summaryrefslogtreecommitdiffstats
path: root/dom/interfaces/security
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--dom/interfaces/security/moz.build16
-rw-r--r--dom/interfaces/security/nsIContentSecurityManager.idl45
-rw-r--r--dom/interfaces/security/nsIContentSecurityPolicy.idl373
-rw-r--r--dom/interfaces/security/nsIReferrerInfo.idl150
4 files changed, 584 insertions, 0 deletions
diff --git a/dom/interfaces/security/moz.build b/dom/interfaces/security/moz.build
new file mode 100644
index 0000000000..e58715b360
--- /dev/null
+++ b/dom/interfaces/security/moz.build
@@ -0,0 +1,16 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+ BUG_COMPONENT = ("Core", "DOM: Security")
+
+XPIDL_SOURCES += [
+ "nsIContentSecurityManager.idl",
+ "nsIContentSecurityPolicy.idl",
+ "nsIReferrerInfo.idl",
+]
+
+XPIDL_MODULE = "dom_security"
diff --git a/dom/interfaces/security/nsIContentSecurityManager.idl b/dom/interfaces/security/nsIContentSecurityManager.idl
new file mode 100644
index 0000000000..5cd2feffad
--- /dev/null
+++ b/dom/interfaces/security/nsIContentSecurityManager.idl
@@ -0,0 +1,45 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIChannel;
+interface nsIPrincipal;
+interface nsIStreamListener;
+interface nsIURI;
+
+/**
+ * nsIContentSecurityManager
+ * Describes an XPCOM component used to perform security checks.
+ */
+
+[scriptable, uuid(3a9a1818-2ae8-4ec5-a340-8b29d31fca3b)]
+interface nsIContentSecurityManager : nsISupports
+{
+ /**
+ * Checks whether a channel is allowed to access the given URI and
+ * whether the channel should be openend or should be blocked consulting
+ * internal security checks like Same Origin Policy, Content Security
+ * Policy, Mixed Content Blocker, etc.
+ *
+ * If security checks within performSecurityCheck fail, the function
+ * throws an exception.
+ *
+ * @param aChannel
+ * The channel about to be openend
+ * @param aStreamListener
+ * The Streamlistener of the channel potentially wrapped
+ * into CORSListenerProxy.
+ * @return
+ * The StreamListener of the channel wrapped into CORSListenerProxy.
+ *
+ * @throws NS_ERROR_DOM_BAD_URI
+ * If accessing the URI is not allowed (e.g. prohibted by SOP)
+ * @throws NS_ERROR_CONTENT_BLOCKED
+ * If any of the security policies (CSP, Mixed content) is violated
+ */
+ nsIStreamListener performSecurityCheck(in nsIChannel aChannel,
+ in nsIStreamListener aStreamListener);
+
+};
diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl
new file mode 100644
index 0000000000..bf691ed215
--- /dev/null
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -0,0 +1,373 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISerializable.idl"
+#include "nsIContentPolicy.idl"
+
+interface nsIURI;
+interface nsIEventTarget;
+interface nsILoadInfo;
+interface nsIPrincipal;
+interface nsICSPEventListener;
+
+webidl Element;
+webidl Document;
+
+/**
+ * nsIContentSecurityPolicy
+ * Describes an XPCOM component used to model and enforce CSPs. Instances of
+ * this class may have multiple policies within them, but there should only be
+ * one of these per document/principal.
+ */
+
+%{C++
+class nsCSPPolicy;
+%}
+
+[ptr] native CSPPolicyPtr(const nsCSPPolicy);
+
+[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)]
+interface nsIContentSecurityPolicy : nsISerializable
+{
+ /**
+ * Directives supported by Content Security Policy. These are enums for
+ * the CSPDirective type.
+ * The NO_DIRECTIVE entry is used for checking default permissions and
+ * returning failure when asking CSP which directive to check.
+ *
+ * NOTE: When implementing a new directive, you will need to add it here but also
+ * add it to the CSPStrDirectives array in nsCSPUtils.h.
