summaryrefslogtreecommitdiffstats
path: root/dom/interfaces/security/nsIContentSecurityPolicy.idl
diff options
context:
space:
mode:
Diffstat (limited to 'dom/interfaces/security/nsIContentSecurityPolicy.idl')
-rw-r--r--dom/interfaces/security/nsIContentSecurityPolicy.idl373
1 files changed, 373 insertions, 0 deletions
diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl
new file mode 100644
index 0000000000..bf691ed215
--- /dev/null
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -0,0 +1,373 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISerializable.idl"
+#include "nsIContentPolicy.idl"
+
+interface nsIURI;
+interface nsIEventTarget;
+interface nsILoadInfo;
+interface nsIPrincipal;
+interface nsICSPEventListener;
+
+webidl Element;
+webidl Document;
+
+/**
+ * nsIContentSecurityPolicy
+ * Describes an XPCOM component used to model and enforce CSPs. Instances of
+ * this class may have multiple policies within them, but there should only be
+ * one of these per document/principal.
+ */
+
+%{C++
+class nsCSPPolicy;
+%}
+
+[ptr] native CSPPolicyPtr(const nsCSPPolicy);
+
+[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)]
+interface nsIContentSecurityPolicy : nsISerializable
+{
+ /**
+ * Directives supported by Content Security Policy. These are enums for
+ * the CSPDirective type.
+ * The NO_DIRECTIVE entry is used for checking default permissions and
+ * returning failure when asking CSP which directive to check.
+ *
+ * NOTE: When implementing a new directive, you will need to add it here but also
+ * add it to the CSPStrDirectives array in nsCSPUtils.h.
+ */
+ cenum CSPDirective : 8 {
+ NO_DIRECTIVE = 0,
+ DEFAULT_SRC_DIRECTIVE = 1,
+ SCRIPT_SRC_DIRECTIVE = 2,
+ OBJECT_SRC_DIRECTIVE = 3,
+ STYLE_SRC_DIRECTIVE = 4,
+ IMG_SRC_DIRECTIVE = 5,
+ MEDIA_SRC_DIRECTIVE = 6,
+ FRAME_SRC_DIRECTIVE = 7,
+ FONT_SRC_DIRECTIVE = 8,
+ CONNECT_SRC_DIRECTIVE = 9,
+ REPORT_URI_DIRECTIVE = 10,
+ FRAME_ANCESTORS_DIRECTIVE = 11,
+ REFLECTED_XSS_DIRECTIVE = 12,
+ BASE_URI_DIRECTIVE = 13,
+ FORM_ACTION_DIRECTIVE = 14,
+ WEB_MANIFEST_SRC_DIRECTIVE = 15,
+ UPGRADE_IF_INSECURE_DIRECTIVE = 16,
+ CHILD_SRC_DIRECTIVE = 17,
+ BLOCK_ALL_MIXED_CONTENT = 18,
+ SANDBOX_DIRECTIVE = 19,
+ WORKER_SRC_DIRECTIVE = 20,
+ NAVIGATE_TO_DIRECTIVE = 21,
+ SCRIPT_SRC_ELEM_DIRECTIVE = 22,
+ SCRIPT_SRC_ATTR_DIRECTIVE = 23,
+ STYLE_SRC_ELEM_DIRECTIVE = 24,
+ STYLE_SRC_ATTR_DIRECTIVE = 25,
+ };
+
+ /**
+ * Accessor method for a read-only string version of the policy at a given
+ * index.
+ */
+ [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);
+
+ /**
+ * Accessor method for a read-only pointer the policy object at a given
+ * index. Returns a null pointer if the index is larger than the current
+ * policy count.
+ */
+ [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);
+
+ /**
+ * Returns the number of policies attached to this CSP instance. Useful with
+ * getPolicy().
+ */
+ readonly attribute unsigned long policyCount;
+
+ /**
+ * Returns whether this policy uses the directive upgrade-insecure-requests.
+ * Please note that upgrade-insecure-reqeusts also applies if the parent or
+ * including document (context) makes use of the directive.
+ */
+ readonly attribute bool upgradeInsecureRequests;
+
+ /**
+ * Returns whether this policy uses the directive block-all-mixed-content.
+ * Please note that block-all-mixed-content takes presedence in case the
+ * directive upgrade-insecure-requests is defined in the same policy and
+ * will therefore block all mixed content without even trying to perform
+ * an upgrade.
+ */
+ readonly attribute bool blockAllMixedContent;
+
+ /**
+ * Returns whether this policy enforces the frame-ancestors directive.
+ */
+ readonly attribute bool enforcesFrameAncestors;
+
+ /**
+ * Parse and install a CSP policy.
