diff options
Diffstat (limited to '')
-rw-r--r-- | dom/interfaces/security/moz.build | 16 | ||||
-rw-r--r-- | dom/interfaces/security/nsIContentSecurityManager.idl | 45 | ||||
-rw-r--r-- | dom/interfaces/security/nsIContentSecurityPolicy.idl | 373 | ||||
-rw-r--r-- | dom/interfaces/security/nsIReferrerInfo.idl | 150 |
4 files changed, 584 insertions, 0 deletions
diff --git a/dom/interfaces/security/moz.build b/dom/interfaces/security/moz.build new file mode 100644 index 0000000000..e58715b360 --- /dev/null +++ b/dom/interfaces/security/moz.build @@ -0,0 +1,16 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +with Files("**"): + BUG_COMPONENT = ("Core", "DOM: Security") + +XPIDL_SOURCES += [ + "nsIContentSecurityManager.idl", + "nsIContentSecurityPolicy.idl", + "nsIReferrerInfo.idl", +] + +XPIDL_MODULE = "dom_security" diff --git a/dom/interfaces/security/nsIContentSecurityManager.idl b/dom/interfaces/security/nsIContentSecurityManager.idl new file mode 100644 index 0000000000..5cd2feffad --- /dev/null +++ b/dom/interfaces/security/nsIContentSecurityManager.idl @@ -0,0 +1,45 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIChannel; +interface nsIPrincipal; +interface nsIStreamListener; +interface nsIURI; + +/** + * nsIContentSecurityManager + * Describes an XPCOM component used to perform security checks. + */ + +[scriptable, uuid(3a9a1818-2ae8-4ec5-a340-8b29d31fca3b)] +interface nsIContentSecurityManager : nsISupports +{ + /** + * Checks whether a channel is allowed to access the given URI and + * whether the channel should be openend or should be blocked consulting + * internal security checks like Same Origin Policy, Content Security + * Policy, Mixed Content Blocker, etc. + * + * If security checks within performSecurityCheck fail, the function + * throws an exception. + * + * @param aChannel + * The channel about to be openend + * @param aStreamListener + * The Streamlistener of the channel potentially wrapped + * into CORSListenerProxy. + * @return + * The StreamListener of the channel wrapped into CORSListenerProxy. + * + * @throws NS_ERROR_DOM_BAD_URI + * If accessing the URI is not allowed (e.g. prohibted by SOP) + * @throws NS_ERROR_CONTENT_BLOCKED + * If any of the security policies (CSP, Mixed content) is violated + */ + nsIStreamListener performSecurityCheck(in nsIChannel aChannel, + in nsIStreamListener aStreamListener); + +}; diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl new file mode 100644 index 0000000000..bf691ed215 --- /dev/null +++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl @@ -0,0 +1,373 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISerializable.idl" +#include "nsIContentPolicy.idl" + +interface nsIURI; +interface nsIEventTarget; +interface nsILoadInfo; +interface nsIPrincipal; +interface nsICSPEventListener; + +webidl Element; +webidl Document; + +/** + * nsIContentSecurityPolicy + * Describes an XPCOM component used to model and enforce CSPs. Instances of + * this class may have multiple policies within them, but there should only be + * one of these per document/principal. + */ + +%{C++ +class nsCSPPolicy; +%} + +[ptr] native CSPPolicyPtr(const nsCSPPolicy); + +[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)] +interface nsIContentSecurityPolicy : nsISerializable +{ + /** + * Directives supported by Content Security Policy. These are enums for + * the CSPDirective type. + * The NO_DIRECTIVE entry is used for checking default permissions and + * returning failure when asking CSP which directive to check. + * + * NOTE: When implementing a new directive, you will need to add it here but also + * add it to the CSPStrDirectives array in nsCSPUtils.h. + */ + cenum CSPDirective : 8 { + NO_DIRECTIVE = 0, + DEFAULT_SRC_DIRECTIVE = 1, + SCRIPT_SRC_DIRECTIVE = 2, + OBJECT_SRC_DIRECTIVE = 3, + STYLE_SRC_DIRECTIVE = 4, + IMG_SRC_DIRECTIVE = 5, + MEDIA_SRC_DIRECTIVE = 6, + FRAME_SRC_DIRECTIVE = 7, + FONT_SRC_DIRECTIVE = 8, + CONNECT_SRC_DIRECTIVE = 9, + REPORT_URI_DIRECTIVE = 10, + FRAME_ANCESTORS_DIRECTIVE = 11, + REFLECTED_XSS_DIRECTIVE = 12, + BASE_URI_DIRECTIVE = 13, + FORM_ACTION_DIRECTIVE = 14, + WEB_MANIFEST_SRC_DIRECTIVE = 15, + UPGRADE_IF_INSECURE_DIRECTIVE = 16, + CHILD_SRC_DIRECTIVE = 17, + BLOCK_ALL_MIXED_CONTENT = 18, + SANDBOX_DIRECTIVE = 19, + WORKER_SRC_DIRECTIVE = 20, + NAVIGATE_TO_DIRECTIVE = 21, + SCRIPT_SRC_ELEM_DIRECTIVE = 22, + SCRIPT_SRC_ATTR_DIRECTIVE = 23, + STYLE_SRC_ELEM_DIRECTIVE = 24, + STYLE_SRC_ATTR_DIRECTIVE = 25, + }; + + /** + * Accessor method for a read-only string version of the policy at a given + * index. + */ + [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index); + + /** + * Accessor method for a read-only pointer the policy object at a given + * index. Returns a null pointer if the index is larger than the current + * policy count. + */ + [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index); + + /** + * Returns the number of policies attached to this CSP instance. Useful with + * getPolicy(). + */ + readonly attribute unsigned long policyCount; + + /** + * Returns whether this policy uses the directive upgrade-insecure-requests. + * Please note that upgrade-insecure-reqeusts also applies if the parent or + * including document (context) makes use of the directive. + */ + readonly attribute bool upgradeInsecureRequests; + + /** + * Returns whether this policy uses the directive block-all-mixed-content. + * Please note that block-all-mixed-content takes presedence in case the + * directive upgrade-insecure-requests is defined in the same policy and + * will therefore block all mixed content without even trying to perform + * an upgrade. + */ + readonly attribute bool blockAllMixedContent; + + /** + * Returns whether this policy enforces the frame-ancestors directive. + */ + readonly attribute bool enforcesFrameAncestors; + + /** + * Parse and install a CSP policy. + * @param aPolicy + * String representation of the policy + * (e.g., header value, meta content) + * @param reportOnly + * Should this policy affect content, script and style processing or + * just send reports if it is violated? + * @param deliveredViaMetaTag + * Indicates whether the policy was delivered via the meta tag. + */ + void appendPolicy(in AString policyString, + in boolean reportOnly, + in boolean deliveredViaMetaTag); + + /* + * Whether this policy allows inline script or style. + * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or + * STYLE_SRC_(ELEM|ATTR)_DIRECTIVE. + * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is + * also specified. + * @param aNonce The nonce string to check against the policy + * @param aParserCreated If the script element was created by the HTML Parser + * @param aTriggeringElement The script element of the inline resource to + * hash. It can be null. + * @param aContentOfPseudoScript The content of the psuedo-script to compare + * to hash (and compare to the hashes listed in + * the policy) + * @param aLineNumber The line number of the inline resource + * (used for reporting) + * @param aColumnNumber The column number of the inline resource + * (used for reporting) + * @return + * Whether or not the effects of the inline style should be allowed + * (block the rules if false). + */ + boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective, + in bool aHasUnsafeHash, + in AString aNonce, + in boolean aParserCreated, + in Element aTriggeringElement, + in nsICSPEventListener aCSPEventListener, + in AString aContentOfPseudoScript, + in unsigned long aLineNumber, + in unsigned long aColumnNumber); + + /* + * Whether this policy allows a navigation subject to the navigate-to + * policy. + * @param aURI The target URI + * @param aIsFormSubmission True if the navigation was initiated by a form submission. This + * is important since the form-action directive overrides navigate-to in that case. + * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity. + * @param aEnforceAllowlist True if the allowlist of allowed targets must be enforced. If + * this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is + * used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced + * @return + * Whether or not the effects