+ */
+ cenum CSPDirective : 8 {
+ NO_DIRECTIVE = 0,
+ DEFAULT_SRC_DIRECTIVE = 1,
+ SCRIPT_SRC_DIRECTIVE = 2,
+ OBJECT_SRC_DIRECTIVE = 3,
+ STYLE_SRC_DIRECTIVE = 4,
+ IMG_SRC_DIRECTIVE = 5,
+ MEDIA_SRC_DIRECTIVE = 6,
+ FRAME_SRC_DIRECTIVE = 7,
+ FONT_SRC_DIRECTIVE = 8,
+ CONNECT_SRC_DIRECTIVE = 9,
+ REPORT_URI_DIRECTIVE = 10,
+ FRAME_ANCESTORS_DIRECTIVE = 11,
+ REFLECTED_XSS_DIRECTIVE = 12,
+ BASE_URI_DIRECTIVE = 13,
+ FORM_ACTION_DIRECTIVE = 14,
+ WEB_MANIFEST_SRC_DIRECTIVE = 15,
+ UPGRADE_IF_INSECURE_DIRECTIVE = 16,
+ CHILD_SRC_DIRECTIVE = 17,
+ BLOCK_ALL_MIXED_CONTENT = 18,
+ SANDBOX_DIRECTIVE = 19,
+ WORKER_SRC_DIRECTIVE = 20,
+ NAVIGATE_TO_DIRECTIVE = 21,
+ SCRIPT_SRC_ELEM_DIRECTIVE = 22,
+ SCRIPT_SRC_ATTR_DIRECTIVE = 23,
+ STYLE_SRC_ELEM_DIRECTIVE = 24,
+ STYLE_SRC_ATTR_DIRECTIVE = 25,
+ };
+
+ /**
+ * Accessor method for a read-only string version of the policy at a given
+ * index.
+ */
+ [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);
+
+ /**
+ * Accessor method for a read-only pointer the policy object at a given
+ * index. Returns a null pointer if the index is larger than the current
+ * policy count.
+ */
+ [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);
+
+ /**
+ * Returns the number of policies attached to this CSP instance. Useful with
+ * getPolicy().
+ */
+ readonly attribute unsigned long policyCount;
+
+ /**
+ * Returns whether this policy uses the directive upgrade-insecure-requests.
+ * Please note that upgrade-insecure-reqeusts also applies if the parent or
+ * including document (context) makes use of the directive.
+ */
+ readonly attribute bool upgradeInsecureRequests;
+
+ /**
+ * Returns whether this policy uses the directive block-all-mixed-content.
+ * Please note that block-all-mixed-content takes presedence in case the
+ * directive upgrade-insecure-requests is defined in the same policy and
+ * will therefore block all mixed content without even trying to perform
+ * an upgrade.
+ */
+ readonly attribute bool blockAllMixedContent;
+
+ /**
+ * Returns whether this policy enforces the frame-ancestors directive.
+ */
+ readonly attribute bool enforcesFrameAncestors;
+
+ /**
+ * Parse and install a CSP policy.
+ * @param aPolicy
+ * String representation of the policy
+ * (e.g., header value, meta content)
+ * @param reportOnly
+ * Should this policy affect content, script and style processing or
+ * just send reports if it is violated?
+ * @param deliveredViaMetaTag
+ * Indicates whether the policy was delivered via the meta tag.
+ */
+ void appendPolicy(in AString policyString,
+ in boolean reportOnly,
+ in boolean deliveredViaMetaTag);
+
+ /*
+ * Whether this policy allows inline script or style.
+ * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or
+ * STYLE_SRC_(ELEM|ATTR)_DIRECTIVE.
+ * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is
+ * also specified.
+ * @param aNonce The nonce string to check against the policy
+ * @param aParserCreated If the script element was created by the HTML Parser
+ * @param aTriggeringElement The script element of the inline resource to
+ * hash. It can be null.
+ * @param aContentOfPseudoScript The content of the psuedo-script to compare
+ * to hash (and compare to the hashes listed in
+ * the policy)
+ * @param aLineNumber The line number of the inline resource
+ * (used for reporting)
+ * @param aColumnNumber The column number of the inline resource
+ * (used for reporting)
+ * @return
+ * Whether or not the effects of the inline style should be allowed
+ * (block the rules if false).
+ */
+ boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective,
+ in bool aHasUnsafeHash,
+ in AString aNonce,
+ in boolean aParserCreated,
+ in Element aTriggeringElement,
+ in nsICSPEventListener aCSPEventListener,
+ in AString aContentOfPseudoScript,
+ in unsigned long aLineNumber,
+ in unsigned long aColumnNumber);
+
+ /*
+ * Whether this policy allows a navigation subject to the navigate-to
+ * policy.
