/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at
http://mozilla.org/MPL/2.0/. */
#include "nsISerializable.idl"
#include "nsIContentPolicy.idl"
interface nsIURI;
interface nsIEventTarget;
interface nsILoadInfo;
interface nsIPrincipal;
interface nsICSPEventListener;
webidl Element;
webidl Document;
/**
* nsIContentSecurityPolicy
* Describes an XPCOM component used to model and enforce CSPs. Instances of
* this class may have multiple policies within them, but there should only be
* one of these per document/principal.
*/
%{C++
class nsCSPPolicy;
namespace mozilla::dom {
struct CSPViolationData;
}
%}
[ptr] native CSPPolicyPtr(const nsCSPPolicy);
native CSPViolationData(mozilla::dom::CSPViolationData&&);
[scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)]
interface nsIContentSecurityPolicy : nsISerializable
{
/**
* Directives supported by Content Security Policy. These are enums for
* the CSPDirective type.
* The NO_DIRECTIVE entry is used for checking default permissions and
* returning failure when asking CSP which directive to check.
*
* NOTE: When implementing a new directive, you will need to add it here but also
* add it to the CSPStrDirectives array in nsCSPUtils.h.
*/
cenum CSPDirective : 8 {
NO_DIRECTIVE = 0,
DEFAULT_SRC_DIRECTIVE = 1,
SCRIPT_SRC_DIRECTIVE = 2,
OBJECT_SRC_DIRECTIVE = 3,
STYLE_SRC_DIRECTIVE = 4,
IMG_SRC_DIRECTIVE = 5,
MEDIA_SRC_DIRECTIVE = 6,
FRAME_SRC_DIRECTIVE = 7,
FONT_SRC_DIRECTIVE = 8,
CONNECT_SRC_DIRECTIVE = 9,
REPORT_URI_DIRECTIVE = 10,
FRAME_ANCESTORS_DIRECTIVE = 11,
REFLECTED_XSS_DIRECTIVE = 12,
BASE_URI_DIRECTIVE = 13,
FORM_ACTION_DIRECTIVE = 14,
WEB_MANIFEST_SRC_DIRECTIVE = 15,
UPGRADE_IF_INSECURE_DIRECTIVE = 16,
CHILD_SRC_DIRECTIVE = 17,
BLOCK_ALL_MIXED_CONTENT = 18,
SANDBOX_DIRECTIVE = 19,
WORKER_SRC_DIRECTIVE = 20,
SCRIPT_SRC_ELEM_DIRECTIVE = 21,
SCRIPT_SRC_ATTR_DIRECTIVE = 22,
STYLE_SRC_ELEM_DIRECTIVE = 23,
STYLE_SRC_ATTR_DIRECTIVE = 24,
REQUIRE_TRUSTED_TYPES_FOR_DIRECTIVE = 25,
TRUSTED_TYPES_DIRECTIVE = 26,
REPORT_TO_DIRECTIVE = 27,
};
cenum RequireTrustedTypesForDirectiveState : 8 {
NONE = 0,
REPORT_ONLY = 1,
ENFORCE = 2,
};
/**
* Accessor method for a read-only string version of the policy at a given
* index.
*/
[binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);
/**
* Accessor method for a read-only pointer the policy object at a given
* index. Returns a null pointer if the index is larger than the current
* policy count.
*/
[noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);
/**
* Returns the number of policies attached to this CSP instance. Useful with
* getPolicy().
*/
readonly attribute unsigned long policyCount;
/**
* Returns whether this policy uses the directive upgrade-insecure-requests.
* Please note that upgrade-insecure-reqeusts also applies if the parent or
* including document (context) makes use of the directive.
*/
readonly attribute boolean upgradeInsecureRequests;
/**
* Returns whether this policy uses the directive block-all-mixed-content.
* Please note that block-all-mixed-content takes presedence in case the
* directive upgrade-insecure-requests is defined in the same policy and
* will therefore block all mixed content without even trying to perform
* an upgrade.
*/
readonly attribute boolean blockAllMixedContent;
/**
* Returns whether this policy enforces the frame-ancestors directive.
*/
readonly attribute boolean enforcesFrameAncestors;
/**
* Parse and install a CSP policy.
* @param aPolicy
* String representation of the policy
* (e.g., header value, meta content)
* @param reportOnly
* Should this policy affect content, script and style processing or
* just send reports if it is violated?
