Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

4 files changed, 584 insertions, 0 deletions

diff --git a/dom/interfaces/security/moz.build b/dom/interfaces/security/moz.build
new file mode 100644
index 0000000000..e58715b360
--- /dev/null
+++ b/dom/interfaces/security/moz.build
@@ -0,0 +1,16 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+    BUG_COMPONENT = ("Core", "DOM: Security")
+
+XPIDL_SOURCES += [
+    "nsIContentSecurityManager.idl",
+    "nsIContentSecurityPolicy.idl",
+    "nsIReferrerInfo.idl",
+]
+
+XPIDL_MODULE = "dom_security"
diff --git a/dom/interfaces/security/nsIContentSecurityManager.idl b/dom/interfaces/security/nsIContentSecurityManager.idl
new file mode 100644
index 0000000000..5cd2feffad
--- /dev/null
+++ b/dom/interfaces/security/nsIContentSecurityManager.idl
@@ -0,0 +1,45 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIChannel;
+interface nsIPrincipal;
+interface nsIStreamListener;
+interface nsIURI;
+
+/**
+ * nsIContentSecurityManager
+ * Describes an XPCOM component used to perform security checks.
+ */
+
+[scriptable, uuid(3a9a1818-2ae8-4ec5-a340-8b29d31fca3b)]
+interface nsIContentSecurityManager : nsISupports
+{
+  /**
+   * Checks whether a channel is allowed to access the given URI and
+   * whether the channel should be openend or should be blocked consulting
+   * internal security checks like Same Origin Policy, Content Security
+   * Policy, Mixed Content Blocker, etc.
+   *
+   * If security checks within performSecurityCheck fail, the function
+   * throws an exception.
+   *
+   * @param aChannel
+   *     The channel about to be openend
+   * @param aStreamListener
+   *     The Streamlistener of the channel potentially wrapped
+   *     into CORSListenerProxy.
+   * @return
+   *     The StreamListener of the channel wrapped into CORSListenerProxy.
+   *
+   * @throws NS_ERROR_DOM_BAD_URI
+   *     If accessing the URI is not allowed (e.g. prohibted by SOP)
+   * @throws NS_ERROR_CONTENT_BLOCKED
+   *     If any of the security policies (CSP, Mixed content) is violated
+   */
+   nsIStreamListener performSecurityCheck(in nsIChannel aChannel,
+                                          in nsIStreamListener aStreamListener);
+
+};
diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl
new file mode 100644
index 0000000000..bf691ed215
--- /dev/null
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -0,0 +1,373 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISerializable.idl"
+#include "nsIContentPolicy.idl"
+
+interface nsIURI;
+interface nsIEventTarget;
+interface nsILoadInfo;
+interface nsIPrincipal;
+interface nsICSPEventListener;
+
+webidl Element;
+webidl Document;
+
+/**
+ * nsIContentSecurityPolicy
+ * Describes an XPCOM component used to model and enforce CSPs.  Instances of
+ * this class may have multiple policies within them, but there should only be
+ * one of these per document/principal.
+ */
+
+%{C++
+class nsCSPPolicy;
+%}
+
+[ptr] native CSPPolicyPtr(const nsCSPPolicy);
+
+[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)]
+interface nsIContentSecurityPolicy : nsISerializable
+{
+  /**
+   * Directives supported by Content Security Policy.  These are enums for
+   * the CSPDirective type.
+   * The NO_DIRECTIVE entry is  used for checking default permissions and
+   * returning failure when asking CSP which directive to check.
+   *
+   * NOTE: When implementing a new directive, you will need to add it here but also
+   * add it to the CSPStrDirectives array in nsCSPUtils.h.
