Thu, 15 Jan 2015 15:59:08 +0100
Implement a real Private Browsing Mode condition by changing the API/ABI.
This solves Tor bug #9701, complying with the disk-avoidance requirements documented in
https://www.torproject.org/projects/torbrowser/design/#disk-avoidance.
michael@0 | 1 | /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ |
michael@0 | 2 | /* This Source Code Form is subject to the terms of the Mozilla Public |
michael@0 | 3 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
michael@0 | 4 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
michael@0 | 5 | |
michael@0 | 6 | #include "nsISupports.idl" |
michael@0 | 7 | #include "nsIPrincipal.idl" |
michael@0 | 8 | #include "nsIXPCSecurityManager.idl" |
michael@0 | 9 | interface nsIURI; |
michael@0 | 10 | interface nsIChannel; |
michael@0 | 11 | interface nsIDocShell; |
michael@0 | 12 | interface nsIDomainPolicy; |
michael@0 | 13 | |
michael@0 | 14 | [scriptable, uuid(4c087cc3-e0cc-4ec3-88df-8d68f3023b45)] |
michael@0 | 15 | interface nsIScriptSecurityManager : nsIXPCSecurityManager |
michael@0 | 16 | { |
michael@0 | 17 | /** |
michael@0 | 18 | * Check that the script currently running in context "cx" can load "uri". |
michael@0 | 19 | * |
michael@0 | 20 | * Will return error code NS_ERROR_DOM_BAD_URI if the load request |
michael@0 | 21 | * should be denied. |
michael@0 | 22 | * |
michael@0 | 23 | * @param cx the JSContext of the script causing the load |
michael@0 | 24 | * @param uri the URI that is being loaded |
michael@0 | 25 | */ |
michael@0 | 26 | [noscript] void checkLoadURIFromScript(in JSContextPtr cx, in nsIURI uri); |
michael@0 | 27 | |
michael@0 | 28 | /** |
michael@0 | 29 | * Default CheckLoadURI permissions |
michael@0 | 30 | */ |
michael@0 | 31 | // Default permissions |
michael@0 | 32 | const unsigned long STANDARD = 0; |
michael@0 | 33 | |
michael@0 | 34 | // Indicate that the load is a load of a new document that is not |
michael@0 | 35 | // user-triggered. Here "user-triggered" could be broadly interpreted -- |
michael@0 | 36 | // for example, scripted sets of window.location.href might be treated as |
michael@0 | 37 | // "user-triggered" in some circumstances. A typical example of a load |
michael@0 | 38 | // that is not user-triggered is a <meta> refresh load. If this flag is |
michael@0 | 39 | // set, the load will be denied if the originating principal's URI has the |
michael@0 | 40 | // nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT flag set. |
michael@0 | 41 | const unsigned long LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT = 1 << 0; |
michael@0 | 42 | |
michael@0 | 43 | // Allow the loading of chrome URLs by non-chrome URLs. Use with great |
michael@0 | 44 | // care! This will actually allow the loading of any URI which has the |
michael@0 | 45 | // nsIProtocolHandler::URI_IS_UI_RESOURCE protocol handler flag set. This |
michael@0 | 46 | // probably means at least chrome: and resource:. |
michael@0 | 47 | const unsigned long ALLOW_CHROME = 1 << 1; |
michael@0 | 48 | |
michael@0 | 49 | // Don't allow URLs which would inherit the caller's principal (such as |
michael@0 | 50 | // javascript: or data:) to load. See |
michael@0 | 51 | // nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT. |
michael@0 | 52 | const unsigned long DISALLOW_INHERIT_PRINCIPAL = 1 << 2; |
michael@0 | 53 | |
michael@0 | 54 | // Alias for DISALLOW_INHERIT_PRINCIPAL for backwards compat with |
michael@0 | 55 | // JS-implemented extensions. |
