPolicyType;

  /**
   * CSP uses this parameter to send or not CSP violation events.
   * Default value: true.
   */
  [infallible] attribute boolean sendCSPViolationEvents;

%{ C++
  inline ExtContentPolicyType GetExternalContentPolicyType()
  {
    nsContentPolicyType result;
    mozilla::DebugOnly<nsresult> rv = GetExternalContentPolicyType(&result);
    MOZ_ASSERT(NS_SUCCEEDED(rv));
    return static_cast<ExtContentPolicyType>(result);
  }

%}


  /**
   * The internal contentPolicyType of the channel, used for constructing
   * RequestContext values when creating a fetch event for an intercepted
   * channel.
   *
   * This should not be used for the purposes of security checks, since
   * the content policy implementations cannot be expected to deal with
   * _INTERNAL_ values.  Please use the contentPolicyType attribute above
   * for that purpose.
   */
  [noscript, notxpcom, nostdcall, binaryname(InternalContentPolicyType)]
  nsContentPolicyType binaryInternalContentPolicyType();

  readonly attribute nsContentPolicyType internalContentPolicyType;

  /**
   * Returns true if document or any of the documents ancestors
   * up to the toplevel document make use of the CSP directive
   * 'block-all-mixed-content'.
   *
   * Warning: If the loadingDocument is null, then the
   * blockAllMixedContent is false.
   */
  [infallible] readonly attribute boolean blockAllMixedContent;

  /**
   * Returns true if document or any of the documents ancestors
   * up to the toplevel document make use of the CSP directive
   * 'upgrade-insecure-requests'.
   *
   * Warning: If the loadingDocument is null, then the
   * upgradeInsecureRequests is false.
   */
  [infallible] readonly attribute boolean upgradeInsecureRequests;

  /**
   * Returns true if the the page is https and the content is upgradable from http
   * requires 'security.mixed_content.upgrade_display_content' pref to be true.
   * Currently this only upgrades display content but might be expanded to other loads.
   * This is very similar in implementation to upgradeInsecureRequests but browser set.
   */
  [infallible] readonly attribute boolean browserUpgradeInsecureRequests;

  /**
   * Returns true if the display content was or will get upgraded from http to https.
   * Requires 'security.mixed_content.upgrade_display_content' pref to be true.
   * Flag is set purely to collect telemetry.
   */
  [infallible] attribute boolean browserDidUpgradeInsecureRequests;

  /**
   * Returns true if the the page is https and the content is upgradable from http
   * requires 'security.mixed_content.upgrade_display_content' pref to be false.
   * See browserUpgradeInsecureRequests for more details, this only happens
   * when *not* upgrading purely for telemetry.
   */
  [infallible] readonly attribute boolean browserWouldUpgradeInsecureRequests;

  /**
   * If true, toplevel data: URI navigation is allowed
   */
  [infallible] attribute boolean forceAllowDataURI;

  /**
   * If true, insecure redirects to a data: URI are allowed.
   */
  [infallible] attribute boolean allowInsecureRedirectToDataURI;

  /**
   * If true, the content policy security check is excluded from web requests.
   */
  [infallible] attribute boolean skipContentPolicyCheckForWebRequest;

  /**
   * If true, this is the load of a frame's original src attribute
   */
  [infallible] attribute boolean originalFrameSrcLoad;

  /**
   * The SEC_FORCE_INHERIT_PRINCIPAL flag may be dropped when a load info
   * object is created.  Specifically, it will be dropped if the SANDBOXED_ORIGIN
   * sandbox flag is also present.  This flag is set if SEC_FORCE_INHERIT_PRINCIPAL
   * was dropped.
   */
  [infallible] readonly attribute boolean forceInheritPrincipalDropped;

  /**
   * This is the inner window ID of the window in which the element being
   * loaded lives.
   *
   * Note that this window ID can be 0 if the window is not
   * available.
   */
  [infallible] readonly attribute unsigned long long innerWindowID;

  /**
   * The BrowsingContext performing the load for this nsILoadInfo object.
   */
  [infallible] readonly attribute unsigned long long browsingContextID;
  [infallible] readonly attribute BrowsingContext browsingContext;