+ * @param aURI The target URI
+ * @param aIsFormSubmission True if the navigation was initiated by a form submission. This
+ * is important since the form-action directive overrides navigate-to in that case.
+ * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity.
+ * @param aEnforceAllowlist True if the allowlist of allowed targets must be enforced. If
+ * this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is
+ * used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced
+ * @return
+ * Whether or not the effects of the navigation is allowed
+ */
+ boolean getAllowsNavigateTo(in nsIURI aURI,
+ in boolean aIsFormSubmission,
+ in boolean aWasRedirected,
+ in boolean aEnforceAllowlist);
+
+ /**
+ * Whether this policy allows eval and eval-like functions
+ * such as setTimeout("code string", time).
+ * @param shouldReportViolations
+ * Whether or not the use of eval should be reported.
+ * This function returns "true" when violating report-only policies, but
+ * when any policy (report-only or otherwise) is violated,
+ * shouldReportViolations is true as well.
+ * @return
+ * Whether or not the effects of the eval call should be allowed
+ * (block the call if false).
+ */
+ boolean getAllowsEval(out boolean shouldReportViolations);
+
+ /**
+ * Whether this policy allows the evaluation (and compilation) of
+ * WASM code from functions like `WebAssembly.compile`.
+ * @param shouldReportViolations
+ * Whether or not the use of WASM evaluation should be reported.
+ * This function returns "true" when violating report-only policies, but
+ * when any policy (report-only or otherwise) is violated,
+ * shouldReportViolations is true as well.
+ * @return
+ * Whether or not the effects of the WASM evaluation should be allowed
+ * (block the call if false).
+ */
+ boolean getAllowsWasmEval(out boolean shouldReportViolations);
+
+ /**
+ * Delegate method called by the service when the protected document is loaded.
+ * Returns the union of all the sandbox flags contained in CSP policies. This is the most
+ * restrictive interpretation of flags set in multiple policies.
+ * See nsSandboxFlags.h for the possible flags.
+ *
+ * @return
+ * sandbox flags or SANDBOXED_NONE if no sandbox directive exists
+ */
+ uint32_t getCSPSandboxFlags();
+
+ /**
+ * For each violated policy (of type violationType), log policy violation on
+ * the Error Console and send a report to report-uris present in the violated
+ * policies.
+ *
+ * @param violationType
+ * one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
+ * @param triggeringElement
+ * the element that triggers this CSP violation. It can be null.
+ * @param sourceFile
+ * name of the source file containing the violation (if available)
+ * @param contentSample
+ * sample of the violating content (to aid debugging)
+ * @param lineNum
+ * source line number of the violation (if available)
+ * @param columnNum
+ * source column number of the violation (if available)
+ * @param aNonce
+ * (optional) If this is a nonce violation, include the nonce so we can
+ * recheck to determine which policies were violated and send the
+ * appropriate reports.
+ * @param aContent
+ * (optional) If this is a hash violation, include contents of the inline
+ * resource in the question so we can recheck the hash in order to
+ * determine which policies were violated and send the appropriate
+ * reports.
+ */
+ void logViolationDetails(in unsigned short violationType,
+ in Element triggeringElement,
+ in nsICSPEventListener aCSPEventListener,
+ in AString sourceFile,
+ in AString scriptSample,
+ in int32_t lineNum,
+ in int32_t columnNum,
+ [optional] in AString nonce,
+ [optional] in AString content);
+
+ const unsigned short VIOLATION_TYPE_EVAL = 1;
+ const unsigned short VIOLATION_TYPE_WASM_EVAL = 2;
+
+ /**
+ * Called after the CSP object is created to fill in appropriate request
+ * context. Either use
+ * * aDocument (preferred), or if no document is available, then provide
+ * * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly.
+ */
+ [must_use] void setRequestContextWithDocument(in Document aDocument);
+ [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal,
+ in nsIURI aSelfURI,
+ in AString aReferrer,
+ in unsigned long long aInnerWindowId);
+
+ /**
+ * Get the various arguments needed to create a new request context for a CSP.
+ */
+ [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal;
+ [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI;
+ [noscript] readonly attribute AString referrer;
+ [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID;
+
+ /**
+ * Warning: Do not set that attribute unless you know exactly what you are doing!
+ *
+ * Primarily used to allow Devtools to edit inline styles!