+ * @param aPolicy
+ * String representation of the policy
+ * (e.g., header value, meta content)
+ * @param reportOnly
+ * Should this policy affect content, script and style processing or
+ * just send reports if it is violated?
+ * @param deliveredViaMetaTag
+ * Indicates whether the policy was delivered via the meta tag.
+ */
+ void appendPolicy(in AString policyString,
+ in boolean reportOnly,
+ in boolean deliveredViaMetaTag);
+
+ /*
+ * Whether this policy allows inline script or style.
+ * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or
+ * STYLE_SRC_(ELEM|ATTR)_DIRECTIVE.
+ * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is
+ * also specified.
+ * @param aNonce The nonce string to check against the policy
+ * @param aParserCreated If the script element was created by the HTML Parser
+ * @param aTriggeringElement The script element of the inline resource to
+ * hash. It can be null.
+ * @param aContentOfPseudoScript The content of the psuedo-script to compare
+ * to hash (and compare to the hashes listed in
+ * the policy)
+ * @param aLineNumber The line number of the inline resource
+ * (used for reporting)
+ * @param aColumnNumber The column number of the inline resource
+ * (used for reporting)
+ * @return
+ * Whether or not the effects of the inline style should be allowed
+ * (block the rules if false).
+ */
+ boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective,
+ in bool aHasUnsafeHash,
+ in AString aNonce,
+ in boolean aParserCreated,
+ in Element aTriggeringElement,
+ in nsICSPEventListener aCSPEventListener,
+ in AString aContentOfPseudoScript,
+ in unsigned long aLineNumber,
+ in unsigned long aColumnNumber);
+
+ /*
+ * Whether this policy allows a navigation subject to the navigate-to
+ * policy.
+ * @param aURI The target URI
+ * @param aIsFormSubmission True if the navigation was initiated by a form submission. This
+ * is important since the form-action directive overrides navigate-to in that case.
+ * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity.
+ * @param aEnforceAllowlist True if the allowlist of allowed targets must be enforced. If
+ * this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is
+ * used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced
+ * @return
+ * Whether or not the effects of the navigation is allowed
+ */
+ boolean getAllowsNavigateTo(in nsIURI aURI,
+ in boolean aIsFormSubmission,
+ in boolean aWasRedirected,
+ in boolean aEnforceAllowlist);
+
+ /**
+ * Whether this policy allows eval and eval-like functions
+ * such as setTimeout("code string", time).
+ * @param shouldReportViolations
+ * Whether or not the use of eval should be reported.
+ * This function returns "true" when violating report-only policies, but
+ * when any policy (report-only or otherwise) is violated,
+ * shouldReportViolations is true as well.
+ * @return
+ * Whether or not the effects of the eval call should be allowed
+ * (block the call if false).
+ */
+ boolean getAllowsEval(out boolean shouldReportViolations);
+
+ /**
+ * Whether this policy allows the evaluation (and compilation) of
+ * WASM code from functions like `WebAssembly.compile`.
+ * @param shouldReportViolations
+ * Whether or not the use of WASM evaluation should be reported.
+ * This function returns "true" when violating report-only policies, but
+ * when any policy (report-only or otherwise) is violated,
+ * shouldReportViolations is true as well.
+ * @return
+ * Whether or not the effects of the WASM evaluation should be allowed
+ * (block the call if false).
+ */
+ boolean getAllowsWasmEval(out boolean shouldReportViolations);
+
+ /**
+ * Delegate method called by the service when the protected document is loaded.
+ * Returns the union of all the sandbox flags contained in CSP policies. This is the most
+ * restrictive interpretation of flags set in multiple policies.
+ * See nsSandboxFlags.h for the possible flags.
+ *
+ * @return
+ * sandbox flags or SANDBOXED_NONE if no sandbox directive exists
+ */
+ uint32_t getCSPSandboxFlags();
+
+ /**
+ * For each violated policy (of type violationType), log policy violation on
+ * the Error Console and send a report to report-uris present in the violated
+ * policies.
+ *
+ * @param violationType
+ * one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
+ * @param triggeringElement
+ * the element that triggers this CSP violation. It can be null.
+ * @param sourceFile
+ * name of the source file containing the violation (if available)
+ * @param contentSample
+ * sample of the violating content (to aid debugging)
+ * @param lineNum
+ * source line number of the violation (if available)
+ * @param columnNum
+ * source column number of the violation (if available)
+ * @param aNonce
+ * (optional) If this is a nonce violation, include the nonce so we can
+ * recheck to determine which policies were violated and send the
+ * appropriate reports.