  /**
   * The BrowsingContext which the worker is associated.
   *
   * Note that this could be 0 if the load is not triggered in a WorkerScope.
   * This value is only set and used in the parent process for some sitautions
   * the channel is created in the parent process for Workers. Such as fetch().
   * In content process, it is always 0.
   * This value would not be propagated through IPC.
   */
  [infallible] attribute unsigned long long workerAssociatedBrowsingContextID;
  [infallible] readonly attribute BrowsingContext workerAssociatedBrowsingContext;

  /**
   * Only when the element being loaded is <frame src="foo.html">
   * (or, more generally, if the element QIs to nsFrameLoaderOwner),
   * the frameBrowsingContext is the browsing context containing the
   * foo.html document.
   *
   * Note: For other cases, frameBrowsingContextID is 0.
   */
  [infallible] readonly attribute unsigned long long frameBrowsingContextID;
  [infallible] readonly attribute BrowsingContext frameBrowsingContext;

  /**
   * If the element being loaded is a nsFrameLoaderOwner,
   * `targetBrowsingContext` is the Browsing Context which will contain the
   * loading document (see `frameBrowsingContext`). Otherwise, it is the
   * Browsing Context performing the load (see `browsingContext`).
   */
  [infallible] readonly attribute unsigned long long targetBrowsingContextID;
  [infallible] readonly attribute BrowsingContext targetBrowsingContext;

  /**
   * Resets the PrincipalToInherit to a freshly created NullPrincipal
   * which inherits the origin attributes from the loadInfo.
   *
   * WARNING: Please only use that function if you know exactly what
   * you are doing!!!
   */
  void resetPrincipalToInheritToNullPrincipal();

  /**
   * Customized OriginAttributes within LoadInfo to allow overwriting of the
   * default originAttributes from the loadingPrincipal.
   *
   * In chrome side, originAttributes.privateBrowsingId will always be 0 even if
   * the usePrivateBrowsing is true, because chrome docshell won't set
   * privateBrowsingId on origin attributes (See bug 1278664). This is to make
   * sure nsILoadInfo and nsILoadContext have the same origin attributes.
   */
  [implicit_jscontext, binaryname(ScriptableOriginAttributes)]
  attribute jsval originAttributes;

  [noscript, nostdcall, binaryname(GetOriginAttributes)]
  OriginAttributes binaryGetOriginAttributes();

  [noscript, nostdcall, binaryname(SetOriginAttributes)]
  void binarySetOriginAttributes(in const_OriginAttributesRef aOriginAttrs);

%{ C++
  inline mozilla::OriginAttributes GetOriginAttributes()
  {
    mozilla::OriginAttributes result;
    mozilla::DebugOnly<nsresult> rv = GetOriginAttributes(&result);
    MOZ_ASSERT(NS_SUCCEEDED(rv));
    return result;
  }
%}

  /**
   * Whenever a channel is evaluated by the ContentSecurityManager
   * the first time, we set this flag to true to indicate that
   * subsequent calls of AsyncOpen() do not have to enforce all
   * security checks again. E.g., after a redirect there is no
   * need to set up CORS again. We need this separate flag
   * because the redirectChain might also contain internal
   * redirects which might pollute the redirectChain so we can't
   * rely on the size of the redirectChain-array to query whether
   * a channel got redirected or not.
   *
   * Please note, once the flag is set to true it must remain true
   * throughout the lifetime of the channel. Trying to set it
   * to anything else than true will be discarded.
   *
   */
  [infallible] attribute boolean initialSecurityCheckDone;

  /**
   * Returns true if the load was triggered from an external application
   * (e.g. Thunderbird). Please note that this flag will only ever be true
   * if the load is of TYPE_DOCUMENT.
   */
  [infallible] attribute boolean loadTriggeredFromExternal;

  /**
   * True if the tainting has been set by the service worker.
   */
  [noscript, infallible] readonly attribute boolean serviceWorkerTaintingSynthesized;