of the navigation is allowed + */ + boolean getAllowsNavigateTo(in nsIURI aURI, + in boolean aIsFormSubmission, + in boolean aWasRedirected, + in boolean aEnforceAllowlist); + + /** + * Whether this policy allows eval and eval-like functions + * such as setTimeout("code string", time). + * @param shouldReportViolations + * Whether or not the use of eval should be reported. + * This function returns "true" when violating report-only policies, but + * when any policy (report-only or otherwise) is violated, + * shouldReportViolations is true as well. + * @return + * Whether or not the effects of the eval call should be allowed + * (block the call if false). + */ + boolean getAllowsEval(out boolean shouldReportViolations); + + /** + * Whether this policy allows the evaluation (and compilation) of + * WASM code from functions like `WebAssembly.compile`. + * @param shouldReportViolations + * Whether or not the use of WASM evaluation should be reported. + * This function returns "true" when violating report-only policies, but + * when any policy (report-only or otherwise) is violated, + * shouldReportViolations is true as well. + * @return + * Whether or not the effects of the WASM evaluation should be allowed + * (block the call if false). + */ + boolean getAllowsWasmEval(out boolean shouldReportViolations); + + /** + * Delegate method called by the service when the protected document is loaded. + * Returns the union of all the sandbox flags contained in CSP policies. This is the most + * restrictive interpretation of flags set in multiple policies. + * See nsSandboxFlags.h for the possible flags. + * + * @return + * sandbox flags or SANDBOXED_NONE if no sandbox directive exists + */ + uint32_t getCSPSandboxFlags(); + + /** + * For each violated policy (of type violationType), log policy violation on + * the Error Console and send a report to report-uris present in the violated + * policies. + * + * @param violationType + * one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval + * @param triggeringElement + * the element that triggers this CSP violation. It can be null. + * @param sourceFile + * name of the source file containing the violation (if available) + * @param contentSample + * sample of the violating content (to aid debugging) + * @param lineNum + * source line number of the violation (if available) + * @param columnNum + * source column number of the violation (if available) + * @param aNonce + * (optional) If this is a nonce violation, include the nonce so we can + * recheck to determine which policies were violated and send the + * appropriate reports. + * @param aContent + * (optional) If this is a hash violation, include contents of the inline + * resource in the question so we can recheck the hash in order to + * determine which policies were violated and send the appropriate + * reports. + */ + void logViolationDetails(in unsigned short violationType, + in Element triggeringElement, + in nsICSPEventListener aCSPEventListener, + in AString sourceFile, + in AString scriptSample, + in int32_t lineNum, + in int32_t columnNum, + [optional] in AString nonce, + [optional] in AString content); + + const unsigned short VIOLATION_TYPE_EVAL = 1; + const unsigned short VIOLATION_TYPE_WASM_EVAL = 2; + + /** + * Called after the CSP object is created to fill in appropriate request + * context. Either use + * * aDocument (preferred), or if no document is available, then provide + * * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly. + */ + [must_use] void setRequestContextWithDocument(in Document aDocument); + [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal, + in nsIURI aSelfURI, + in AString aReferrer, + in unsigned long long aInnerWindowId); + + /** + * Get the various arguments needed to create a new request context for a CSP. + */ + [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal; + [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI; + [noscript] readonly attribute AString referrer; + [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID; + + /** + * Warning: Do not set that