michael@0 | 56 | const unsigned long DISALLOW_SCRIPT_OR_DATA = DISALLOW_INHERIT_PRINCIPAL; |
michael@0 | 57 | |
michael@0 | 58 | // Don't allow javascript: URLs to load |
michael@0 | 59 | // WARNING: Support for this value was added in Mozilla 1.7.8 and |
michael@0 | 60 | // Firefox 1.0.4. Use in prior versions WILL BE IGNORED. |
michael@0 | 61 | // When using this, make sure that you actually want DISALLOW_SCRIPT, not |
michael@0 | 62 | // DISALLOW_INHERIT_PRINCIPAL |
michael@0 | 63 | const unsigned long DISALLOW_SCRIPT = 1 << 3; |
michael@0 | 64 | |
michael@0 | 65 | // Do not report errors if we just want to check if a principal can load |
michael@0 | 66 | // a URI to not unnecessarily spam the error console. |
michael@0 | 67 | const unsigned long DONT_REPORT_ERRORS = 1 << 4; |
michael@0 | 68 | |
michael@0 | 69 | /** |
michael@0 | 70 | * Check that content with principal aPrincipal can load "uri". |
michael@0 | 71 | * |
michael@0 | 72 | * Will return error code NS_ERROR_DOM_BAD_URI if the load request |
michael@0 | 73 | * should be denied. |
michael@0 | 74 | * |
michael@0 | 75 | * @param aPrincipal the principal identifying the actor causing the load |
michael@0 | 76 | * @param uri the URI that is being loaded |
michael@0 | 77 | * @param flags the permission set, see above |
michael@0 | 78 | */ |
michael@0 | 79 | void checkLoadURIWithPrincipal(in nsIPrincipal aPrincipal, |
michael@0 | 80 | in nsIURI uri, |
michael@0 | 81 | in unsigned long flags); |
michael@0 | 82 | |
michael@0 | 83 | /** |
michael@0 | 84 | * Similar to checkLoadURIWithPrincipal but there are two differences: |
michael@0 | 85 | * |
michael@0 | 86 | * 1) The URI is a string, not a URI object. |
michael@0 | 87 | * 2) This function assumes that the URI may still be subject to fixup (and |
michael@0 | 88 | * hence will check whether fixed-up versions of the URI are allowed to |
michael@0 | 89 | * load as well); if any of the versions of this URI is not allowed, this |
michael@0 | 90 | * function will return error code NS_ERROR_DOM_BAD_URI. |
michael@0 | 91 | */ |
michael@0 | 92 | void checkLoadURIStrWithPrincipal(in nsIPrincipal aPrincipal, |
michael@0 | 93 | in AUTF8String uri, |
michael@0 | 94 | in unsigned long flags); |
michael@0 | 95 | |
michael@0 | 96 | /** |
michael@0 | 97 | * Return true if scripts may be executed in the scope of the given global. |
michael@0 | 98 | */ |
michael@0 | 99 | [noscript,notxpcom] boolean scriptAllowed(in JSObjectPtr aGlobal); |
michael@0 | 100 | |
michael@0 | 101 | ///////////////// Principals /////////////////////// |
michael@0 | 102 | /** |
michael@0 | 103 | * Return the principal of the innermost frame of the currently |
michael@0 | 104 | * executing script. Will return null if there is no script |
michael@0 | 105 | * currently executing. |
michael@0 | 106 | */ |
michael@0 | 107 | [noscript] nsIPrincipal getSubjectPrincipal(); |
michael@0 | 108 | |
michael@0 | 109 | /** |
michael@0 | 110 | * Return the all-powerful system principal. |
michael@0 | 111 | */ |
michael@0 | 112 | nsIPrincipal getSystemPrincipal(); |
michael@0 | 113 | |
michael@0 | 114 | /** |
michael@0 | 115 | * Return a principal that has the same origin as aURI. |
michael@0 | 116 | * This principal should not be used for any data/permission check; it will |
michael@0 | 117 | * have appId = UNKNOWN_APP_ID. |
michael@0 | 118 | */ |
michael@0 | 119 | nsIPrincipal getSimpleCodebasePrincipal(in nsIURI aURI); |
michael@0 | 120 | |
michael@0 | 121 | /** |
michael@0 | 122 | * Returns a principal that has the given information. |
