diff options
Diffstat (limited to 'dom/interfaces/security/nsIContentSecurityPolicy.idl')
-rw-r--r-- | dom/interfaces/security/nsIContentSecurityPolicy.idl | 373 |
1 files changed, 373 insertions, 0 deletions
diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl new file mode 100644 index 0000000000..bf691ed215 --- /dev/null +++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl @@ -0,0 +1,373 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISerializable.idl" +#include "nsIContentPolicy.idl" + +interface nsIURI; +interface nsIEventTarget; +interface nsILoadInfo; +interface nsIPrincipal; +interface nsICSPEventListener; + +webidl Element; +webidl Document; + +/** + * nsIContentSecurityPolicy + * Describes an XPCOM component used to model and enforce CSPs. Instances of + * this class may have multiple policies within them, but there should only be + * one of these per document/principal. + */ + +%{C++ +class nsCSPPolicy; +%} + +[ptr] native CSPPolicyPtr(const nsCSPPolicy); + +[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)] +interface nsIContentSecurityPolicy : nsISerializable +{ + /** + * Directives supported by Content Security Policy. These are enums for + * the CSPDirective type. + * The NO_DIRECTIVE entry is used for checking default permissions and + * returning failure when asking CSP which directive to check. + * + * NOTE: When implementing a new directive, you will need to add it here but also + * add it to the CSPStrDirectives array in nsCSPUtils.h. + */ + cenum CSPDirective : 8 { + NO_DIRECTIVE = 0, + DEFAULT_SRC_DIRECTIVE = 1, + SCRIPT_SRC_DIRECTIVE = 2, + OBJECT_SRC_DIRECTIVE = 3, + STYLE_SRC_DIRECTIVE = 4, + IMG_SRC_DIRECTIVE = 5, + MEDIA_SRC_DIRECTIVE = 6, + FRAME_SRC_DIRECTIVE = 7, + FONT_SRC_DIRECTIVE = 8, + CONNECT_SRC_DIRECTIVE = 9, + REPORT_URI_DIRECTIVE = 10, + FRAME_ANCESTORS_DIRECTIVE = 11, + REFLECTED_XSS_DIRECTIVE = 12, + BASE_URI_DIRECTIVE = 13, + FORM_ACTION_DIRECTIVE = 14, + WEB_MANIFEST_SRC_DIRECTIVE = 15, + UPGRADE_IF_INSECURE_DIRECTIVE = 16, + CHILD_SRC_DIRECTIVE = 17, + BLOCK_ALL_MIXED_CONTENT = 18, + SANDBOX_DIRECTIVE = 19, + WORKER_SRC_DIRECTIVE = 20, + NAVIGATE_TO_DIRECTIVE = 21, + SCRIPT_SRC_ELEM_DIRECTIVE = 22, + SCRIPT_SRC_ATTR_DIRECTIVE = 23, + STYLE_SRC_ELEM_DIRECTIVE = 24, + STYLE_SRC_ATTR_DIRECTIVE = 25, + }; + + /** + * Accessor method for a read-only string version of the policy at a given + * index. + */ + [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index); + + /** + * Accessor method for a read-only pointer the policy object at a given + * index. Returns a null pointer if the index is larger than the current + * policy count. + */ + [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index); + + /** + * Returns the number of policies attached to this CSP instance. Useful with + * getPolicy(). + */ + readonly attribute unsigned long policyCount; + + /** + * Returns whether this policy uses the directive upgrade-insecure-requests. + * Please note that upgrade-insecure-reqeusts also applies if the parent or + * including document (context) makes use of the directive. + */ + readonly attribute bool upgradeInsecureRequests; + + /** + * Returns whether this policy uses the directive block-all-mixed-content. + * Please note that block-all-mixed-content takes presedence in case the + * directive upgrade-insecure-requests is defined in the same policy and + * will therefore block all mixed content without even trying to perform + * an upgrade. + */ + readonly attribute bool blockAllMixedContent; + + /** + * Returns whether this policy enforces the frame-ancestors directive. + */ + readonly attribute bool enforcesFrameAncestors; + + /** + * Parse and install a CSP policy. + * @param aPolicy + * String representation of the policy + * (e.g., header value, meta content) + * @param reportOnly + * Should this policy affect content, script and style processing or + * just send reports if it is violated? + * @param deliveredViaMetaTag + * Indicates whether the policy was delivered via the meta tag. + */ + void appendPolicy(in AString policyString, + in boolean reportOnly, + in boolean deliveredViaMetaTag); + + /* + * Whether this policy allows inline script or style. + * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or + * STYLE_SRC_(ELEM|ATTR)_DIRECTIVE. + * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is + * also specified. + * @param aNonce The nonce string to check against the policy + * @param aParserCreated If the script