attribute unless you know exactly what you are doing! + * + * Primarily used to allow Devtools to edit inline styles! + */ + [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck; + + /** + * Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable + */ + [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget); + + + /** + * Verifies ancestry as permitted by the policy. + * + * NOTE: Calls to this may trigger violation reports when queried, so this + * value should not be cached. + * + * @param aLoadInfo + * The loadinfo of the channel containing the protected resource + * @return + * true if the frame's ancestors are all allowed by policy (except for + * report-only policies, which will send reports and then return true + * here when violated). + */ + boolean permitsAncestry(in nsILoadInfo aLoadInfo); + + + /** + * Checks if a specific directive permits loading of a URI. + * + * @param aTriggeringElement + * The element that triggers this CSP check. It can be null. + * @param aURI + * The URI about to be loaded or used. + * @param aDir + * The CSPDirective to query (see above constants *_DIRECTIVE). + * @param aSpecific + * If "true" and the directive is specified to fall back to "default-src" + * when it's not explicitly provided, directivePermits will NOT try + * default-src when the specific directive is not used. Setting this to + * "false" allows CSP to fall back to default-src. This function + * behaves the same for both values of canUseDefault when querying + * directives that don't fall-back. + * @param aSendViolationReports + * If `true` and the uri is not allowed then trigger violation reports. + * This should be `false` for caching or preloads. + * @return + * Whether or not the provided URI is allowed by CSP under the given + * directive. (block the pending operation if false). + */ + boolean permits(in Element aTriggeringElement, + in nsICSPEventListener aCSPEventListener, + in nsIURI aURI, + in nsIContentSecurityPolicy_CSPDirective aDir, + in boolean aSpecific, + in boolean aSendViolationReports); + + /** + * Delegate method called by the service when sub-elements of the protected + * document are being loaded. Given a bit of information about the request, + * decides whether or not the policy is satisfied. + * + * Calls to this may trigger violation reports when queried, so + * this value should not be cached. + * + * aOriginalURIIfRedirect must be passed only if this loading is the result + * of a redirect. In this case, aOriginalURIIfRedirect must be the original + * URL. + */ + short shouldLoad(in nsContentPolicyType aContentType, + in nsICSPEventListener aCSPEventListener, + in nsIURI aContentLocation, + in nsIURI aOriginalURIIfRedirect, + in bool aSendViolationReports, + in AString aNonce, + in boolean aParserCreated); + +%{ C++ +// nsIObserver topic to fire when the policy encounters a violation. +#define CSP_VIOLATION_TOPIC "csp-on-violate-policy" +%} + + /** + * Returns the CSP in JSON notation. + */ + AString toJSON(); + +}; + +typedef nsIContentSecurityPolicy_CSPDirective CSPDirective; + +/* Listener for security policy violation event */ +[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)] +interface nsICSPEventListener : nsISupports +{ + // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary. + void onCSPViolationEvent(in AString aJSON); +}; diff --git a/dom/interfaces/security/nsIReferrerInfo.idl b/dom/interfaces/security/nsIReferrerInfo.idl new file mode 100644 index 0000000000..07e2f603bc --- /dev/null +++ b/dom/interfaces/security/nsIReferrerInfo.idl @@ -0,0 +1,150 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" +#include "nsISerializable.idl" + +%{C++ +namespace mozilla::dom { +enum class ReferrerPolicy : uint8_t; +} +%} + +interface nsIURI; +webidl Document; +webidl Element; + +native ReferrerPolicy(mozilla::dom::ReferrerPolicy); +native URIRef(already_AddRefed<nsIURI>); + +[scriptable, builtinclass, uuid(081cdc36-f2e2-4f94-87bf-78578f06f1eb)] +interface nsIReferrerInfo : nsISerializable +{ + /** + * Unfortunately we can not query the ReferrerPolicy values defined