+ */
+ [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck;
+
+ /**
+ * Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable
+ */
+ [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget);
+
+
+ /**
+ * Verifies ancestry as permitted by the policy.
+ *
+ * NOTE: Calls to this may trigger violation reports when queried, so this
+ * value should not be cached.
+ *
+ * @param aLoadInfo
+ * The loadinfo of the channel containing the protected resource
+ * @return
+ * true if the frame's ancestors are all allowed by policy (except for
+ * report-only policies, which will send reports and then return true
+ * here when violated).
+ */
+ boolean permitsAncestry(in nsILoadInfo aLoadInfo);
+
+
+ /**
+ * Checks if a specific directive permits loading of a URI.
+ *
+ * @param aTriggeringElement
+ * The element that triggers this CSP check. It can be null.
+ * @param aURI
+ * The URI about to be loaded or used.
+ * @param aDir
+ * The CSPDirective to query (see above constants *_DIRECTIVE).
+ * @param aSpecific
+ * If "true" and the directive is specified to fall back to "default-src"
+ * when it's not explicitly provided, directivePermits will NOT try
+ * default-src when the specific directive is not used. Setting this to
+ * "false" allows CSP to fall back to default-src. This function
+ * behaves the same for both values of canUseDefault when querying
+ * directives that don't fall-back.
+ * @param aSendViolationReports
+ * If `true` and the uri is not allowed then trigger violation reports.
+ * This should be `false` for caching or preloads.
+ * @return
+ * Whether or not the provided URI is allowed by CSP under the given
+ * directive. (block the pending operation if false).
+ */
+ boolean permits(in Element aTriggeringElement,
+ in nsICSPEventListener aCSPEventListener,
+ in nsIURI aURI,
+ in nsIContentSecurityPolicy_CSPDirective aDir,
+ in boolean aSpecific,
+ in boolean aSendViolationReports);
+
+ /**
+ * Delegate method called by the service when sub-elements of the protected
+ * document are being loaded. Given a bit of information about the request,
+ * decides whether or not the policy is satisfied.
+ *
+ * Calls to this may trigger violation reports when queried, so
+ * this value should not be cached.
+ *
+ * aOriginalURIIfRedirect must be passed only if this loading is the result
+ * of a redirect. In this case, aOriginalURIIfRedirect must be the original
+ * URL.
+ */
+ short shouldLoad(in nsContentPolicyType aContentType,
+ in nsICSPEventListener aCSPEventListener,
+ in nsIURI aContentLocation,
+ in nsIURI aOriginalURIIfRedirect,
+ in bool aSendViolationReports,
+ in AString aNonce,
+ in boolean aParserCreated);
+
+%{ C++
+// nsIObserver topic to fire when the policy encounters a violation.
+#define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
+%}
+
+ /**
+ * Returns the CSP in JSON notation.
+ */
+ AString toJSON();
+
+};
+
+typedef nsIContentSecurityPolicy_CSPDirective CSPDirective;
+
+/* Listener for security policy violation event */
+[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)]
+interface nsICSPEventListener : nsISupports
+{
+ // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary.
+ void onCSPViolationEvent(in AString aJSON);
+};
diff --git a/dom/interfaces/security/nsIReferrerInfo.idl b/dom/interfaces/security/nsIReferrerInfo.idl
new file mode 100644
index 0000000000..07e2f603bc
--- /dev/null
+++ b/dom/interfaces/security/nsIReferrerInfo.idl
@@ -0,0 +1,150 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+#include "nsISerializable.idl"
+
+%{C++
+namespace mozilla::dom {
+enum class ReferrerPolicy : uint8_t;
+}
+%}
+
+interface nsIURI;
+webidl Document;
+webidl Element;
+
+native ReferrerPolicy(mozilla::dom::ReferrerPolicy);
+native URIRef(already_AddRefed<nsIURI>);
+
+[scriptable, builtinclass, uuid(081cdc36-f2e2-4f94-87bf-78578f06f1eb)]
+interface nsIReferrerInfo : nsISerializable
+{
+ /**
+ * Unfortunately we can not query the ReferrerPolicy values defined within
+ * ReferrerPolicy.webidl directly from xpidl. Hence we define the enum value
+ * ReferrerPolicyIDL to set up the ReferrerInfo object from JS. If you need
+ * ReferrerPolicy in native code, please directly query it from
+ * ReferrerPolicy.webidl.
