summaryrefslogtreecommitdiffstats
path: root/dom/interfaces/security/nsIContentSecurityPolicy.idl
blob: bf691ed215c659e06ce294866dd213364170570f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISerializable.idl"
#include "nsIContentPolicy.idl"

interface nsIURI;
interface nsIEventTarget;
interface nsILoadInfo;
interface nsIPrincipal;
interface nsICSPEventListener;

webidl Element;
webidl Document;

/**
 * nsIContentSecurityPolicy
 * Describes an XPCOM component used to model and enforce CSPs.  Instances of
 * this class may have multiple policies within them, but there should only be
 * one of these per document/principal.
 */

%{C++
class nsCSPPolicy;
%}

[ptr] native CSPPolicyPtr(const nsCSPPolicy);

[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)]
interface nsIContentSecurityPolicy : nsISerializable
{
  /**
   * Directives supported by Content Security Policy.  These are enums for
   * the CSPDirective type.
   * The NO_DIRECTIVE entry is  used for checking default permissions and
   * returning failure when asking CSP which directive to check.
   *
   * NOTE: When implementing a new directive, you will need to add it here but also
   * add it to the CSPStrDirectives array in nsCSPUtils.h.
   */
  cenum CSPDirective : 8 {
    NO_DIRECTIVE                   = 0,
    DEFAULT_SRC_DIRECTIVE          = 1,
    SCRIPT_SRC_DIRECTIVE           = 2,
    OBJECT_SRC_DIRECTIVE           = 3,
    STYLE_SRC_DIRECTIVE            = 4,
    IMG_SRC_DIRECTIVE              = 5,
    MEDIA_SRC_DIRECTIVE            = 6,
    FRAME_SRC_DIRECTIVE            = 7,
    FONT_SRC_DIRECTIVE             = 8,
    CONNECT_SRC_DIRECTIVE          = 9,
    REPORT_URI_DIRECTIVE           = 10,
    FRAME_ANCESTORS_DIRECTIVE      = 11,
    REFLECTED_XSS_DIRECTIVE        = 12,
    BASE_URI_DIRECTIVE             = 13,
    FORM_ACTION_DIRECTIVE          = 14,
    WEB_MANIFEST_SRC_DIRECTIVE     = 15,
    UPGRADE_IF_INSECURE_DIRECTIVE  = 16,
    CHILD_SRC_DIRECTIVE            = 17,
    BLOCK_ALL_MIXED_CONTENT        = 18,
    SANDBOX_DIRECTIVE              = 19,
    WORKER_SRC_DIRECTIVE           = 20,
    NAVIGATE_TO_DIRECTIVE          = 21,
    SCRIPT_SRC_ELEM_DIRECTIVE      = 22,
    SCRIPT_SRC_ATTR_DIRECTIVE      = 23,
    STYLE_SRC_ELEM_DIRECTIVE       = 24,
    STYLE_SRC_ATTR_DIRECTIVE       = 25,
  };

  /**
   * Accessor method for a read-only string version of the policy at a given
   * index.
   */
  [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);

  /**
   * Accessor method for a read-only pointer the policy object at a given
   * index. Returns a null pointer if the index is larger than the current
   * policy count.
   */
  [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);

  /**
   * Returns the number of policies attached to this CSP instance.  Useful with
   * getPolicy().
   */
  readonly attribute unsigned long policyCount;

  /**
   * Returns whether this policy uses the directive upgrade-insecure-requests.
   * Please note that upgrade-insecure-reqeusts also applies if the parent or
   * including document (context) makes use of the directive.
   */
  readonly attribute bool upgradeInsecureRequests;

  /**
   * Returns whether this policy uses the directive block-all-mixed-content.
   * Please note that block-all-mixed-content takes presedence in case the
   * directive upgrade-insecure-requests is defined in the same policy and
   * will therefore block all mixed content without even trying to perform
   * an upgrade.
   */
  readonly attribute bool blockAllMixedContent;

  /**
   * Returns whether this policy enforces the frame-ancestors directive.
   */
  readonly attribute bool enforcesFrameAncestors;