* @param deliveredViaMetaTag
* Indicates whether the policy was delivered via the meta tag.
*/
void appendPolicy(in AString policyString,
in boolean reportOnly,
in boolean deliveredViaMetaTag);
/**
* Indicate the global state for the require-trusted-types-for directives
* - NONE: No require-trusted-types-for directives.
* - REPORT_ONLY: At least one require-trusted-types-for directive, but all
* of them have "report" disposition.
* - ENFORCE: At least one require-trusted-types-for directive with "enforce"
* disposition.
*/
[infallible] readonly attribute nsIContentSecurityPolicy_RequireTrustedTypesForDire
ctiveState requireTrustedTypesForDirectiveState;
/*
* Whether this policy allows inline script or style.
* @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or
* STYLE_SRC_(ELEM|ATTR)_DIRECTIVE.
* @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is
* also specified.
* @param aNonce The nonce string to check against the policy.
* @param aParserCreated If the script element was created by the HTML Parser
* @param aTriggeringElement The script element of the inline resource to
* hash. It can be null.
* @param aContentOfPseudoScript The content of the psuedo-script to compare
* to hash (and compare to the hashes listed in
* the policy)
* @param aLineNumber The line number of the inline resource
* (used for reporting)
* @param aColumnNumber The column number of the inline resource
* (used for reporting)
* @return
* Whether or not the effects of the inline style should be allowed
* (block the rules if false).
*/
boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective,
in boolean aHasUnsafeHash,
in AString aNonce,
in boolean aParserCreated,
in Element aTriggeringElement,
in nsICSPEventListener aCSPEventListener,
in AString aContentOfPseudoScript,
in unsigned long aLineNumber,
in unsigned long aColumnNumber);
/**
* Whether this policy allows eval and eval-like functions
* such as setTimeout("code string", time).
* @param shouldReportViolations
* Whether or not the use of eval should be reported.
* This function returns "true" when violating report-only policies, but
* when any policy (report-only or otherwise) is violated,
* shouldReportViolations is true as well.
* @return
* Whether or not the effects of the eval call should be allowed
* (block the call if false).
*/
boolean getAllowsEval(out boolean shouldReportViolations);
/**
* Whether this policy allows the evaluation (and compilation) of
* WASM code from functions like `WebAssembly.compile`.
* @param shouldReportViolations
* Whether or not the use of WASM evaluation should be reported.
* This function returns "true" when violating report-only policies, but
* when any policy (report-only or otherwise) is violated,
* shouldReportViolations is true as well.
* @return
* Whether or not the effects of the WASM evaluation should be allowed
* (block the call if false).
*/
boolean getAllowsWasmEval(out boolean shouldReportViolations);
/**
* Delegate method called by the service when the protected document is loaded.
* Returns the union of all the sandbox flags contained in CSP policies. This is the most
* restrictive interpretation of flags set in multiple policies.
* See nsSandboxFlags.h for the possible flags.
*
* @return
* sandbox flags or SANDBOXED_NONE if no sandbox directive exists
*/
uint32_t getCSPSandboxFlags();
/**
* For each violated policy (of type violationType), log policy violation on
* the Error Console and send a report to report-uris present in the violated
* policies.
*
* @param violationType
* one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
* @param triggeringElement
* the element that triggers this CSP violation. It can be null.
* @param sourceFile
* name of the source file containing the violation (if available)
* @param contentSample
* sample of the violating content (to aid debugging)
* @param lineNum
* source line number of the violation (if available)
* @param columnNum
* source column number of the violation (if available)
* @param aNonce
* (optional) If this is a nonce violation, include the nonce so we can
* recheck to determine which policies were violated and send the
* appropriate reports.
* @param aContent
* (optional) If this is a hash violation, include contents of the inline
* resource in the question so we can recheck the hash in order to
* determine which policies were violated and send the appropriate
* reports.
*/
void logViolationDetails(in unsigned short violationType,
in Element triggeringElement,
in nsICSPEventListener aCSPEventListener,
in ACString sourceFile,
in AString scriptSample,
in int32_t lineNum,
in int32_t columnNum,
[optional] in AString nonce,
[optional] in AString content);
const unsigned short VIOLATION_TYPE_EVAL = 1;
const unsigned short VIOLATION_TYPE_WASM_EVAL = 2;
/**
* Log violation details for aCSPViolationData's directive. The directive is
* required to:
* - be one of the CSP directives corresponding to Trusted Types.