+   */
+  cenum CSPDirective : 8 {
+    NO_DIRECTIVE                   = 0,
+    DEFAULT_SRC_DIRECTIVE          = 1,
+    SCRIPT_SRC_DIRECTIVE           = 2,
+    OBJECT_SRC_DIRECTIVE           = 3,
+    STYLE_SRC_DIRECTIVE            = 4,
+    IMG_SRC_DIRECTIVE              = 5,
+    MEDIA_SRC_DIRECTIVE            = 6,
+    FRAME_SRC_DIRECTIVE            = 7,
+    FONT_SRC_DIRECTIVE             = 8,
+    CONNECT_SRC_DIRECTIVE          = 9,
+    REPORT_URI_DIRECTIVE           = 10,
+    FRAME_ANCESTORS_DIRECTIVE      = 11,
+    REFLECTED_XSS_DIRECTIVE        = 12,
+    BASE_URI_DIRECTIVE             = 13,
+    FORM_ACTION_DIRECTIVE          = 14,
+    WEB_MANIFEST_SRC_DIRECTIVE     = 15,
+    UPGRADE_IF_INSECURE_DIRECTIVE  = 16,
+    CHILD_SRC_DIRECTIVE            = 17,
+    BLOCK_ALL_MIXED_CONTENT        = 18,
+    SANDBOX_DIRECTIVE              = 19,
+    WORKER_SRC_DIRECTIVE           = 20,
+    NAVIGATE_TO_DIRECTIVE          = 21,
+    SCRIPT_SRC_ELEM_DIRECTIVE      = 22,
+    SCRIPT_SRC_ATTR_DIRECTIVE      = 23,
+    STYLE_SRC_ELEM_DIRECTIVE       = 24,
+    STYLE_SRC_ATTR_DIRECTIVE       = 25,
+  };
+
+  /**
+   * Accessor method for a read-only string version of the policy at a given
+   * index.
+   */
+  [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);
+
+  /**
+   * Accessor method for a read-only pointer the policy object at a given
+   * index. Returns a null pointer if the index is larger than the current
+   * policy count.
+   */
+  [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);
+
+  /**
+   * Returns the number of policies attached to this CSP instance.  Useful with
+   * getPolicy().
+   */
+  readonly attribute unsigned long policyCount;
+
+  /**
+   * Returns whether this policy uses the directive upgrade-insecure-requests.
+   * Please note that upgrade-insecure-reqeusts also applies if the parent or
+   * including document (context) makes use of the directive.
+   */
+  readonly attribute bool upgradeInsecureRequests;
+
+  /**
+   * Returns whether this policy uses the directive block-all-mixed-content.
+   * Please note that block-all-mixed-content takes presedence in case the
+   * directive upgrade-insecure-requests is defined in the same policy and
+   * will therefore block all mixed content without even trying to perform
+   * an upgrade.
+   */
+  readonly attribute bool blockAllMixedContent;
+
+  /**
+   * Returns whether this policy enforces the frame-ancestors directive.
+   */
+  readonly attribute bool enforcesFrameAncestors;
+
+  /**
+   * Parse and install a CSP policy.
+   * @param aPolicy
+   *        String representation of the policy
+   *        (e.g., header value, meta content)
+   * @param reportOnly
+   *        Should this policy affect content, script and style processing or
+   *        just send reports if it is violated?
+   * @param deliveredViaMetaTag
+   *        Indicates whether the policy was delivered via the meta tag.
+   */
+  void appendPolicy(in AString policyString,
+                    in boolean reportOnly,
+                    in boolean deliveredViaMetaTag);
+
+  /*
+   * Whether this policy allows inline script or style.
+   * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or
+   *                           STYLE_SRC_(ELEM|ATTR)_DIRECTIVE.
+   * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is
+   *                       also specified.
+   * @param aNonce The nonce string to check against the policy
+   * @param aParserCreated If the script element was created by the HTML Parser
+   * @param aTriggeringElement The script element of the inline resource to
+   *        hash. It can be null.
+   * @param aContentOfPseudoScript The content of the psuedo-script to compare
+   *                               to hash (and compare to the hashes listed in
+   *                               the policy)
+   * @param aLineNumber The line number of the inline resource
+   *        (used for reporting)
+   * @param aColumnNumber The column number of the inline resource
+   *        (used for reporting)
+   * @return
+   *     Whether or not the effects of the inline style should be allowed
+   *     (block the rules if false).
+   */
+  boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective,
+                          in bool aHasUnsafeHash,
+                          in AString aNonce,
+                          in boolean aParserCreated,
+                          in Element aTriggeringElement,
+                          in nsICSPEventListener aCSPEventListener,
+                          in AString aContentOfPseudoScript,
+                          in unsigned long aLineNumber,
+                          in unsigned long aColumnNumber);
+
+  /*
+   * Whether this policy allows a navigation subject to the navigate-to
+   * policy.
+   * @param aURI The target URI
+   * @param aIsFormSubmission True if the navigation was initiated by a form submission. This
+   *        is important since the form-action directive overrides navigate-to in that case.
