1/* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 5#include "nsISerializable.idl" 6#include "nsIContentPolicy.idl" 7 8interface nsIURI; 9interface nsIEventTarget; 10interface nsILoadInfo; 11interface nsIPrincipal; 12interface nsICSPEventListener; 13 14webidl Element; 15webidl Document; 16 17/** 18 * nsIContentSecurityPolicy 19 * Describes an XPCOM component used to model and enforce CSPs. Instances of 20 * this class may have multiple policies within them, but there should only be 21 * one of these per document/principal. 22 */ 23 24typedef unsigned short CSPDirective; 25 26%{C++ 27class nsCSPPolicy; 28%} 29 30[ptr] native CSPPolicyPtr(const nsCSPPolicy); 31 32[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)] 33interface nsIContentSecurityPolicy : nsISerializable 34{ 35 /** 36 * Directives supported by Content Security Policy. These are enums for 37 * the CSPDirective type. 38 * The NO_DIRECTIVE entry is used for checking default permissions and 39 * returning failure when asking CSP which directive to check. 40 * 41 * NOTE: When implementing a new directive, you will need to add it here but also 42 * add it to the CSPStrDirectives array in nsCSPUtils.h. 43 */ 44 const unsigned short NO_DIRECTIVE = 0; 45 const unsigned short DEFAULT_SRC_DIRECTIVE = 1; 46 const unsigned short SCRIPT_SRC_DIRECTIVE = 2; 47 const unsigned short OBJECT_SRC_DIRECTIVE = 3; 48 const unsigned short STYLE_SRC_DIRECTIVE = 4; 49 const unsigned short IMG_SRC_DIRECTIVE = 5; 50 const unsigned short MEDIA_SRC_DIRECTIVE = 6; 51 const unsigned short FRAME_SRC_DIRECTIVE = 7; 52 const unsigned short FONT_SRC_DIRECTIVE = 8; 53 const unsigned short CONNECT_SRC_DIRECTIVE = 9; 54 const unsigned short REPORT_URI_DIRECTIVE = 10; 55 const unsigned short FRAME_ANCESTORS_DIRECTIVE = 11; 56 const unsigned short REFLECTED_XSS_DIRECTIVE = 12; 57 const unsigned short BASE_URI_DIRECTIVE = 13; 58 const unsigned short FORM_ACTION_DIRECTIVE = 14; 59 const unsigned short WEB_MANIFEST_SRC_DIRECTIVE = 15; 60 const unsigned short UPGRADE_IF_INSECURE_DIRECTIVE = 16; 61 const unsigned short CHILD_SRC_DIRECTIVE = 17; 62 const unsigned short BLOCK_ALL_MIXED_CONTENT = 18; 63 const unsigned short SANDBOX_DIRECTIVE = 19; 64 const unsigned short WORKER_SRC_DIRECTIVE = 20; 65 const unsigned short NAVIGATE_TO_DIRECTIVE = 21; 66 67 /** 68 * Accessor method for a read-only string version of the policy at a given 69 * index. 70 */ 71 [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index); 72 73 /** 74 * Accessor method for a read-only pointer the policy object at a given 75 * index. Returns a null pointer if the index is larger than the current 76 * policy count. 77 */ 78 [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index); 79 80 /** 81 * Returns the number of policies attached to this CSP instance. Useful with 82 * getPolicy(). 83 */ 84 readonly attribute unsigned long policyCount; 85 86 /** 87 * Returns whether this policy uses the directive upgrade-insecure-requests. 88 * Please note that upgrade-insecure-reqeusts also applies if the parent or 89 * including document (context) makes use of the directive. 90 */ 91 readonly attribute bool upgradeInsecureRequests; 92 93 /** 94 * Returns whether this policy uses the directive block-all-mixed-content. 95 * Please note that block-all-mixed-content takes presedence in case the 96 * directive upgrade-insecure-requests is defined in the same policy and 97 * will therefore block all mixed content without even trying to perform 98 * an upgrade. 99 */ 100 readonly attribute bool blockAllMixedContent; 101 102 /** 103 * Returns whether this policy enforces the frame-ancestors directive. 104 */ 105 readonly attribute bool enforcesFrameAncestors; 106 107 /** 108 * Parse and install a CSP policy. 109 * @param aPolicy 110 * String representation of the policy 111 * (e.g., header value, meta content) 112 * @param reportOnly 113 * Should this policy affect content, script and style processing or 114 * just send reports if it is violated? 115 * @param deliveredViaMetaTag 116 * Indicates whether the policy was delivered via the meta tag. 117 */ 118 void appendPolicy(in AString policyString, 119 in boolean reportOnly, 120 in boolean deliveredViaMetaTag); 121 122 /* 123 * Whether this policy allows inline script or style. 