  /**
   * Whenever a channel gets redirected, append the redirect history entry of
   * the channel which contains principal referrer and remote address [before
   * the channels got redirected] to the loadinfo, so that at every point this
   * array provides us information about all the redirects this channel went
   * through.
   * @param channelToDeriveFrom the channel being redirected
   * @param aIsInternalRedirect should be true if the channel is going
   *        through an internal redirect, otherwise false.
   */
  void appendRedirectHistoryEntry(in nsIChannel channelToDeriveFrom,
                                  in boolean isInternalRedirect);

  /**
   * An array of nsIRedirectHistoryEntry which stores redirects associated
   * with this channel. This array is filled whether or not the channel has
   * ever been opened. The last element of the array is associated with the
   * most recent redirect. Please note, that this array *includes* internal
   * redirects.
   */
  [implicit_jscontext]
  readonly attribute jsval redirectChainIncludingInternalRedirects;

  /**
   * A C++-friendly version of redirectChain.
   * Please note that this array has the same lifetime as the
   * loadInfo object - use with caution!
   */
  [noscript, notxpcom, nostdcall, binaryname(RedirectChainIncludingInternalRedirects)]
  nsIRedirectHistoryEntryArray binaryRedirectChainIncludingInternalRedirects();

  /**
   * Same as RedirectChain but does *not* include internal redirects.
   */
  [implicit_jscontext]
  readonly attribute jsval redirectChain;

  /**
   * A C++-friendly version of redirectChain.
   * Please note that this array has the same lifetime as the
   * loadInfo object - use with caution!
   */
  [noscript, notxpcom, nostdcall, binaryname(RedirectChain)]
  nsIRedirectHistoryEntryArray binaryRedirectChain();

  /**
   * This array is only filled out when we are in the parent process and we are
   * creating a loadInfo object or deserializing LoadInfoArgs into LoadInfo,
   * as we ever only need in the parent process.
   *
   * The array is meant to be a list of principals of the documents that the
   * browsing context, corresponding to this loadInfo object, is "nested through" in
   * the sense of
   * <https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-nested-through>.
   * Note that the array does not include the principal corresponding to the frame
   * loading this request. The closest ancestor is at index zero and the top level
   * ancestor is at the last index.
   *
   * If this is a toplevel content browsing context (i.e. toplevel document in spec
   * terms), the list is empty.
   *
   * Otherwise the array is a list for the document we're nested through (again in
   * the spec sense), with the principal of that document prepended. The
   * ancestorPrincipals[0] entry for an iframe load will be the principal of the
   * iframe element's owner document. The ancestorPrincipals[0] entry for an image
   * loaded in an iframe will be the principal of the iframe element's owner
   * document. This matches the ordering specified for Location.ancestorOrigins.
   *
   * Please note that this array has the same lifetime as the loadInfo object - use
   * with caution!
   */
  [noscript, notxpcom, nostdcall]
  PrincipalArrayRef AncestorPrincipals();

  /**
   * An array of BrowsingContext IDs which correspond to nsILoadInfo::AncestorPrincipals
   * above.  AncestorBrowsingContextIDs[0] is the BrowsingContext ID of the frame
   * associated with the principal at ancestorPrincipals[0], and so forth.
   *
   * Please note that this array has the same lifetime as the
   * loadInfo object - use with caution!
   */
  [noscript, notxpcom, nostdcall]
  Uint64ArrayRef AncestorBrowsingContextIDs();

  /**
   * Sets the list of unsafe headers according to CORS spec, as well as
   * potentially forces a preflight.
   * Note that you do not need to set the Content-Type header. That will be
   * automatically detected as needed.
   *
   * Only call this function when using the SEC_REQUIRE_CORS_INHERITS_SEC_CONTEXT mode.
   */
  [noscript, notxpcom, nostdcall]
  void setCorsPreflightInfo(in CStringArrayRef unsafeHeaders,
                            in boolean forcePreflight);

  /**
   * A C++-friendly getter for the list of cors-unsafe headers.
   * Please note that this array has the same lifetime as the
   * loadInfo object - use with caution!
   */
  [noscript, notxpcom, nostdcall, binaryname(CorsUnsafeHeaders)]
  CStringArrayRef corsUnsafeHeaders();

  /**
   * Returns value set through setCorsPreflightInfo.
   */
  [infallible] readonly attribute boolean forcePreflight;