element was created by the HTML Parser + * @param aTriggeringElement The script element of the inline resource to + * hash. It can be null. + * @param aContentOfPseudoScript The content of the psuedo-script to compare + * to hash (and compare to the hashes listed in + * the policy) + * @param aLineNumber The line number of the inline resource + * (used for reporting) + * @param aColumnNumber The column number of the inline resource + * (used for reporting) + * @return + * Whether or not the effects of the inline style should be allowed + * (block the rules if false). + */ + boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective, + in bool aHasUnsafeHash, + in AString aNonce, + in boolean aParserCreated, + in Element aTriggeringElement, + in nsICSPEventListener aCSPEventListener, + in AString aContentOfPseudoScript, + in unsigned long aLineNumber, + in unsigned long aColumnNumber); + + /* + * Whether this policy allows a navigation subject to the navigate-to + * policy. + * @param aURI The target URI + * @param aIsFormSubmission True if the navigation was initiated by a form submission. This + * is important since the form-action directive overrides navigate-to in that case. + * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity. + * @param aEnforceAllowlist True if the allowlist of allowed targets must be enforced. If + * this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is + * used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced + * @return + * Whether or not the effects of the navigation is allowed + */ + boolean getAllowsNavigateTo(in nsIURI aURI, + in boolean aIsFormSubmission, + in boolean aWasRedirected, + in boolean aEnforceAllowlist); + + /** + * Whether this policy allows eval and eval-like functions + * such as setTimeout("code string", time). + * @param shouldReportViolations + * Whether or not the use of eval should be reported. + * This function returns "true" when violating report-only policies, but + * when any policy (report-only or otherwise) is violated, + * shouldReportViolations is true as well. + * @return + * Whether or not the effects of the eval call should be allowed + * (block the call if false). + */ + boolean getAllowsEval(out boolean shouldReportViolations); + + /** + * Whether this policy allows the evaluation (and compilation) of + * WASM code from functions like `WebAssembly.compile`. + * @param shouldReportViolations + * Whether or not the use of WASM evaluation should be reported. + * This function returns "true" when violating report-only policies, but + * when any policy (report-only or otherwise) is violated, + * shouldReportViolations is true as well. + * @return + * Whether or not the effects of the WASM evaluation should be allowed + * (block the call if false). + */ + boolean getAllowsWasmEval(out boolean shouldReportViolations); + + /** + * Delegate method called by the service when the protected document is loaded. + * Returns the union of all the sandbox flags contained in CSP policies. This is the most + * restrictive interpretation of flags set in multiple policies. + * See nsSandboxFlags.h for the possible flags. + * + * @return + * sandbox flags or SANDBOXED_NONE if no sandbox directive exists + */ + uint32_t getCSPSandboxFlags(); + + /** + * For each violated policy (of type violationType), log policy violation on + * the Error Console and send a report to report-uris present in the violated + * policies. + * + * @param violationType + * one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval + * @param triggeringElement + * the element that triggers this CSP violation. It can be null. + * @param sourceFile + * name of the source file containing the violation (if available) + * @param contentSample + * sample of the violating content (to aid debugging) + * @param lineNum + * source line number of the violation (if available) + * @param columnNum + * source column number of the violation (if available) + * @param aNonce + * (optional) If this is a nonce violation, include the nonce so we can + * recheck to determine which policies were violated and send the + * appropriate reports. + * @param aContent + * (optional) If this is a hash violation, include contents of the inline + * resource in the question so we can recheck the hash in order to + * determine which policies were violated and send the appropriate + * reports. + */ + void logViolationDetails(in unsigned short violationType, + in Element triggeringElement, + in