124 * @param aContentPolicyType Either TYPE_SCRIPT or TYPE_STYLESHEET 125 * @param aNonce The nonce string to check against the policy 126 * @param aParserCreated If the script element was created by the HTML Parser 127 * @param aTriggeringElement The script element of the inline resource to 128 * hash. It can be null. 129 * @param aContentOfPseudoScript The content of the psuedo-script to compare 130 * to hash (and compare to the hashes listed in 131 * the policy) 132 * @param aLineNumber The line number of the inline resource 133 * (used for reporting) 134 * @param aColumnNumber The column number of the inline resource 135 * (used for reporting) 136 * @return 137 * Whether or not the effects of the inline style should be allowed 138 * (block the rules if false). 139 */ 140 boolean getAllowsInline(in nsContentPolicyType aContentPolicyType, 141 in AString aNonce, 142 in boolean aParserCreated, 143 in Element aTriggeringElement, 144 in nsICSPEventListener aCSPEventListener, 145 in AString aContentOfPseudoScript, 146 in unsigned long aLineNumber, 147 in unsigned long aColumnNumber); 148 149 /* 150 * Whether this policy allows a navigation subject to the navigate-to 151 * policy. 152 * @param aURI The target URI 153 * @param aIsFormSubmission True if the navigation was initiated by a form submission. This 154 * is important since the form-action directive overrides navigate-to in that case. 155 * @param aWasRedirect True if a redirect has happened. Important for path-sensitivity. 156 * @param aEnforceWhitelist True if the whitelist of allowed targets must be enforced. If 157 * this is true, the whitelist must be enforced even if 'unsafe-allow-redirects' is 158 * used. If 'unsafe-allow-redirects' is not used then the whitelist is always enforced 159 * @return 160 * Whether or not the effects of the navigation is allowed 161 */ 162 boolean getAllowsNavigateTo(in nsIURI aURI, 163 in boolean aIsFormSubmission, 164 in boolean aWasRedirected, 165 in boolean aEnforceWhitelist); 166 167 /** 168 * whether this policy allows eval and eval-like functions 169 * such as setTimeout("code string", time). 170 * @param shouldReportViolations 171 * Whether or not the use of eval should be reported. 172 * This function returns "true" when violating report-only policies, but 173 * when any policy (report-only or otherwise) is violated, 174 * shouldReportViolations is true as well. 175 * @return 176 * Whether or not the effects of the eval call should be allowed 177 * (block the call if false). 178 */ 179 boolean getAllowsEval(out boolean shouldReportViolations); 180 181 /** 182 * Delegate method called by the service when the protected document is loaded. 183 * Returns the union of all the sandbox flags contained in CSP policies. This is the most 184 * restrictive interpretation of flags set in multiple policies. 185 * See nsSandboxFlags.h for the possible flags. 186 * 187 * @return 188 * sandbox flags or SANDBOXED_NONE if no sandbox directive exists 189 */ 190 uint32_t getCSPSandboxFlags(); 191 192 /** 193 * For each violated policy (of type violationType), log policy violation on 194 * the Error Console and send a report to report-uris present in the violated 195 * policies. 196 * 197 * @param violationType 198 * one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval 199 * @param triggeringElement 200 * the element that triggers this CSP violation. It can be null. 201 * @param sourceFile 202 * name of the source file containing the violation (if available) 203 * @param contentSample 204 * sample of the violating content (to aid debugging) 205 * @param lineNum 206 * source line number of the violation (if available) 207 * @param columnNum 208 * source column number of the violation (if available) 209 * @param aNonce 210 * (optional) If this is a nonce violation, include the nonce so we can 211 * recheck to determine which policies were violated and send the 212 * appropriate reports. 213 * @param aContent 214 * (optional) If this is a hash violation, include contents of the inline 215 * resource in the question so we can recheck the hash in order to 216 * determine which policies were violated and send the appropriate 217 * reports. 