  /**
   * A C++ friendly getter for the forcePreflight flag.
   */
  [infallible] readonly attribute boolean isPreflight;

  /**
  * Constants reflecting the channel tainting.  These are mainly defined here
  * for script.  Internal C++ code should use the enum defined in LoadTainting.h.
  * See LoadTainting.h for documentation.
  */
  const unsigned long TAINTING_BASIC = 0;
  const unsigned long TAINTING_CORS = 1;
  const unsigned long TAINTING_OPAQUE = 2;

  /**
   * Determine the associated channel's current tainting.  Note, this can
   * change due to a service worker intercept, so it should be checked after
   * OnStartRequest() fires.
   */
  readonly attribute unsigned long tainting;

  /**
   * Note a new tainting level and possibly increase the current tainting
   * to match.  If the tainting level is already greater than the given
   * value, then there is no effect.  It is not possible to reduce the tainting
   * level on an existing channel/loadinfo.
   */
  void maybeIncreaseTainting(in unsigned long aTainting);

  /**
   * Various helper code to provide more convenient C++ access to the tainting
   * attribute and maybeIncreaseTainting().
   */
%{C++
  static_assert(TAINTING_BASIC == static_cast<uint32_t>(mozilla::LoadTainting::Basic),
                "basic tainting enums should match");
  static_assert(TAINTING_CORS == static_cast<uint32_t>(mozilla::LoadTainting::CORS),
                "cors tainting enums should match");
  static_assert(TAINTING_OPAQUE == static_cast<uint32_t>(mozilla::LoadTainting::Opaque),
                "opaque tainting enums should match");

  mozilla::LoadTainting GetTainting()
  {
    uint32_t tainting = TAINTING_BASIC;
    MOZ_ALWAYS_SUCCEEDS(GetTainting(&tainting));
    return static_cast<mozilla::LoadTainting>(tainting);
  }

  void MaybeIncreaseTainting(mozilla::LoadTainting aTainting)
  {
    uint32_t tainting = static_cast<uint32_t>(aTainting);
    MOZ_ALWAYS_SUCCEEDS(MaybeIncreaseTainting(tainting));
  }
%}

  /**
   * Returns true if this load is for top level document.
   * Note that the load for a sub-frame's document will return false here.
   */
  [infallible] readonly attribute boolean isTopLevelLoad;

  /**
   * If this is non-null, this property represents two things: (1) the
   * URI to be used for the principal if the channel with this loadinfo
   * gets a principal based on URI and (2) the URI to use for a document
   * created from the channel with this loadinfo.
   */
  attribute nsIURI resultPrincipalURI;

  /**
   * This is the URI used to create the most recent channel in the load's
   * redirect chain, if it's different from channel's `originalURI`.
   * This is always null for loads not handled by DocumentLoadListener. If
   * non-null, channelCreationOriginalURI will be used instead of channel's
   * originalURI to re-create the channel in the final content process selected
   * to perform the load.
   */
  attribute nsIURI channelCreationOriginalURI;

  /**
   * Returns a unique nsID used to construct the null principal for the
   * resulting resource if the SANDBOXED_ORIGIN flag is set.  This is used by
   * GetChannelResultPrincipal() to ensure that the same null principal is
   * returned every time.
   */
  [noscript, nostdcall, notxpcom]
  nsIDRef GetSandboxedNullPrincipalID();

  /**
   * Generates a new nsID to be returned by a future call to
   * `GetSandboxedNullPrincipalID()`.
   */
  [noscript, nostdcall, notxpcom]
  void ResetSandboxedNullPrincipalID();

  /**
   * Return the top-level principal, which is the principal of the top-level
   * window.
   */
  [notxpcom, nostdcall] readonly attribute nsIPrincipal topLevelPrincipal;

  /**
   * Note which client (i.e. global) initiated this network request.  All
   * nsGlobalWindow and WorkerPrivate can be converted to a ClientInfo to
   * be set here.  While this is being added to support service worker
   * FetchEvent, it can also be used to communicate other information about
   * the source global context in the future.
   */
  [noscript, nostdcall, notxpcom]
  void SetClientInfo(in const_ClientInfoRef aClientInfo);