* - belong to the policy referrenced by aCSPViolationData.
* No check happens that the policy is indeed violated.
*
* Notifies observers, logs on the error console, sends a report (with a code-
* sample) to the directive's report-uris and may fire a violation event.
*
* @param aCSPEventListener Should be null for Windows
* (https://html.spec.whatwg.org/multipage/nav-history-apis.html#window),
* and non-null for Workers.
*/
[noscript] void logTrustedTypesViolationDetailsUnchecked(
in CSPViolationData aCSPViolationData,
in AString aObserverSubject,
in nsICSPEventListener aCSPEventListener);
/**
* Called after the CSP object is created to fill in appropriate request
* context. Either use
* * aDocument (preferred), or if no document is available, then provide
* * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly.
*/
[must_use] void setRequestContextWithDocument(in Document aDocument);
[must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal,
in nsIURI aSelfURI,
in ACString aReferrer,
in unsigned long long aInnerWindowId);
/**
* Get the various arguments needed to create a new request context for a CSP.
*/
[noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal;
[noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI;
[noscript] readonly attribute ACString referrer;
[noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID;
/**
* Warning: Do not set that attribute unless you know exactly what you are doing!
*
* Primarily used to allow Devtools to edit inline styles!
*/
[noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck;
/**
* Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable
*/
[noscript] void ensureEventTarget(in nsIEventTarget aEventTarget);
/**
* Verifies ancestry as permitted by the policy.
*
* NOTE: Calls to this may trigger violation reports when queried, so this
* value should not be cached.
*
* @param aLoadInfo
* The loadinfo of the channel containing the protected resource
* @return
* true if the frame's ancestors are all allowed by policy (except for
* report-only policies, which will send reports and then return true
* here when violated).
*/
boolean permitsAncestry(in nsILoadInfo aLoadInfo);
/**
* Checks if a specific directive permits loading of a URI.
*
* @param aTriggeringElement
* The element that triggers this CSP check. It can be null.
* @param aURI
* The URI about to be loaded or used.
* @param aDir
* The CSPDirective to query (see above constants *_DIRECTIVE).
* @param aSpecific
* If "true" and the directive is specified to fall back to "default-src"
* when it's not explicitly provided, directivePermits will NOT try
* default-src when the specific directive is not used. Setting this to
* "false" allows CSP to fall back to default-src. This function
* behaves the same for both values of canUseDefault when querying
* directives that don't fall-back.
* @param aSendViolationReports
* If `true` and the uri is not allowed then trigger violation reports.
* This should be `false` for caching or preloads.
* @return
* Whether or not the provided URI is allowed by CSP under the given
* directive. (block the pending operation if false).
*/
boolean permits(in Element aTriggeringElement,
in nsICSPEventListener aCSPEventListener,
in nsIURI aURI,
in nsIContentSecurityPolicy_CSPDirective aDir,
in boolean aSpecific,
in boolean aSendViolationReports);
/**
* Delegate method called by the service when sub-elements of the protected
* document are being loaded. Given a bit of information about the request,
* decides whether or not the policy is satisfied.
*
* Calls to this may trigger violation reports when queried, so
* this value should not be cached.
*
* aOriginalURIIfRedirect must be passed only if this loading is the result
* of a redirect. In this case, aOriginalURIIfRedirect must be the original
* URL.
*/
short shouldLoad(in nsContentPolicyType aContentType,
in nsICSPEventListener aCSPEventListener,
in nsILoadInfo aLoadInfo,
in nsIURI aContentLocation,
in nsIURI aOriginalURIIfRedirect,
in boolean aSendViolationReports);
%{ C++
// nsIObserver topic to fire when the policy encounters a violation.
#define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
%}
/**
* Returns the CSP in JSON notation.
*/
AString toJSON();
/**
* Ensure policies from IPC are read/parsed.
*/
[noscript] void EnsureIPCPoliciesRead();
};
typedef nsIContentSecurityPolicy_CSPDirective CSPDirective;
typedef nsIContentSecurityPolicy_RequireTrustedTypesForDirectiveState RequireTrustedTypesForDirectiveState;
/* Listener for security policy violation event */
[function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)]
interface nsICSPEventListener : nsISupports
{
// aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary.
void onCSPViolationEvent(in AString aJSON);
};