218 */ 219 void logViolationDetails(in unsigned short violationType, 220 in Element triggeringElement, 221 in nsICSPEventListener aCSPEventListener, 222 in AString sourceFile, 223 in AString scriptSample, 224 in int32_t lineNum, 225 in int32_t columnNum, 226 [optional] in AString nonce, 227 [optional] in AString content); 228 229 const unsigned short VIOLATION_TYPE_INLINE_SCRIPT = 1; 230 const unsigned short VIOLATION_TYPE_EVAL = 2; 231 const unsigned short VIOLATION_TYPE_INLINE_STYLE = 3; 232 const unsigned short VIOLATION_TYPE_NONCE_SCRIPT = 4; 233 const unsigned short VIOLATION_TYPE_NONCE_STYLE = 5; 234 const unsigned short VIOLATION_TYPE_HASH_SCRIPT = 6; 235 const unsigned short VIOLATION_TYPE_HASH_STYLE = 7; 236 const unsigned short VIOLATION_TYPE_REQUIRE_SRI_FOR_STYLE = 8; 237 const unsigned short VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT = 9; 238 239 /** 240 * Called after the CSP object is created to fill in appropriate request 241 * context. Either use 242 * * aDocument (preferred), or if no document is available, then provide 243 * * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly. 244 */ 245 [must_use] void setRequestContextWithDocument(in Document aDocument); 246 [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal, 247 in nsIURI aSelfURI, 248 in AString aReferrer, 249 in unsigned long long aInnerWindowId); 250 251 /** 252 * Get the various arguments needed to create a new request context for a CSP. 253 */ 254 [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal; 255 [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI; 256 [noscript] readonly attribute AString referrer; 257 [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID; 258 259 /** 260 * Warning: Do not set that attribute unless you know exactly what you are doing! 261 * 262 * Primarily used to allow Devtools to edit inline styles! 263 */ 264 [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck; 265 266 /** 267 * Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable 268 */ 269 [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget); 270 271 272 /** 273 * Verifies ancestry as permitted by the policy. 274 * 275 * NOTE: Calls to this may trigger violation reports when queried, so this 276 * value should not be cached. 277 * 278 * @param aLoadInfo 279 * The loadinfo of the channel containing the protected resource 280 * @return 281 * true if the frame's ancestors are all allowed by policy (except for 282 * report-only policies, which will send reports and then return true 283 * here when violated). 284 */ 285 boolean permitsAncestry(in nsILoadInfo aLoadInfo); 286 287 288 /** 289 * Checks if a specific directive permits loading of a URI. 290 * 291 * NOTE: Calls to this may trigger violation reports when queried, so the 292 * return value should not be cached. 293 * 294 * @param aTriggeringElement 295 * The element that triggers this CSP check. It can be null. 296 * @param aURI 297 * The URI about to be loaded or used. 298 * @param aDir 299 * The CSPDirective to query (see above constants *_DIRECTIVE). 300 * @param aSpecific 301 * If "true" and the directive is specified to fall back to "default-src" 302 * when it's not explicitly provided, directivePermits will NOT try 303 * default-src when the specific directive is not used. Setting this to 304 * "false" allows CSP to fall back to default-src. This function 305 * behaves the same for both values of canUseDefault when querying 306 * directives that don't fall-back. 307 * @return 308 * Whether or not the provided URI is allowed by CSP under the given 309 * directive. (block the pending operation if false). 310 */ 311 boolean permits(in Element aTriggeringElement, 312 in nsICSPEventListener aCSPEventListener, 313 in nsIURI aURI, 314 in CSPDirective aDir, 315 in boolean aSpecific); 316 317 /** 318 * Delegate method called by the service when sub-elements of the protected 319 * document are being loaded. Given a bit of information about the request, 320 * decides whether or not the policy is satisfied. 321 * 322 * Calls to this may trigger violation reports when queried, so 323 * this value should not be cached. 324 * 325 * aOriginalURIIfRedirect must be passed only if this loading is the result 326 * of a redirect. In this case, aOriginalURIIfRedirect must be the original 327 * URL. 328 */ 329 short shouldLoad(in nsContentPolicyType aContentType, 330 in nsICSPEventListener aCSPEventListener, 331 in nsIURI aContentLocation, 332 in ACString aMimeTypeGuess, 333 in nsIURI aOriginalURIIfRedirect, 334 in bool aSendViolationReports, 335 in AString aNonce, 336 in boolean aParserCreated); 337 338%{ C++ 339// nsIObserver topic to fire when the policy encounters a violation. 340#define CSP_VIOLATION_TOPIC "csp-on-violate-policy" 341%} 342 343 /** 344 * Returns the CSP in JSON notation. 345 */ 346 AString toJSON(); 347 348}; 349 350/* Listener for security policy violation event */ 351[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)] 352interface nsICSPEventListener : nsISupports 353{ 354 // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary. 355 void onCSPViolationEvent(in AString aJSON); 356}; 357