  /**
   * Get the ClientInfo for the global that initiated the network request,
   * if it has been set.
   */
  [noscript, nostdcall, notxpcom]
  const_MaybeClientInfoRef GetClientInfo();

  /**
   * Give a pre-allocated ClientSource to the channel LoadInfo.  This is
   * intended to be used by docshell when loading windows without an
   * initial about:blank document.  The docshell will allocate the ClientSource
   * to represent the client that will be created as a result of the navigation
   * network request.  If the channel succeeds and remains same-origin, then
   * the result nsGlobalWindow will take ownership of the reserved ClientSource.
   *
   * This method is also called when a cross-origin redirect occurs.  A new
   * ClientSource with a different UUID must be created in this case.
   *
   * This method automatically calls SetReservedClientInfo() with the
   * ClientSource::Info().
   */
  [noscript, nostdcall, notxpcom]
  void GiveReservedClientSource(in UniqueClientSourceMove aClientSource);

  /**
   * This method takes ownership of the reserved ClientSource previously
   * provided in GiveReservedClientSource().  It may return nullptr if the
   * nsILoadInfo does not own a ClientSource object.
   */
  [noscript, nostdcall, notxpcom]
  UniqueClientSource TakeReservedClientSource();

  /**
   * Note the reserved client that be created if this non-subresource
   * network request succeeds.  Depending on the type of client this
   * may be called directly or indirectly via GiveReservedClientSource().
   * For example, web workers do not call give their ClientSource to
   * the nsILoadInfo, but must still call this method to indicate the
   * reserved client for their main script load.
   */
  [noscript, nostdcall, notxpcom]
  void SetReservedClientInfo(in const_ClientInfoRef aClientInfo);

  /**
   * This will clear any existing reserved or initial client and override
   * it with the given reserved client.  This is similar to calling
   * TakeReservedClientSource() and then GiveReservedClientSource() with
   * a new client as ClientChannelHelper does.  This method is needed,
   * though, to perform this operation in the parent process where
   * the LoadInfo does not have direct access to a ClientSource.
   *
   * If in doubt, do not call this method.  Its really only needed for
   * a specific redirect case where the child has created a new client on
   * redirect and we need to override the parent side's reserved client
   * to match.
   */
  [noscript, nostdcall, notxpcom]
  void OverrideReservedClientInfoInParent(in const_ClientInfoRef aClientInfo);

  /**
   * Return the reserved ClientInfo for this load, if one has been set.
   */
  [noscript, nostdcall, notxpcom]
  const_MaybeClientInfoRef GetReservedClientInfo();

  /**
   * Note that this non-subresource network request will result in
   * re-using an existing "initial" active client.  This mainly only
   * happens when an initial about:blank document is replaced with
   * a real load in a window.  In these cases we need to track this
   * initial client so that we may report its existence in a FetchEvent.
   *
   * Note, an nsILoadInfo may only have a reserved client or an
   * initial client.  It should never have both.
   */
  [noscript, nostdcall, notxpcom]
  void SetInitialClientInfo(in const_ClientInfoRef aClientInfo);

  /**
   * Return the initial ClientInfo for this load, if one has been set.
   */
  [noscript, nostdcall, notxpcom]
  const_MaybeClientInfoRef GetInitialClientInfo();

  /**
   * Note that this network request should be controlled by a service worker.
   * For non-subresource requests this may be set during the load when
   * the first service worker interception occurs.  For subresource requests
   * it may be set by the source client if its already controlled by a
   * service worker.
   */
  [noscript, nostdcall, notxpcom]
  void SetController(in const_ServiceWorkerDescriptorRef aServiceWorker);

  /**
   * Clear the service worker controller for this channel.  This should only
   * be used for window navigation redirects.  By default we want to keep
   * the controller in all other cases.
   */
  [noscript, nostdcall, notxpcom]
  void ClearController();

  /**
   * Get the service worker controlling this network request, if one has
   * been set.
   */
  [noscript, nostdcall, notxpcom]
  const_MaybeServiceWorkerDescriptorRef GetController();