michael@0 | 123 | * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID. |
michael@0 | 124 | * @param inMozBrowser is true if the principal has to be considered as |
michael@0 | 125 | * inside a mozbrowser frame. |
michael@0 | 126 | */ |
michael@0 | 127 | nsIPrincipal getAppCodebasePrincipal(in nsIURI uri, |
michael@0 | 128 | in unsigned long appId, |
michael@0 | 129 | in boolean inMozBrowser); |
michael@0 | 130 | |
michael@0 | 131 | /** |
michael@0 | 132 | * Returns a principal that has the appId and inMozBrowser of the docshell |
michael@0 | 133 | * inside a mozbrowser frame. |
michael@0 | 134 | * @param docShell to get appId/inMozBrowser from. |
michael@0 | 135 | */ |
michael@0 | 136 | nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri, |
michael@0 | 137 | in nsIDocShell docShell); |
michael@0 | 138 | |
michael@0 | 139 | /** |
michael@0 | 140 | * Returns a principal that has the same origin as uri and is not part |
michael@0 | 141 | * of an application. |
michael@0 | 142 | * The returned principal will have appId = NO_APP_ID. |
michael@0 | 143 | */ |
michael@0 | 144 | nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri); |
michael@0 | 145 | |
michael@0 | 146 | /** |
michael@0 | 147 | * Legacy name for getNoAppCodebasePrincipal. |
michael@0 | 148 | * |
michael@0 | 149 | * @deprecated use getNoAppCodebasePrincipal instead. |
michael@0 | 150 | */ |
michael@0 | 151 | [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri); |
michael@0 | 152 | |
michael@0 | 153 | /** |
michael@0 | 154 | * Returns true if the principal of the currently running script is the |
michael@0 | 155 | * system principal, false otherwise. |
michael@0 | 156 | */ |
michael@0 | 157 | [noscript] boolean subjectPrincipalIsSystem(); |
michael@0 | 158 | |
michael@0 | 159 | /** |
michael@0 | 160 | * Returns OK if aJSContext and target have the same "origin" |
michael@0 | 161 | * (scheme, host, and port). |
michael@0 | 162 | */ |
michael@0 | 163 | [noscript] void checkSameOrigin(in JSContextPtr aJSContext, |
michael@0 | 164 | in nsIURI aTargetURI); |
michael@0 | 165 | |
michael@0 | 166 | /** |
michael@0 | 167 | * Returns OK if aSourceURI and target have the same "origin" |
michael@0 | 168 | * (scheme, host, and port). |
michael@0 | 169 | * Passing false for reportError suppresses error reports for callers that |
michael@0 | 170 | * don't need reporting. |
michael@0 | 171 | */ |
michael@0 | 172 | void checkSameOriginURI(in nsIURI aSourceURI, |
michael@0 | 173 | in nsIURI aTargetURI, |
michael@0 | 174 | in boolean reportError); |
michael@0 | 175 | /** |
michael@0 | 176 | * Get the principal for the given channel. This will typically be the |
michael@0 | 177 | * channel owner if there is one, and the codebase principal for the |
michael@0 | 178 | * channel's URI otherwise. aChannel must not be null. |
michael@0 | 179 | */ |
michael@0 | 180 | nsIPrincipal getChannelPrincipal(in nsIChannel aChannel); |
michael@0 | 181 | |
michael@0 | 182 | /** |
michael@0 | 183 | * Check whether a given principal is a system principal. This allows us |
michael@0 | 184 | * to avoid handing back the system principal to script while allowing |
michael@0 | 185 | * script to check whether a given principal is system. |
michael@0 | 186 | */ |
michael@0 | 187 | boolean isSystemPrincipal(in nsIPrincipal aPrincipal); |
michael@0 | 188 | %{C++ |
/**
 * C++ convenience wrapper around the scriptable isSystemPrincipal()
 * method declared just above in this interface.
