content/base/public/nsIContentSecurityPolicy.idl@97036ab72558 (annotated)
content/base/public/nsIContentSecurityPolicy.idl
Tue, 06 Jan 2015 21:39:09 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Tue, 06 Jan 2015 21:39:09 +0100
- branch
- TOR_BUG_9701
- changeset 8
- 97036ab72558
- permissions
- -rw-r--r--
Conditionally force memory storage according to privacy.thirdparty.isolate;
This solves Tor bug #9701, complying with disk avoidance documented in
https://www.torproject.org/projects/torbrowser/design/#disk-avoidance.
| michael@0 | 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 4 | |
| michael@0 | 5 | #include "nsISerializable.idl" |
| michael@0 | 6 | |
| michael@0 | 7 | interface nsIURI; |
| michael@0 | 8 | interface nsIChannel; |
| michael@0 | 9 | interface nsIDocShell; |
| michael@0 | 10 | interface nsIPrincipal; |
| michael@0 | 11 | |
| michael@0 | 12 | /** |
| michael@0 | 13 | * nsIContentSecurityPolicy |
| michael@0 | 14 | * Describes an XPCOM component used to model and enforce CSPs. Instances of |
| michael@0 | 15 | * this class may have multiple policies within them, but there should only be |
| michael@0 | 16 | * one of these per document/principal. |
| michael@0 | 17 | */ |
| michael@0 | 18 | |
| michael@0 | 19 | [scriptable, uuid(8b91f829-b1bf-4327-8ece-4000aa823394)] |
| michael@0 | 20 | interface nsIContentSecurityPolicy : nsISerializable |
| michael@0 | 21 | { |
| michael@0 | 22 | |
| michael@0 | 23 | /** |
| michael@0 | 24 | * Set to true when the CSP has been read in and parsed and is ready to |
| michael@0 | 25 | * enforce. This is a barrier for the nsDocument so it doesn't load any |
| michael@0 | 26 | * sub-content until either it knows that a CSP is ready or will not be used. |
| michael@0 | 27 | */ |
| michael@0 | 28 | attribute boolean isInitialized; |
| michael@0 | 29 | |
| michael@0 | 30 | /** |
| michael@0 | 31 | * Accessor method for a read-only string version of the policy at a given |
| michael@0 | 32 | * index. |
| michael@0 | 33 | */ |
| michael@0 | 34 | AString getPolicy(in unsigned long index); |
| michael@0 | 35 | |
| michael@0 | 36 | /** |
| michael@0 | 37 | * Returns the number of policies attached to this CSP instance. Useful with |
| michael@0 | 38 | * getPolicy(). |
| michael@0 | 39 | */ |
| michael@0 | 40 | attribute long policyCount; |
| michael@0 | 41 | |
| michael@0 | 42 | /** |
| michael@0 | 43 | * Remove a policy associated with this CSP context. |
| michael@0 | 44 | * @throws NS_ERROR_FAILURE if the index is out of bounds or invalid. |
| michael@0 | 45 | */ |
| michael@0 | 46 | void removePolicy(in unsigned long index); |
| michael@0 | 47 | |
| michael@0 | 48 | /** |
| michael@0 | 49 | * Parse and install a CSP policy. |
| michael@0 | 50 | * @param aPolicy |
| michael@0 | 51 | * String representation of the policy (e.g., header value) |
| michael@0 | 52 | * @param selfURI |
| michael@0 | 53 | * the URI of the protected document/principal |
| michael@0 | 54 | * @param reportOnly |
| michael@0 | 55 | * Should this policy affect content, script and style processing or |
| michael@0 | 56 | * just send reports if it is violated? |
| michael@0 | 57 | * @param specCompliant |
| michael@0 | 58 | * Whether or not the policy conforms to the W3C specification. |
| michael@0 | 59 | * If this is false, that indicates this policy is from the older |
| michael@0 | 60 | * implementation with different semantics and directive names. |
| michael@0 | 61 | */ |
| michael@0 | 62 | void appendPolicy(in AString policyString, in nsIURI selfURI, |
| michael@0 | 63 | in boolean reportOnly, in boolean specCompliant); |
| michael@0 | 64 | |
| michael@0 | 65 | /** |
| michael@0 | 66 | * Whether this policy allows in-page script. |
| michael@0 | 67 | * @param shouldReportViolations |
| michael@0 | 68 | * Whether or not the use of inline script should be reported. |
| michael@0 | 69 | * This function always returns "true" for report-only policies, but when |
| michael@0 | 70 | * any policy (report-only or otherwise) is violated, |
| michael@0 | 71 | * shouldReportViolations is true as well. |
| michael@0 | 72 | * @return |
| michael@0 | 73 | * Whether or not the effects of the inline script should be allowed |
| michael@0 | 74 | * (block the compilation if false). |
| michael@0 | 75 | */ |
| michael@0 | 76 | boolean getAllowsInlineScript(out boolean shouldReportViolations); |
| michael@0 | 77 | |
| michael@0 | 78 | /** |
| michael@0 | 79 | * whether this policy allows eval and eval-like functions |
| michael@0 | 80 | * such as setTimeout("code string", time). |