+   * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity.
+   * @param aEnforceAllowlist True if the allowlist of allowed targets must be enforced. If
+   *        this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is
+   *        used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced
+   * @return
+   *     Whether or not the effects of the navigation is allowed
+   */
+  boolean getAllowsNavigateTo(in nsIURI aURI,
+                              in boolean aIsFormSubmission,
+                              in boolean aWasRedirected,
+                              in boolean aEnforceAllowlist);
+
+  /**
+   * Whether this policy allows eval and eval-like functions
+   * such as setTimeout("code string", time).
+   * @param shouldReportViolations
+   *     Whether or not the use of eval should be reported.
+   *     This function returns "true" when violating report-only policies, but
+   *     when any policy (report-only or otherwise) is violated,
+   *     shouldReportViolations is true as well.
+   * @return
+   *     Whether or not the effects of the eval call should be allowed
+   *     (block the call if false).
+   */
+  boolean getAllowsEval(out boolean shouldReportViolations);
+
+  /**
+   * Whether this policy allows the evaluation (and compilation) of
+   * WASM code from functions like `WebAssembly.compile`.
+  * @param shouldReportViolations
+   *     Whether or not the use of WASM evaluation should be reported.
+   *     This function returns "true" when violating report-only policies, but
+   *     when any policy (report-only or otherwise) is violated,
+   *     shouldReportViolations is true as well.
+   * @return
+   *     Whether or not the effects of the WASM evaluation should be allowed
+   *     (block the call if false).
+   */
+  boolean getAllowsWasmEval(out boolean shouldReportViolations);
+
+  /**
+   * Delegate method called by the service when the protected document is loaded.
+   * Returns the union of all the sandbox flags contained in CSP policies. This is the most
+   * restrictive interpretation of flags set in multiple policies.
+   * See nsSandboxFlags.h for the possible flags.
+   *
+   * @return
+   *    sandbox flags or SANDBOXED_NONE if no sandbox directive exists
+   */
+  uint32_t getCSPSandboxFlags();
+
+  /**
+   * For each violated policy (of type violationType), log policy violation on
+   * the Error Console and send a report to report-uris present in the violated
+   * policies.
+   *
+   * @param violationType
+   *     one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
+   * @param triggeringElement
+   *     the element that triggers this CSP violation. It can be null.
+   * @param sourceFile
+   *     name of the source file containing the violation (if available)
+   * @param contentSample
+   *     sample of the violating content (to aid debugging)
+   * @param lineNum
+   *     source line number of the violation (if available)
+   * @param columnNum
+   *     source column number of the violation (if available)
+   * @param aNonce
+   *     (optional) If this is a nonce violation, include the nonce so we can
+   *     recheck to determine which policies were violated and send the
+   *     appropriate reports.
+   * @param aContent
+   *     (optional) If this is a hash violation, include contents of the inline
+   *     resource in the question so we can recheck the hash in order to
+   *     determine which policies were violated and send the appropriate
+   *     reports.
+   */
+  void logViolationDetails(in unsigned short violationType,
+                           in Element triggeringElement,
+                           in nsICSPEventListener aCSPEventListener,
+                           in AString sourceFile,
+                           in AString scriptSample,
+                           in int32_t lineNum,
+                           in int32_t columnNum,
+                           [optional] in AString nonce,
+                           [optional] in AString content);
+
+  const unsigned short VIOLATION_TYPE_EVAL                   = 1;
+  const unsigned short VIOLATION_TYPE_WASM_EVAL              = 2;
+
+  /**
+   * Called after the CSP object is created to fill in appropriate request
+   * context. Either use
+   *  * aDocument (preferred), or if no document is available, then provide
+   *  * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly.
+   */
+  [must_use] void setRequestContextWithDocument(in Document aDocument);
+  [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal,
+                                                 in nsIURI aSelfURI,
+                                                 in AString aReferrer,
+                                                 in unsigned long long aInnerWindowId);
+
+  /**
+   * Get the various arguments needed to create a new request context for a CSP.
+   */
+  [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal;
+  [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI;
+  [noscript] readonly attribute AString referrer;
+  [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID;
+
+  /**
+   * Warning: Do not set that attribute unless you know exactly what you are doing!
+   *
+   * Primarily used to allow Devtools to edit inline styles!