nsICSPEventListener aCSPEventListener, + in AString sourceFile, + in AString scriptSample, + in int32_t lineNum, + in int32_t columnNum, + [optional] in AString nonce, + [optional] in AString content); + + const unsigned short VIOLATION_TYPE_EVAL = 1; + const unsigned short VIOLATION_TYPE_WASM_EVAL = 2; + + /** + * Called after the CSP object is created to fill in appropriate request + * context. Either use + * * aDocument (preferred), or if no document is available, then provide + * * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly. + */ + [must_use] void setRequestContextWithDocument(in Document aDocument); + [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal, + in nsIURI aSelfURI, + in AString aReferrer, + in unsigned long long aInnerWindowId); + + /** + * Get the various arguments needed to create a new request context for a CSP. + */ + [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal; + [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI; + [noscript] readonly attribute AString referrer; + [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID; + + /** + * Warning: Do not set that attribute unless you know exactly what you are doing! + * + * Primarily used to allow Devtools to edit inline styles! + */ + [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck; + + /** + * Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable + */ + [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget); + + + /** + * Verifies ancestry as permitted by the policy. + * + * NOTE: Calls to this may trigger violation reports when queried, so this + * value should not be cached. + * + * @param aLoadInfo + * The loadinfo of the channel containing the protected resource + * @return + * true if the frame's ancestors are all allowed by policy (except for + * report-only policies, which will send reports and then return true + * here when violated). + */ + boolean permitsAncestry(in nsILoadInfo aLoadInfo); + + + /** + * Checks if a specific directive permits loading of a URI. + * + * @param aTriggeringElement + * The element that triggers this CSP check. It can be null. + * @param aURI + * The URI about to be loaded or used. + * @param aDir + * The CSPDirective to query (see above constants *_DIRECTIVE). + * @param aSpecific + * If "true" and the directive is specified to fall back to "default-src" + * when it's not explicitly provided, directivePermits will NOT try + * default-src when the specific directive is not used. Setting this to + * "false" allows CSP to fall back to default-src. This function + * behaves the same for both values of canUseDefault when querying + * directives that don't fall-back. + * @param aSendViolationReports + * If `true` and the uri is not allowed then trigger violation reports. + * This should be `false` for caching or preloads. + * @return + * Whether or not the provided URI is allowed by CSP under the given + * directive. (block the pending operation if false). + */ + boolean permits(in Element aTriggeringElement, + in nsICSPEventListener aCSPEventListener, + in nsIURI aURI, + in nsIContentSecurityPolicy_CSPDirective aDir, + in boolean aSpecific, + in boolean aSendViolationReports); + + /** + * Delegate method called by the service when sub-elements of the protected + * document are being loaded. Given a bit of information about the request, + * decides whether or not the policy is satisfied. + * + * Calls to this may trigger violation reports when queried, so + * this value should not be cached. + * + * aOriginalURIIfRedirect must be passed only if this loading is the result + * of a redirect. In this case, aOriginalURIIfRedirect must be the original + * URL. + */ + short shouldLoad(in nsContentPolicyType aContentType, + in nsICSPEventListener aCSPEventListener, + in nsIURI aContentLocation, + in nsIURI aOriginalURIIfRedirect, + in bool aSendViolationReports, + in AString aNonce, + in boolean aParserCreated); + +%{ C++ +// nsIObserver topic to fire when the policy encounters a violation. +#define CSP_VIOLATION_TOPIC "csp-on-violate-policy" +%} + + /** + * Returns the CSP in JSON notation. + */ + AString toJSON(); + +}; + +typedef nsIContentSecurityPolicy_CSPDirective CSPDirective; + +/* Listener for security policy violation event */ +[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)] +interface nsICSPEventListener : nsISupports +{ + // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary. + void onCSPViolationEvent(in AString aJSON); +}; |