  /**
   * Set a custom performance storage. This is meant to be executed only for
   * workers. If a PerformanceStorage is not set, the loadingDocument->Window
   * Performance object will be returned instead.
   */
  [noscript, nostdcall, notxpcom]
  void SetPerformanceStorage(in PerformanceStoragePtr aPerformanceStorage);

  /**
   * Get the custom PerformanceStorage if set by SetPerformanceStorage.
   * Otherwise the loadingDocument->Window Performance object will be returned
   * instead if all the following conditions are met:
   * - the triggeringPrincipal is the same as the loadingDocument's principal.
   * - if the external content policy type is TYPE_SUBDOCUMENT then loading
   *   wasn't caused by processing the attributes of the browsing context
   *   container.
   */
  [noscript, nostdcall, notxpcom]
  PerformanceStoragePtr GetPerformanceStorage();

  /**
   * Returns the CSP (or Preload CSP for preloads) which should be enforced
   * when fetching the resource this loadinfo belongs to.
   *
   * a) Non-navigations:
   * For non-navigation loads, GetCsp() returns what the spec refers to as the
   * "request's client's global object's CSP list". In practice, if this is the
   * loadinfo of a subresource load (e.g an image load), then GetCsp() or
   * GetPreloadCSP() returns the CSP of the document which embeds the image.
   * The returned CSP includes any policy delivered through the HTTP header or
   * also through the meta tag (modulo the difference for preloads, e.g. image
   * preloads have to query GetPreloadCsp() because at the time of preloading
   * we are not entirely sure if the Meta CSP will be applied to the document
   * in the end or not). Please note that GetCSPToInherit() called on a
   * loadinfo for any non-navigation always returns null.
   *
   * b) Navigations:
   *   * Top-level loads:
   *     For top-level loads (navigations) GetCsp() will return null, unless
   *     the navigation is started by a WebExtension, in which case it will
   *     return the CSP of the webextension, if any.
   *     If you need to query the CSP that potentially should apply to the
   *     new top-level load, you have to query GetCspToInherit(), which is
   *     the CSP of the request's client's global object, just like GetCsp()
   *     is for non-navigation requests.
   *
   *   * Iframe-loads:
   *     For iframe-loads (navigations) GetCsp() will return the CSP of the
   *     parent document, unless the navigation is started by a WebExtension,
   *     in which case it will return the CSP of the webextension, if any.
   *
   * If you need to query the CSP that should potentially be inherited
   * into the new document, you have to query GetCSPToInherit().
   *
   * TODO Bug 1557114:
   * After evaluating what CSP to use for frame navigations we should
   * update the above documentation to match the outcome of Bug 1557114.
   */
  [notxpcom,nostdcall] CSPRef GetCsp();
  [notxpcom,nostdcall] CSPRef GetPreloadCsp();
  [notxpcom,nostdcall] CSPRef GetCspToInherit();

  /**
    * The service worker and fetch specifications require returning the
    * exact tainting level of the Response passed to FetchEvent.respondWith().
    * This method allows us to override the tainting level in that case.
    *
    * NOTE: This should not be used outside of service worker code! Use
    *       nsILoadInfo::MaybeIncreaseTainting() instead.
   */
  [noscript, nostdcall, notxpcom]
  void SynthesizeServiceWorkerTainting(in LoadTainting aTainting);

  /**
    * The top-level document has been user-interacted.
    */
  [infallible] attribute boolean documentHasUserInteracted;

  /**
    * During a top-level document channel redirect from tracking to
    * non-tracking resources, our anti-tracking heuristic, grants the storage
    * access permission for a short amount of seconds (See
    * privacy.restrict3rdpartystorage.expiration_redirect pref).
    * We use this flag to remember this decision even if this channel is part
    * of a chain of redirects.
    */
  [infallible] attribute boolean allowListFutureDocumentsCreatedFromThisRedirectChain;

  /**
   * Indicates that we need to check if we should apply the anti-tracking
   * heuristic after the channel has been classified.
   */
  [infallible] attribute boolean needForCheckingAntiTrackingHeuristic;

  /**
   * A snapshot of the nonce at load start time which is used for CSP
   * checks and only set for:
   *  * TYPE_SCRIPT and
   *  * TYPE_STYLESHEET
   */
  attribute AString cspNonce;