| michael@0 | 81 | * @param shouldReportViolations |
| michael@0 | 82 | * Whether or not the use of eval should be reported. |
| michael@0 | 83 | * This function returns "true" when violating report-only policies, but |
| michael@0 | 84 | * when any policy (report-only or otherwise) is violated, |
| michael@0 | 85 | * shouldReportViolations is true as well. |
| michael@0 | 86 | * @return |
| michael@0 | 87 | * Whether or not the effects of the eval call should be allowed |
| michael@0 | 88 | * (block the call if false). |
| michael@0 | 89 | */ |
| michael@0 | 90 | boolean getAllowsEval(out boolean shouldReportViolations); |
| michael@0 | 91 | |
| michael@0 | 92 | /** |
| michael@0 | 93 | * Whether this policy allows in-page styles. |
| michael@0 | 94 | * This includes <style> tags with text content and style="" attributes in |
| michael@0 | 95 | * HTML elements. |
| michael@0 | 96 | * @param shouldReportViolations |
| michael@0 | 97 | * Whether or not the use of inline style should be reported. |
| michael@0 | 98 | * If there are report-only policies, this function may return true |
| michael@0 | 99 | * (don't block), but one or more policy may still want to send |
| michael@0 | 100 | * violation reports so shouldReportViolations will be true even if the |
| michael@0 | 101 | * inline style should be permitted. |
| michael@0 | 102 | * @return |
| michael@0 | 103 | * Whether or not the effects of the inline style should be allowed |
| michael@0 | 104 | * (block the rules if false). |
| michael@0 | 105 | */ |
| michael@0 | 106 | boolean getAllowsInlineStyle(out boolean shouldReportViolations); |
| michael@0 | 107 | |
| michael@0 | 108 | /** |
| michael@0 | 109 | * Whether this policy accepts the given nonce |
| michael@0 | 110 | * @param aNonce |
| michael@0 | 111 | * The nonce string to check against the policy |
| michael@0 | 112 | * @param aContentType |
| michael@0 | 113 | * The type of element on which we encountered this nonce |
| michael@0 | 114 | * @param shouldReportViolation |
| michael@0 | 115 | * Whether or not the use of an incorrect nonce should be reported. |
| michael@0 | 116 | * This function always returns "true" for report-only policies, but when |
| michael@0 | 117 | * the report-only policy is violated, shouldReportViolation is true as |
| michael@0 | 118 | * well. |
| michael@0 | 119 | * @return |
| michael@0 | 120 | * Whether or not this nonce is valid |
| michael@0 | 121 | */ |
| michael@0 | 122 | boolean getAllowsNonce(in AString aNonce, |
| michael@0 | 123 | in unsigned long aContentType, |
| michael@0 | 124 | out boolean shouldReportViolation); |
| michael@0 | 125 | |
| michael@0 | 126 | /** |
| michael@0 | 127 | * Whether this policy accepts the given inline resource based on the hash |
| michael@0 | 128 | * of its content. |
| michael@0 | 129 | * @param aContent |
| michael@0 | 130 | * The content of the inline resource to hash (and compare to the |
| michael@0 | 131 | * hashes listed in the policy) |
| michael@0 | 132 | * @param aContentType |
| michael@0 | 133 | * The type of inline element (script or style) |
| michael@0 | 134 | * @param shouldReportViolation |
| michael@0 | 135 | * Whether this inline resource should be reported as a hash-source |
| michael@0 | 136 | * violation. If there are no hash-sources in the policy, this is |
| michael@0 | 137 | * always false. |
| michael@0 | 138 | * @return |
| michael@0 | 139 | * Whether or not this inline resource is whitelisted by a hash-source |
| michael@0 | 140 | */ |
| michael@0 | 141 | boolean getAllowsHash(in AString aContent, |
| michael@0 | 142 | in unsigned short aContentType, |
| michael@0 | 143 | out boolean shouldReportViolation); |
| michael@0 | 144 | |
| michael@0 | 145 | /** |
| michael@0 | 146 | * For each violated policy (of type violationType), log policy violation on |
| michael@0 | 147 | * the Error Console and send a report to report-uris present in the violated |
| michael@0 | 148 | * policies. |
| michael@0 | 149 | * |
| michael@0 | 150 | * @param violationType |
| michael@0 | 151 | * one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval |
| michael@0 | 152 | * @param sourceFile |
| michael@0 | 153 | * name of the source file containing the violation (if available) |
| michael@0 | 154 | * @param contentSample |
| michael@0 | 155 | * sample of the violating content (to aid debugging) |
| michael@0 | 156 | * @param lineNum |
| michael@0 | 157 | * source line number of the violation (if available) |
| michael@0 | 158 | * @param aNonce |
| michael@0 | 159 | * (optional) If this is a nonce violation, include the nonce so we can |