 *
 * @param aPrincipal the principal to test
 * @return true only if the underlying call succeeded and reported that
 *         aPrincipal is the system principal. The call's return status is
 *         not checked, so any failure leaves the default and yields false —
 *         the conservative "not system" answer for a privilege check.
 */
bool IsSystemPrincipal(nsIPrincipal* aPrincipal) {
bool isSystem = false;  // default stays in place unless the call overwrites it
IsSystemPrincipal(aPrincipal, &isSystem);  // status of the call deliberately ignored (fails closed)
return isSystem;
}
michael@0 | 194 | %} |
michael@0 | 195 | |
michael@0 | 196 | /** |
michael@0 | 197 | * Same as getSubjectPrincipal(), only faster. cx must *never* be |
michael@0 | 198 | * passed null, and it must be the context on the top of the |
michael@0 | 199 | * context stack. Does *not* reference count the returned |
michael@0 | 200 | * principal. |
michael@0 | 201 | */ |
michael@0 | 202 | [noscript,notxpcom] nsIPrincipal getCxSubjectPrincipal(in JSContextPtr cx); |
michael@0 | 203 | |
michael@0 | 204 | const unsigned long NO_APP_ID = 0; |
michael@0 | 205 | const unsigned long UNKNOWN_APP_ID = 4294967295; // UINT32_MAX |
michael@0 | 206 | const unsigned long SAFEBROWSING_APP_ID = 4294967294; // UINT32_MAX - 1 |
michael@0 | 207 | |
michael@0 | 208 | /** |
michael@0 | 209 | * Returns the jar prefix for the app. |
michael@0 | 210 | * appId can be NO_APP_ID or a valid app id. appId should not be |
michael@0 | 211 | * UNKNOWN_APP_ID. |
michael@0 | 212 | * inMozBrowser has to be true if the app is inside a mozbrowser iframe. |
michael@0 | 213 | */ |
michael@0 | 214 | AUTF8String getJarPrefix(in unsigned long appId, in boolean inMozBrowser); |
michael@0 | 215 | |
michael@0 | 216 | /** |
michael@0 | 217 | * Per-domain controls to enable and disable script. This system is designed |
michael@0 | 218 | * to be used by at most one consumer, and enforces this with its semantics. |
michael@0 | 219 | * |
michael@0 | 220 | * Initially, domainPolicyActive is false. When activateDomainPolicy() is |
michael@0 | 221 | * invoked, domainPolicyActive becomes true, and subsequent calls to |
michael@0 | 222 | * activateDomainPolicy() will fail until deactivate() is invoked on the |
michael@0 | 223 | * nsIDomainPolicy returned from activateDomainPolicy(). At this point, |
michael@0 | 224 | * domainPolicyActive becomes false again, and a new consumer may acquire |
michael@0 | 225 | * control of the system by invoking activateDomainPolicy(). |
michael@0 | 226 | */ |
michael@0 | 227 | nsIDomainPolicy activateDomainPolicy(); |
michael@0 | 228 | readonly attribute boolean domainPolicyActive; |
michael@0 | 229 | |
michael@0 | 230 | /** |
michael@0 | 231 | * Query mechanism for the above policy. |
michael@0 | 232 | * |
michael@0 | 233 | * If domainPolicyActive is false, this simply returns the current value |
michael@0 | 234 | * of javascript.enabled. Otherwise, it returns the same value, but taking |
michael@0 | 235 | * the various blacklist/whitelist exceptions into account. |
michael@0 | 236 | */ |
michael@0 | 237 | bool policyAllowsScript(in nsIURI aDomain); |
michael@0 | 238 | }; |
michael@0 | 239 | |
michael@0 | 240 | %{C++ |
michael@0 | 241 | #define NS_SCRIPTSECURITYMANAGER_CONTRACTID "@mozilla.org/scriptsecuritymanager;1" |
michael@0 | 242 | %} |