  /**
   * List of possible reasons the request associated with this load info
   * may have been blocked, set by various content blocking checkers.
   */
  const uint32_t BLOCKING_REASON_NONE = 0;
  const uint32_t BLOCKING_REASON_CORSDISABLED = 1001;
  const uint32_t BLOCKING_REASON_CORSDIDNOTSUCCEED = 1002;
  const uint32_t BLOCKING_REASON_CORSREQUESTNOTHTTP = 1003;
  const uint32_t BLOCKING_REASON_CORSMULTIPLEALLOWORIGINNOTALLOWED = 1004;
  const uint32_t BLOCKING_REASON_CORSMISSINGALLOWORIGIN = 1005;
  const uint32_t BLOCKING_REASON_CORSNOTSUPPORTINGCREDENTIALS = 1006;
  const uint32_t BLOCKING_REASON_CORSALLOWORIGINNOTMATCHINGORIGIN = 1007;
  const uint32_t BLOCKING_REASON_CORSMISSINGALLOWCREDENTIALS = 1008;
  const uint32_t BLOCKING_REASON_CORSORIGINHEADERNOTADDED = 1009;
  const uint32_t BLOCKING_REASON_CORSEXTERNALREDIRECTNOTALLOWED = 1010;
  const uint32_t BLOCKING_REASON_CORSPREFLIGHTDIDNOTSUCCEED = 1011;
  const uint32_t BLOCKING_REASON_CORSINVALIDALLOWMETHOD = 1012;
  const uint32_t BLOCKING_REASON_CORSMETHODNOTFOUND = 1013;
  const uint32_t BLOCKING_REASON_CORSINVALIDALLOWHEADER = 1014;
  const uint32_t BLOCKING_REASON_CORSMISSINGALLOWHEADERFROMPREFLIGHT = 1015;
  const uint32_t BLOCKING_REASON_CLASSIFY_MALWARE_URI = 2001;
  const uint32_t BLOCKING_REASON_CLASSIFY_PHISHING_URI = 2002;
  const uint32_t BLOCKING_REASON_CLASSIFY_UNWANTED_URI = 2003;
  const uint32_t BLOCKING_REASON_CLASSIFY_TRACKING_URI = 2004;
  const uint32_t BLOCKING_REASON_CLASSIFY_BLOCKED_URI = 2005;
  const uint32_t BLOCKING_REASON_CLASSIFY_HARMFUL_URI = 2006;
  const uint32_t BLOCKING_REASON_CLASSIFY_CRYPTOMINING_URI = 2007;
  const uint32_t BLOCKING_REASON_CLASSIFY_FINGERPRINTING_URI = 2008;
  const uint32_t BLOCKING_REASON_CLASSIFY_SOCIALTRACKING_URI = 2009;
  const uint32_t BLOCKING_REASON_CLASSIFY_EMAILTRACKING_URI = 2010;
  const uint32_t BLOCKING_REASON_MIXED_BLOCKED = 3001;
  // The general reason comes from nsCSPContext::permitsInternal(),
  // which is way too generic to distinguish an exact reason.
  const uint32_t BLOCKING_REASON_CONTENT_POLICY_GENERAL = 4000;
  const uint32_t BLOCKING_REASON_CONTENT_POLICY_NO_DATA_PROTOCOL = 4001;
  const uint32_t BLOCKING_REASON_CONTENT_POLICY_WEBEXT = 4002;
  const uint32_t BLOCKING_REASON_CONTENT_POLICY_CONTENT_BLOCKED = 4003;
  const uint32_t BLOCKING_REASON_CONTENT_POLICY_DATA_DOCUMENT = 4004;
  const uint32_t BLOCKING_REASON_CONTENT_POLICY_WEB_BROWSER = 4005;
  const uint32_t BLOCKING_REASON_CONTENT_POLICY_PRELOAD = 4006;
  // The reason used when SEC_REQUIRE_SAME_ORIGIN_* is set and not satisifed.
  const uint32_t BLOCKING_REASON_NOT_SAME_ORIGIN = 5000;
  // The reason used when an extension cancels the request via the WebRequest api.
  const uint32_t BLOCKING_REASON_EXTENSION_WEBREQUEST = 6000;