within + * ReferrerPolicy.webidl directly from xpidl. Hence we define the enum value + * ReferrerPolicyIDL to set up the ReferrerInfo object from JS. If you need + * ReferrerPolicy in native code, please directly query it from + * ReferrerPolicy.webidl. + * + * Note that the deserialization code assumes that the ReferrerPolicyIDL only + * uses one byte. If we would need to change the format here, we should also + * update the deserialization code. + */ + cenum ReferrerPolicyIDL : 8 { + /** + * The undefined state, or no referrer policy, usually causing a fallback to a + * referrer policy definded in higher level policy. For example: request by + * clicking <a> element with empty referrer policy will be sent with the + * referrer policy of the a element’s node document. + * If there is no higher-level policy available, we fall back to the default + * value, which usually is "no-referrer-when-downgrade". + */ + EMPTY = 0, + /** + * Do not send referrer from https->http + */ + NO_REFERRER_WHEN_DOWNGRADE = 1, + /** + * Do not send referrer at all. + */ + NO_REFERRER = 2, + /** + * Only send the origin of the referring URL + */ + ORIGIN = 3, + /** + * Send origin when cross-origin. + */ + ORIGIN_WHEN_CROSS_ORIGIN = 4, + /** + * Always sends the referrer, even on downgrade. + */ + UNSAFE_URL = 5, + /** + * Send referrer when same-origin, no referrer when cross-origin + */ + SAME_ORIGIN = 6, + /** + * Send origin when request from https->https or http->http(s). No referrer + * when request from https->http. + */ + STRICT_ORIGIN = 7, + /** + * Send referrer when same-origin, send origin when cross-origin from + * https->https or http->http(s). No referrer when request from https->http. + */ + STRICT_ORIGIN_WHEN_CROSS_ORIGIN = 8, + }; + + /** + * The original referrer URI which indicates the full referrer before applying + * referrer policy + */ + [infallible] readonly attribute nsIURI originalReferrer; + + /** + * Referrer policy which is applied to the referrer + */ + [implicit_jscontext] readonly attribute nsIReferrerInfo_ReferrerPolicyIDL referrerPolicy; + + /** + * C++ friendly version of referrerPolicy getter + */ + [noscript, notxpcom, nostdcall, binaryname(ReferrerPolicy)] + ReferrerPolicy binaryReferrerPolicy(); + + /** + * Get referrer policy as string + */ + ACString getReferrerPolicyString(); + + /** + * Indicates if the referrer should not be sent or not even when it's available. + */ + [infallible] readonly attribute boolean sendReferrer; + + /** + * Indicates if the referrer should not be sent or not even when it's available. + */ + readonly attribute AString computedReferrerSpec; + + /** + * Get the computed referrer, if one has been set. The computed referrer is + * the original referrer manipulated by the referrer-policy. Use the result of + * this function as the actual referrer value for the channel. + */ + [must_use, noscript, nostdcall, notxpcom] + URIRef GetComputedReferrer(); + + /** + * Returns whether the other referrerInfo is equivalent to this referrerInfo. + */ + boolean equals(in nsIReferrerInfo other); + + /** + * Initialize method to create ReferrerInfo object from JS + * @param aReferrerPolicy referrer policy of the created object + * @param aSendReferrer sendReferrer of the created object, defaults to false + * @param aOriginalReferrer the original referrer, defaults to null. + */ + void init(in nsIReferrerInfo_ReferrerPolicyIDL aReferrerPolicy, + [optional] in boolean aSendReferrer, + [optional] in nsIURI aOriginalReferrer); + + /** + * Initialize with a given document. + * @param aDocument the document to init referrerInfo object + */ + void initWithDocument([const] in Document aDocument); + + /** + * Initialize with a given node. It you are working with node which supports + * referrerpolicy attribute: <a>, <img>, <area>, <script>, <iframe>, please + * try to use this init instead of initWithDocument, because referrer policy + * from rel and attribute has a higher priority. + * @param aNode the element to init referrerInfo object + */ + void initWithElement([const] in Element aNode); +}; |