  /**
   * Parse and install a CSP policy.
   * @param aPolicy
   *        String representation of the policy
   *        (e.g., header value, meta content)
   * @param reportOnly
   *        Should this policy affect content, script and style processing or
   *        just send reports if it is violated?
   * @param deliveredViaMetaTag
   *        Indicates whether the policy was delivered via the meta tag.
   */
  void appendPolicy(in AString policyString,
                    in boolean reportOnly,
                    in boolean deliveredViaMetaTag);

  /*
   * Whether this policy allows inline script or style.
   * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or
   *                           STYLE_SRC_(ELEM|ATTR)_DIRECTIVE.
   * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is
   *                       also specified.
   * @param aNonce The nonce string to check against the policy
   * @param aParserCreated If the script element was created by the HTML Parser
   * @param aTriggeringElement The script element of the inline resource to
   *        hash. It can be null.
   * @param aContentOfPseudoScript The content of the psuedo-script to compare
   *                               to hash (and compare to the hashes listed in
   *                               the policy)
   * @param aLineNumber The line number of the inline resource
   *        (used for reporting)
   * @param aColumnNumber The column number of the inline resource
   *        (used for reporting)
   * @return
   *     Whether or not the effects of the inline style should be allowed
   *     (block the rules if false).
   */
  boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective,
                          in bool aHasUnsafeHash,
                          in AString aNonce,
                          in boolean aParserCreated,
                          in Element aTriggeringElement,
                          in nsICSPEventListener aCSPEventListener,
                          in AString aContentOfPseudoScript,
                          in unsigned long aLineNumber,
                          in unsigned long aColumnNumber);

  /*
   * Whether this policy allows a navigation subject to the navigate-to
   * policy.
   * @param aURI The target URI
   * @param aIsFormSubmission True if the navigation was initiated by a form submission. This
   *        is important since the form-action directive overrides navigate-to in that case.
   * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity.
   * @param aEnforceAllowlist True if the allowlist of allowed targets must be enforced. If
   *        this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is
   *        used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced
   * @return
   *     Whether or not the effects of the navigation is allowed
   */
  boolean getAllowsNavigateTo(in nsIURI aURI,
                              in boolean aIsFormSubmission,
                              in boolean aWasRedirected,
                              in boolean aEnforceAllowlist);

  /**
   * Whether this policy allows eval and eval-like functions
   * such as setTimeout("code string", time).
   * @param shouldReportViolations
   *     Whether or not the use of eval should be reported.
   *     This function returns "true" when violating report-only policies, but
   *     when any policy (report-only or otherwise) is violated,
   *     shouldReportViolations is true as well.
   * @return
   *     Whether or not the effects of the eval call should be allowed
   *     (block the call if false).
   */
  boolean getAllowsEval(out boolean shouldReportViolations);

  /**
   * Whether this policy allows the evaluation (and compilation) of
   * WASM code from functions like `WebAssembly.compile`.
  * @param shouldReportViolations
   *     Whether or not the use of WASM evaluation should be reported.
   *     This function returns "true" when violating report-only policies, but
   *     when any policy (report-only or otherwise) is violated,
   *     shouldReportViolations is true as well.
   * @return
   *     Whether or not the effects of the WASM evaluation should be allowed
   *     (block the call if false).
   */
  boolean getAllowsWasmEval(out boolean shouldReportViolations);

  /**
   * Delegate method called by the service when the protected document is loaded.
   * Returns the union of all the sandbox flags contained in CSP policies. This is the most
   * restrictive interpretation of flags set in multiple policies.
   * See nsSandboxFlags.h for the possible flags.
   *
   * @return
   *    sandbox flags or SANDBOXED_NONE if no sandbox directive exists
   */
  uint32_t getCSPSandboxFlags();

  /**
   * For each violated policy (of type violationType), log policy violation on
   * the Error Console and send a report to report-uris present in the violated
   * policies.
   *
   * @param violationType
   *     one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
   * @param triggeringElement
   *     the element that triggers this CSP violation. It can be null.
   * @param sourceFile
   *     name of the source file containing the violation (if available)
   * @param contentSample
   *     sample of the violating content (to aid debugging)
   * @param lineNum
   *     source line number of the violation (if available)
   * @param columnNum
   *     source column number of the violation (if available)
   * @param aNonce
   *     (optional) If this is a nonce violation, include the nonce so we can
   *     recheck to determine which policies were violated and send the
   *     appropriate reports.
   * @param aContent
   *     (optional) If this is a hash violation, include contents of the inline
   *     resource in the question so we can recheck the hash in order to
   *     determine which policies were violated and send the appropriate
   *     reports.
   */
  void logViolationDetails(in unsigned short violationType,
                           in Element triggeringElement,
                           in nsICSPEventListener aCSPEventListener,
                           in AString sourceFile,
                           in AString scriptSample,
                           in int32_t lineNum,
                           in int32_t columnNum,
                           [optional] in AString nonce,
                           [optional] in AString content);

  const unsigned short VIOLATION_TYPE_EVAL                   = 1;
  const unsigned short VIOLATION_TYPE_WASM_EVAL              = 2;