+   */
+  [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck;
+
+  /**
+   *  Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable
+   */
+  [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget);
+
+
+  /**
+   * Verifies ancestry as permitted by the policy.
+   *
+   * NOTE: Calls to this may trigger violation reports when queried, so this
+   * value should not be cached.
+   *
+   * @param aLoadInfo
+   *    The loadinfo of the channel containing the protected resource
+   * @return
+   *    true if the frame's ancestors are all allowed by policy (except for
+   *    report-only policies, which will send reports and then return true
+   *    here when violated).
+   */
+  boolean permitsAncestry(in nsILoadInfo aLoadInfo);
+
+
+  /**
+   * Checks if a specific directive permits loading of a URI.
+   *
+   * @param aTriggeringElement
+   *    The element that triggers this CSP check. It can be null.
+   * @param aURI
+   *    The URI about to be loaded or used.
+   * @param aDir
+   *    The CSPDirective to query (see above constants *_DIRECTIVE).
+   * @param aSpecific
+   *    If "true" and the directive is specified to fall back to "default-src"
+   *    when it's not explicitly provided, directivePermits will NOT try
+   *    default-src when the specific directive is not used.  Setting this to
+   *    "false" allows CSP to fall back to default-src.  This function
+   *    behaves the same for both values of canUseDefault when querying
+   *    directives that don't fall-back.
+   * @param aSendViolationReports
+   *    If `true` and the uri is not allowed then trigger violation reports.
+   *    This should be `false` for caching or preloads.
+   * @return
+   *    Whether or not the provided URI is allowed by CSP under the given
+   *    directive. (block the pending operation if false).
+   */
+  boolean permits(in Element aTriggeringElement,
+                  in nsICSPEventListener aCSPEventListener,
+                  in nsIURI aURI,
+                  in nsIContentSecurityPolicy_CSPDirective aDir,
+                  in boolean aSpecific,
+                  in boolean aSendViolationReports);
+
+  /**
+   * Delegate method called by the service when sub-elements of the protected
+   * document are being loaded.  Given a bit of information about the request,
+   * decides whether or not the policy is satisfied.
+   *
+   * Calls to this may trigger violation reports when queried, so
+   * this value should not be cached.
+   *
+   * aOriginalURIIfRedirect must be passed only if this loading is the result
+   * of a redirect. In this case, aOriginalURIIfRedirect must be the original
+   * URL.
+   */
+  short shouldLoad(in nsContentPolicyType aContentType,
+                   in nsICSPEventListener aCSPEventListener,
+                   in nsIURI          aContentLocation,
+                   in nsIURI          aOriginalURIIfRedirect,
+                   in bool            aSendViolationReports,
+                   in AString         aNonce,
+                   in boolean         aParserCreated);
+
+%{ C++
+// nsIObserver topic to fire when the policy encounters a violation.
+#define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
+%}
+
+  /**
+   * Returns the CSP in JSON notation.
+   */
+  AString toJSON();
+
+};
+
+typedef nsIContentSecurityPolicy_CSPDirective CSPDirective;
+
+/* Listener for security policy violation event */
+[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)]
+interface nsICSPEventListener : nsISupports
+{
+  // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary.
+  void onCSPViolationEvent(in AString aJSON);
+};
diff --git a/dom/interfaces/security/nsIReferrerInfo.idl b/dom/interfaces/security/nsIReferrerInfo.idl
new file mode 100644
index 0000000000..07e2f603bc
--- /dev/null
+++ b/dom/interfaces/security/nsIReferrerInfo.idl
@@ -0,0 +1,150 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsISerializable.idl"
+
+%{C++
+namespace mozilla::dom {
+enum class ReferrerPolicy : uint8_t;
+}
+%}
+
+interface nsIURI;
+webidl Document;
+webidl Element;
+
+native ReferrerPolicy(mozilla::dom::ReferrerPolicy);
+native URIRef(already_AddRefed<nsIURI>);
+
+[scriptable, builtinclass, uuid(081cdc36-f2e2-4f94-87bf-78578f06f1eb)]
+interface nsIReferrerInfo : nsISerializable
+{
+  /**
+   * Unfortunately we can not query the ReferrerPolicy values defined within
+   * ReferrerPolicy.webidl directly from xpidl. Hence we define the enum value
+   * ReferrerPolicyIDL to set up the ReferrerInfo object from JS. If you need
+   * ReferrerPolicy in native code, please directly query it from
+   * ReferrerPolicy.webidl.
