The Tor Browser / file comparison

comparison: caps/idl/nsIScriptSecurityManager.idl

caps/idl/nsIScriptSecurityManager.idl

branch
TOR_BUG_3246
changeset 7
129ffea94266
equal deleted inserted replaced
-1:000000000000 0:c16e58bdbf80
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5
6 #include "nsISupports.idl"
7 #include "nsIPrincipal.idl"
8 #include "nsIXPCSecurityManager.idl"
9 interface nsIURI;
10 interface nsIChannel;
11 interface nsIDocShell;
12 interface nsIDomainPolicy;
13
14 [scriptable, uuid(4c087cc3-e0cc-4ec3-88df-8d68f3023b45)]
15 interface nsIScriptSecurityManager : nsIXPCSecurityManager
16 {
17 /**
18 * Check that the script currently running in context "cx" can load "uri".
19 *
20 * Will return error code NS_ERROR_DOM_BAD_URI if the load request
21 * should be denied.
22 *
23 * @param cx the JSContext of the script causing the load
24 * @param uri the URI that is being loaded
25 */
26 [noscript] void checkLoadURIFromScript(in JSContextPtr cx, in nsIURI uri);
27
28 /**
29 * Default CheckLoadURI permissions
30 */
31 // Default permissions
32 const unsigned long STANDARD = 0;
33
34 // Indicate that the load is a load of a new document that is not
35 // user-triggered. Here "user-triggered" could be broadly interpreted --
36 // for example, scripted sets of window.location.href might be treated as
37 // "user-triggered" in some circumstances. A typical example of a load
38 // that is not user-triggered is a <meta> refresh load. If this flag is
39 // set, the load will be denied if the originating principal's URI has the
40 // nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT flag set.
41 const unsigned long LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT = 1 << 0;
42
43 // Allow the loading of chrome URLs by non-chrome URLs. Use with great
44 // care! This will actually allow the loading of any URI which has the
45 // nsIProtocolHandler::URI_IS_UI_RESOURCE protocol handler flag set. Ths
46 // probably means at least chrome: and resource:.
47 const unsigned long ALLOW_CHROME = 1 << 1;
48
49 // Don't allow URLs which would inherit the caller's principal (such as
50 // javascript: or data:) to load. See
51 // nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT.
52 const unsigned long DISALLOW_INHERIT_PRINCIPAL = 1 << 2;
53
54 // Alias for DISALLOW_INHERIT_PRINCIPAL for backwards compat with
55 // JS-implemented extensions.
56 const unsigned long DISALLOW_SCRIPT_OR_DATA = DISALLOW_INHERIT_PRINCIPAL;
57
58 // Don't allow javascript: URLs to load
59 // WARNING: Support for this value was added in Mozilla 1.7.8 and
60 // Firefox 1.0.4. Use in prior versions WILL BE IGNORED.
61 // When using this, make sure that you actually want DISALLOW_SCRIPT, not
62 // DISALLOW_INHERIT_PRINCIPAL
63 const unsigned long DISALLOW_SCRIPT = 1 << 3;
64
65 // Do not report errors if we just want to check if a principal can load
66 // a URI to not unnecessarily spam the error console.
67 const unsigned long DONT_REPORT_ERRORS = 1 << 4;
68
69 /**
70 * Check that content with principal aPrincipal can load "uri".
71 *
72 * Will return error code NS_ERROR_DOM_BAD_URI if the load request
73 * should be denied.
74 *
75 * @param aPrincipal the principal identifying the actor causing the load
76 * @param uri the URI that is being loaded
77 * @param flags the permission set, see above
78 */
79 void checkLoadURIWithPrincipal(in nsIPrincipal aPrincipal,
80 in nsIURI uri,
81 in unsigned long flags);
82
83 /**
84 * Similar to checkLoadURIWithPrincipal but there are two differences:
85 *
86 * 1) The URI is a string, not a URI object.
87 * 2) This function assumes that the URI may still be subject to fixup (and
88 * hence will check whether fixed-up versions of the URI are allowed to