+ * @param aContent
+ * (optional) If this is a hash violation, include contents of the inline
+ * resource in the question so we can recheck the hash in order to
+ * determine which policies were violated and send the appropriate
+ * reports.
+ */
+ void logViolationDetails(in unsigned short violationType,
+ in Element triggeringElement,
+ in nsICSPEventListener aCSPEventListener,
+ in AString sourceFile,
+ in AString scriptSample,
+ in int32_t lineNum,
+ in int32_t columnNum,
+ [optional] in AString nonce,
+ [optional] in AString content);
+
+ const unsigned short VIOLATION_TYPE_EVAL = 1;
+ const unsigned short VIOLATION_TYPE_WASM_EVAL = 2;
+
+ /**
+ * Called after the CSP object is created to fill in appropriate request
+ * context. Either use
+ * * aDocument (preferred), or if no document is available, then provide
+ * * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly.
+ */
+ [must_use] void setRequestContextWithDocument(in Document aDocument);
+ [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal,
+ in nsIURI aSelfURI,
+ in AString aReferrer,
+ in unsigned long long aInnerWindowId);
+
+ /**
+ * Get the various arguments needed to create a new request context for a CSP.
+ */
+ [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal;
+ [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI;
+ [noscript] readonly attribute AString referrer;
+ [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID;
+
+ /**
+ * Warning: Do not set that attribute unless you know exactly what you are doing!
+ *
+ * Primarily used to allow Devtools to edit inline styles!
+ */
+ [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck;
+
+ /**
+ * Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable
+ */
+ [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget);
+
+
+ /**
+ * Verifies ancestry as permitted by the policy.
+ *
+ * NOTE: Calls to this may trigger violation reports when queried, so this
+ * value should not be cached.
+ *
+ * @param aLoadInfo
+ * The loadinfo of the channel containing the protected resource
+ * @return
+ * true if the frame's ancestors are all allowed by policy (except for
+ * report-only policies, which will send reports and then return true
+ * here when violated).
+ */
+ boolean permitsAncestry(in nsILoadInfo aLoadInfo);
+
+
+ /**
+ * Checks if a specific directive permits loading of a URI.
+ *
+ * @param aTriggeringElement
+ * The element that triggers this CSP check. It can be null.
+ * @param aURI
+ * The URI about to be loaded or used.
+ * @param aDir
+ * The CSPDirective to query (see above constants *_DIRECTIVE).
+ * @param aSpecific
+ * If "true" and the directive is specified to fall back to "default-src"
+ * when it's not explicitly provided, directivePermits will NOT try
+ * default-src when the specific directive is not used. Setting this to
+ * "false" allows CSP to fall back to default-src. This function
+ * behaves the same for both values of canUseDefault when querying
+ * directives that don't fall-back.
+ * @param aSendViolationReports
+ * If `true` and the uri is not allowed then trigger violation reports.
+ * This should be `false` for caching or preloads.
+ * @return
+ * Whether or not the provided URI is allowed by CSP under the given
+ * directive. (block the pending operation if false).
+ */
+ boolean permits(in Element aTriggeringElement,
+ in nsICSPEventListener aCSPEventListener,
+ in nsIURI aURI,
+ in nsIContentSecurityPolicy_CSPDirective aDir,
+ in boolean aSpecific,
+ in boolean aSendViolationReports);
+
+ /**
+ * Delegate method called by the service when sub-elements of the protected
+ * document are being loaded. Given a bit of information about the request,
+ * decides whether or not the policy is satisfied.
+ *
+ * Calls to this may trigger violation reports when queried, so
+ * this value should not be cached.
+ *
+ * aOriginalURIIfRedirect must be passed only if this loading is the result
+ * of a redirect. In this case, aOriginalURIIfRedirect must be the original
+ * URL.
+ */
+ short shouldLoad(in nsContentPolicyType aContentType,
+ in nsICSPEventListener aCSPEventListener,
+ in nsIURI aContentLocation,
+ in nsIURI aOriginalURIIfRedirect,
+ in bool aSendViolationReports,
+ in AString aNonce,
+ in boolean aParserCreated);
+
+%{ C++
+// nsIObserver topic to fire when the policy encounters a violation.
+#define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
+%}
+
+ /**
+ * Returns the CSP in JSON notation.
+ */
+ AString toJSON();
+
+};
+
+typedef nsIContentSecurityPolicy_CSPDirective CSPDirective;
+
+/* Listener for security policy violation event */
+[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)]
+interface nsICSPEventListener : nsISupports
+{
+ // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary.
+ void onCSPViolationEvent(in AString aJSON);
+};