+   *
+   * Note that the deserialization code assumes that the ReferrerPolicyIDL only
+   * uses one byte. If we would need to change the format here, we should also
+   * update the deserialization code.
+   */
+  cenum ReferrerPolicyIDL : 8 {
+  /**
+   * The undefined state, or no referrer policy, usually causing a fallback to a
+   * referrer policy definded in higher level policy. For example: request by
+   * clicking <a> element with empty referrer policy will be sent with the
+   * referrer policy of the a element’s node document.
+   * If there is no higher-level policy available, we fall back to the default
+   * value, which usually is "no-referrer-when-downgrade".
+   */
+  EMPTY = 0,
+  /**
+   * Do not send referrer from https->http
+   */
+  NO_REFERRER_WHEN_DOWNGRADE = 1,
+  /**
+   * Do not send referrer at all.
+   */
+  NO_REFERRER = 2,
+  /**
+   * Only send the origin of the referring URL
+   */
+  ORIGIN = 3,
+  /**
+   * Send origin when cross-origin.
+   */
+  ORIGIN_WHEN_CROSS_ORIGIN = 4,
+  /**
+   * Always sends the referrer, even on downgrade.
+   */
+  UNSAFE_URL = 5,
+  /**
+   * Send referrer when same-origin, no referrer when cross-origin
+   */
+  SAME_ORIGIN = 6,
+  /**
+   * Send origin when request from https->https or http->http(s). No referrer
+   * when request from https->http.
+   */
+  STRICT_ORIGIN = 7,
+  /**
+   * Send referrer when same-origin, send origin when cross-origin from
+   * https->https or http->http(s). No referrer when request from https->http.
+   */
+  STRICT_ORIGIN_WHEN_CROSS_ORIGIN = 8,
+  };
+
+  /**
+   * The original referrer URI which indicates the full referrer before applying
+   * referrer policy
+   */
+  [infallible] readonly attribute nsIURI originalReferrer;
+
+  /**
+   * Referrer policy which is applied to the referrer
+   */
+  [implicit_jscontext] readonly attribute nsIReferrerInfo_ReferrerPolicyIDL referrerPolicy;
+
+  /**
+   * C++ friendly version of referrerPolicy getter
+   */
+  [noscript, notxpcom, nostdcall, binaryname(ReferrerPolicy)]
+  ReferrerPolicy binaryReferrerPolicy();
+
+  /**
+   * Get referrer policy as string
+   */
+  ACString getReferrerPolicyString();
+
+  /**
+   * Indicates if the referrer should not be sent or not even when it's available.
+   */
+  [infallible] readonly attribute boolean sendReferrer;
+
+  /**
+  * Indicates if the referrer should not be sent or not even when it's available.
+  */
+  readonly attribute AString computedReferrerSpec;
+
+  /**
+   * Get the computed referrer, if one has been set. The computed referrer is
+   * the original referrer manipulated by the referrer-policy. Use the result of
+   * this function as the actual referrer value for the channel.
+   */
+  [must_use, noscript, nostdcall, notxpcom]
+  URIRef GetComputedReferrer();
+
+  /**
+   * Returns whether the other referrerInfo is equivalent to this referrerInfo.
+   */
+  boolean equals(in nsIReferrerInfo other);
+
+  /**
+   * Initialize method to create ReferrerInfo object from JS
+   * @param aReferrerPolicy referrer policy of the created object
+   * @param aSendReferrer sendReferrer of the created object, defaults to false
+   * @param aOriginalReferrer the original referrer, defaults to null.
+   */
+  void init(in nsIReferrerInfo_ReferrerPolicyIDL aReferrerPolicy,
+           [optional] in boolean aSendReferrer,
+           [optional] in nsIURI aOriginalReferrer);
+
+  /**
+   * Initialize with a given document.
+   * @param aDocument the document to init referrerInfo object
+   */
+  void initWithDocument([const] in Document aDocument);
+
+  /**
+   * Initialize with a given node. It you are working with node which supports
+   * referrerpolicy attribute: <a>, <img>, <area>, <script>, <iframe>, please
+   * try to use this init instead of initWithDocument, because referrer policy
+   * from rel and attribute has a higher priority.
+   * @param aNode the element to init referrerInfo object
+   */
+  void initWithElement([const] in Element aNode);
+};