| michael@0 | 160 | * recheck to determine which policies were violated and send the |
| michael@0 | 161 | * appropriate reports. |
| michael@0 | 162 | * @param aContent |
| michael@0 | 163 | * (optional) If this is a hash violation, include contents of the inline |
| michael@0 | 164 | * resource in the question so we can recheck the hash in order to |
| michael@0 | 165 | * determine which policies were violated and send the appropriate |
| michael@0 | 166 | * reports. |
| michael@0 | 167 | */ |
| michael@0 | 168 | void logViolationDetails(in unsigned short violationType, |
| michael@0 | 169 | in AString sourceFile, |
| michael@0 | 170 | in AString scriptSample, |
| michael@0 | 171 | in int32_t lineNum, |
| michael@0 | 172 | [optional] in AString nonce, |
| michael@0 | 173 | [optional] in AString content); |
| michael@0 | 174 | |
| michael@0 | 175 | const unsigned short VIOLATION_TYPE_INLINE_SCRIPT = 1; |
| michael@0 | 176 | const unsigned short VIOLATION_TYPE_EVAL = 2; |
| michael@0 | 177 | const unsigned short VIOLATION_TYPE_INLINE_STYLE = 3; |
| michael@0 | 178 | const unsigned short VIOLATION_TYPE_NONCE_SCRIPT = 4; |
| michael@0 | 179 | const unsigned short VIOLATION_TYPE_NONCE_STYLE = 5; |
| michael@0 | 180 | const unsigned short VIOLATION_TYPE_HASH_SCRIPT = 6; |
| michael@0 | 181 | const unsigned short VIOLATION_TYPE_HASH_STYLE = 7; |
| michael@0 | 182 | |
| michael@0 | 183 | /** |
| michael@0 | 184 | * Called after the CSP object is created to fill in appropriate request |
| michael@0 | 185 | * context and give it a reference to its owning principal for violation |
| michael@0 | 186 | * report generation. |
| michael@0 | 187 | * This will use whatever data is available, choosing earlier arguments first |
| michael@0 | 188 | * if multiple are available. Either way, it will attempt to obtain the URI, |
| michael@0 | 189 | * referrer and the principal from whatever is available. If the channel is |
| michael@0 | 190 | * available, it'll also store that for processing policy-uri directives. |
| michael@0 | 191 | */ |
| michael@0 | 192 | void setRequestContext(in nsIURI selfURI, |
| michael@0 | 193 | in nsIURI referrer, |
| michael@0 | 194 | in nsIPrincipal documentPrincipal, |
| michael@0 | 195 | in nsIChannel aChannel); |
| michael@0 | 196 | |
| michael@0 | 197 | /** |
| michael@0 | 198 | * Verifies ancestry as permitted by the policy. |
| michael@0 | 199 | * |
| michael@0 | 200 | * NOTE: Calls to this may trigger violation reports when queried, so this |
| michael@0 | 201 | * value should not be cached. |
| michael@0 | 202 | * |
| michael@0 | 203 | * @param docShell |
| michael@0 | 204 | * containing the protected resource |
| michael@0 | 205 | * @return |
| michael@0 | 206 | * true if the frame's ancestors are all allowed by policy (except for |
| michael@0 | 207 | * report-only policies, which will send reports and then return true |
| michael@0 | 208 | * here when violated). |
| michael@0 | 209 | */ |
| michael@0 | 210 | boolean permitsAncestry(in nsIDocShell docShell); |
| michael@0 | 211 | |
| michael@0 | 212 | /** |
| michael@0 | 213 | * Delegate method called by the service when sub-elements of the protected |
| michael@0 | 214 | * document are being loaded. Given a bit of information about the request, |
| michael@0 | 215 | * decides whether or not the policy is satisfied. |
| michael@0 | 216 | * |
| michael@0 | 217 | * Calls to this may trigger violation reports when queried, so |
| michael@0 | 218 | * this value should not be cached. |
| michael@0 | 219 | */ |
| michael@0 | 220 | short shouldLoad(in unsigned long aContentType, |
| michael@0 | 221 | in nsIURI aContentLocation, |
| michael@0 | 222 | in nsIURI aRequestOrigin, |
| michael@0 | 223 | in nsISupports aContext, |
| michael@0 | 224 | in ACString aMimeTypeGuess, |
| michael@0 | 225 | in nsISupports aExtra); |
| michael@0 | 226 | |
| michael@0 | 227 | /** |
| michael@0 | 228 | * Delegate method called by the service when sub-elements of the protected |
| michael@0 | 229 | * document are being processed. Given a bit of information about the request, |
| michael@0 | 230 | * decides whether or not the policy is satisfied. |
| michael@0 | 231 | */ |
| michael@0 | 232 | short shouldProcess(in unsigned long aContentType, |
| michael@0 | 233 | in nsIURI aContentLocation, |
| michael@0 | 234 | in nsIURI aRequestOrigin, |
| michael@0 | 235 | in nsISupports aContext, |
| michael@0 | 236 | in ACString aMimeType, |
| michael@0 | 237 | in nsISupports aExtra); |
| michael@0 | 238 | |
| michael@0 | 239 | }; |