  /**
   * Called after the CSP object is created to fill in appropriate request
   * context. Either use
   *  * aDocument (preferred), or if no document is available, then provide
   *  * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly.
   */
  [must_use] void setRequestContextWithDocument(in Document aDocument);
  [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal,
                                                 in nsIURI aSelfURI,
                                                 in AString aReferrer,
                                                 in unsigned long long aInnerWindowId);

  /**
   * Get the various arguments needed to create a new request context for a CSP.
   */
  [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal;
  [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI;
  [noscript] readonly attribute AString referrer;
  [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID;

  /**
   * Warning: Do not set that attribute unless you know exactly what you are doing!
   *
   * Primarily used to allow Devtools to edit inline styles!
   */
  [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck;

  /**
   *  Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable
   */
  [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget);


  /**
   * Verifies ancestry as permitted by the policy.
   *
   * NOTE: Calls to this may trigger violation reports when queried, so this
   * value should not be cached.
   *
   * @param aLoadInfo
   *    The loadinfo of the channel containing the protected resource
   * @return
   *    true if the frame's ancestors are all allowed by policy (except for
   *    report-only policies, which will send reports and then return true
   *    here when violated).
   */
  boolean permitsAncestry(in nsILoadInfo aLoadInfo);


  /**
   * Checks if a specific directive permits loading of a URI.
   *
   * @param aTriggeringElement
   *    The element that triggers this CSP check. It can be null.
   * @param aURI
   *    The URI about to be loaded or used.
   * @param aDir
   *    The CSPDirective to query (see above constants *_DIRECTIVE).
   * @param aSpecific
   *    If "true" and the directive is specified to fall back to "default-src"
   *    when it's not explicitly provided, directivePermits will NOT try
   *    default-src when the specific directive is not used.  Setting this to
   *    "false" allows CSP to fall back to default-src.  This function
   *    behaves the same for both values of canUseDefault when querying
   *    directives that don't fall-back.
   * @param aSendViolationReports
   *    If `true` and the uri is not allowed then trigger violation reports.
   *    This should be `false` for caching or preloads.
   * @return
   *    Whether or not the provided URI is allowed by CSP under the given
   *    directive. (block the pending operation if false).
   */
  boolean permits(in Element aTriggeringElement,
                  in nsICSPEventListener aCSPEventListener,
                  in nsIURI aURI,
                  in nsIContentSecurityPolicy_CSPDirective aDir,
                  in boolean aSpecific,
                  in boolean aSendViolationReports);

  /**
   * Delegate method called by the service when sub-elements of the protected
   * document are being loaded.  Given a bit of information about the request,
   * decides whether or not the policy is satisfied.
   *
   * Calls to this may trigger violation reports when queried, so
   * this value should not be cached.
   *
   * aOriginalURIIfRedirect must be passed only if this loading is the result
   * of a redirect. In this case, aOriginalURIIfRedirect must be the original
   * URL.
   */
  short shouldLoad(in nsContentPolicyType aContentType,
                   in nsICSPEventListener aCSPEventListener,
                   in nsIURI          aContentLocation,
                   in nsIURI          aOriginalURIIfRedirect,
                   in bool            aSendViolationReports,
                   in AString         aNonce,
                   in boolean         aParserCreated);

%{ C++
// nsIObserver topic to fire when the policy encounters a violation.
#define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
%}

  /**
   * Returns the CSP in JSON notation.
   */
  AString toJSON();

};

typedef nsIContentSecurityPolicy_CSPDirective CSPDirective;

/* Listener for security policy violation event */
[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)]
interface nsICSPEventListener : nsISupports
{
  // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary.
  void onCSPViolationEvent(in AString aJSON);
};