  /**
   * If the request associated with this load info was blocked by some of
   * our content or load blockers, the reason can be found here.
   * Note that setting this attribute has NO EFFECT on blocking the request.
   * This attribute is only informative!
   *
   * By default the value is '0' - NONE.
   * Each write rewrites the last value.
   * Can be accessed only on a single thread.
   */
  [infallible] attribute unsigned long requestBlockingReason;

  /**
    * The object in charged to receive CSP violation events. It can be null.
    * This attribute will be merged into the CSP object eventually.
    * See bug 1500908.
    */
  attribute nsICSPEventListener cspEventListener;

  /**
   * This attribute will be true if this is a load triggered by
   * https://html.spec.whatwg.org/multipage/iframe-embed-object.html#process-the-iframe-attributes
   * or https://html.spec.whatwg.org/multipage/obsolete.html#process-the-frame-attributes
   */
  [infallible] readonly attribute boolean isFromProcessingFrameAttributes;

  cenum CrossOriginOpenerPolicy : 8 {
    OPENER_POLICY_UNSAFE_NONE = 0,
    OPENER_POLICY_SAME_ORIGIN = 1,
    OPENER_POLICY_SAME_ORIGIN_ALLOW_POPUPS = 2,
    OPENER_POLICY_EMBEDDER_POLICY_REQUIRE_CORP_FLAG = 0x10,
    OPENER_POLICY_SAME_ORIGIN_EMBEDDER_POLICY_REQUIRE_CORP =
        OPENER_POLICY_SAME_ORIGIN |
        OPENER_POLICY_EMBEDDER_POLICY_REQUIRE_CORP_FLAG
  };

  cenum CrossOriginEmbedderPolicy : 8 {
    EMBEDDER_POLICY_NULL = 0,
    EMBEDDER_POLICY_REQUIRE_CORP = 1,
    EMBEDDER_POLICY_CREDENTIALLESS = 2,
  };

  /**
   * This attribute is the loading context's cross origin embedder policy.
   * The value is initialized with corresponding WindowContext which get by
   * innerWindowIID in the nsILoadInfo.
   * It also could be set by workers when fetch is called under
   * the workers' scope.
   */
  [infallible] attribute nsILoadInfo_CrossOriginEmbedderPolicy
        loadingEmbedderPolicy;

  /**
   * This attribute will be true if the top level document has COEP:
   * credentialless enabled in Origin Trial.
   */
  [infallible] attribute boolean isOriginTrialCoepCredentiallessEnabledForTopLevel;
  /**
   * This attribute will be true if this is a load triggered by a media
   * element.
   */
  [infallible] attribute boolean isMediaRequest;

  /**
   * This attribute will be true if this is a load triggered by a media
   * element and it's an initial request.
   */
  [infallible] attribute boolean isMediaInitialRequest;

  /**
   * This attribute will be true if the fetch request is from object or embed
   * elements
   */
  [infallible] attribute boolean isFromObjectOrEmbed;

  /**
   * This attribute will be true if the URL is known to be possibly broken and
   * CheckForBrokenChromeURL and RecordZeroLengthEvent should be skipped.
   */
  [infallible] readonly attribute boolean shouldSkipCheckForBrokenURLOrZeroSized;

  /**
   * If this is non-null, this property holds the URI as it was before query
   * stripping was performed.
   */
  attribute nsIURI unstrippedURI;

  /**
   * Propagated information from InterceptedHttpChannel
   * It should be null when the channel is not created from FetchEvent.request
   * or ServiceWorker NavigationPreload.
   * nsIFetchEventInfo is C++ only, so it is not an attribute.
   */
  [noscript, notxpcom, nostdcall, binaryname(InterceptionInfo)]
  nsIInterceptionInfo binaryInterceptionInfo();

  [noscript, notxpcom, nostdcall, binaryname(SetInterceptionInfo)]
  void binarySetInterceptionInfo(in nsIInterceptionInfo info);

  /**
   * Whether nsICookieInjector has injected a cookie for this request to
   * handle a cookie banner. This is only done for top-level requests.
   */
  [infallible] attribute boolean hasInjectedCookieForCookieBannerHandling;
};