+ *
+ * Note that the deserialization code assumes that the ReferrerPolicyIDL only
+ * uses one byte. If we would need to change the format here, we should also
+ * update the deserialization code.
+ */
+ cenum ReferrerPolicyIDL : 8 {
+ /**
+ * The undefined state, or no referrer policy, usually causing a fallback to a
+ * referrer policy definded in higher level policy. For example: request by
+ * clicking <a> element with empty referrer policy will be sent with the
+ * referrer policy of the a element’s node document.
+ * If there is no higher-level policy available, we fall back to the default
+ * value, which usually is "no-referrer-when-downgrade".
+ */
+ EMPTY = 0,
+ /**
+ * Do not send referrer from https->http
+ */
+ NO_REFERRER_WHEN_DOWNGRADE = 1,
+ /**
+ * Do not send referrer at all.
+ */
+ NO_REFERRER = 2,
+ /**
+ * Only send the origin of the referring URL
+ */
+ ORIGIN = 3,
+ /**
+ * Send origin when cross-origin.
+ */
+ ORIGIN_WHEN_CROSS_ORIGIN = 4,
+ /**
+ * Always sends the referrer, even on downgrade.
+ */
+ UNSAFE_URL = 5,
+ /**
+ * Send referrer when same-origin, no referrer when cross-origin
+ */
+ SAME_ORIGIN = 6,
+ /**
+ * Send origin when request from https->https or http->http(s). No referrer
+ * when request from https->http.
+ */
+ STRICT_ORIGIN = 7,
+ /**
+ * Send referrer when same-origin, send origin when cross-origin from
+ * https->https or http->http(s). No referrer when request from https->http.
+ */
+ STRICT_ORIGIN_WHEN_CROSS_ORIGIN = 8,
+ };
+
+ /**
+ * The original referrer URI which indicates the full referrer before applying
+ * referrer policy
+ */
+ [infallible] readonly attribute nsIURI originalReferrer;
+
+ /**
+ * Referrer policy which is applied to the referrer
+ */
+ [implicit_jscontext] readonly attribute nsIReferrerInfo_ReferrerPolicyIDL referrerPolicy;
+
+ /**
+ * C++ friendly version of referrerPolicy getter
+ */
+ [noscript, notxpcom, nostdcall, binaryname(ReferrerPolicy)]
+ ReferrerPolicy binaryReferrerPolicy();
+
+ /**
+ * Get referrer policy as string
+ */
+ ACString getReferrerPolicyString();
+
+ /**
+ * Indicates if the referrer should not be sent or not even when it's available.
+ */
+ [infallible] readonly attribute boolean sendReferrer;
+
+ /**
+ * Indicates if the referrer should not be sent or not even when it's available.
+ */
+ readonly attribute AString computedReferrerSpec;
+
+ /**
+ * Get the computed referrer, if one has been set. The computed referrer is
+ * the original referrer manipulated by the referrer-policy. Use the result of
+ * this function as the actual referrer value for the channel.
+ */
+ [must_use, noscript, nostdcall, notxpcom]
+ URIRef GetComputedReferrer();
+
+ /**
+ * Returns whether the other referrerInfo is equivalent to this referrerInfo.
+ */
+ boolean equals(in nsIReferrerInfo other);
+
+ /**
+ * Initialize method to create ReferrerInfo object from JS
+ * @param aReferrerPolicy referrer policy of the created object
+ * @param aSendReferrer sendReferrer of the created object, defaults to false
+ * @param aOriginalReferrer the original referrer, defaults to null.
+ */
+ void init(in nsIReferrerInfo_ReferrerPolicyIDL aReferrerPolicy,
+ [optional] in boolean aSendReferrer,
+ [optional] in nsIURI aOriginalReferrer);
+
+ /**
+ * Initialize with a given document.
+ * @param aDocument the document to init referrerInfo object
+ */
+ void initWithDocument([const] in Document aDocument);
+
+ /**
+ * Initialize with a given node. It you are working with node which supports
+ * referrerpolicy attribute: <a>, <img>, <area>, <script>, <iframe>, please
+ * try to use this init instead of initWithDocument, because referrer policy
+ * from rel and attribute has a higher priority.
+ * @param aNode the element to init referrerInfo object
+ */
+ void initWithElement([const] in Element aNode);
+};