89 * load as well); if any of the versions of this URI is not allowed, this
90 * function will return error code NS_ERROR_DOM_BAD_URI.
91 */
92 void checkLoadURIStrWithPrincipal(in nsIPrincipal aPrincipal,
93 in AUTF8String uri,
94 in unsigned long flags);
95
96 /**
97 * Return true if scripts may be executed in the scope of the given global.
98 */
99 [noscript,notxpcom] boolean scriptAllowed(in JSObjectPtr aGlobal);
100
101 ///////////////// Principals ///////////////////////
102 /**
103 * Return the principal of the innermost frame of the currently
104 * executing script. Will return null if there is no script
105 * currently executing.
106 */
107 [noscript] nsIPrincipal getSubjectPrincipal();
108
109 /**
110 * Return the all-powerful system principal.
111 */
112 nsIPrincipal getSystemPrincipal();
113
114 /**
115 * Return a principal that has the same origin as aURI.
116 * This principals should not be used for any data/permission check, it will
117 * have appId = UNKNOWN_APP_ID.
118 */
119 nsIPrincipal getSimpleCodebasePrincipal(in nsIURI aURI);
120
121 /**
122 * Returns a principal that has the given information.
123 * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
124 * @param inMozBrowser is true if the principal has to be considered as
125 * inside a mozbrowser frame.
126 */
127 nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
128 in unsigned long appId,
129 in boolean inMozBrowser);
130
131 /**
132 * Returns a principal that has the appId and inMozBrowser of the docshell
133 * inside a mozbrowser frame.
134 * @param docShell to get appId/inMozBrowser from.
135 */
136 nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri,
137 in nsIDocShell docShell);
138
139 /**
140 * Returns a principal with that has the same origin as uri and is not part
141 * of an appliction.
142 * The returned principal will have appId = NO_APP_ID.
143 */
144 nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
145
146 /**
147 * Legacy name for getNoAppCodebasePrincipal.
148 *
149 * @deprecated use getNoAppCodebasePrincipal instead.
150 */
151 [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri);
152
153 /**
154 * Returns true if the principal of the currently running script is the
155 * system principal, false otherwise.
156 */
157 [noscript] boolean subjectPrincipalIsSystem();
158
159 /**
160 * Returns OK if aJSContext and target have the same "origin"
161 * (scheme, host, and port).
162 */
163 [noscript] void checkSameOrigin(in JSContextPtr aJSContext,
164 in nsIURI aTargetURI);
165
166 /**
167 * Returns OK if aSourceURI and target have the same "origin"
168 * (scheme, host, and port).
169 * ReportError flag suppresses error reports for functions that
170 * don't need reporting.
171 */
172 void checkSameOriginURI(in nsIURI aSourceURI,
173 in nsIURI aTargetURI,
174 in boolean reportError);
175 /**
176 * Get the principal for the given channel. This will typically be the
177 * channel owner if there is one, and the codebase principal for the
178 * channel's URI otherwise. aChannel must not be null.
179 */
180 nsIPrincipal getChannelPrincipal(in nsIChannel aChannel);
181
182 /**
183 * Check whether a given principal is a system principal. This allows us
184 * to avoid handing back the system principal to script while allowing
185 * script to check whether a given principal is system.
186 */
187 boolean isSystemPrincipal(in nsIPrincipal aPrincipal);
188 %{C++
189 bool IsSystemPrincipal(nsIPrincipal* aPrincipal) {
190 bool isSystem = false;
191 IsSystemPrincipal(aPrincipal, &isSystem);
192 return isSystem;
193 }
194 %}
195
196 /**
197 * Same as getSubjectPrincipal(), only faster. cx must *never* be
198 * passed null, and it must be the context on the top of the
199 * context stack. Does *not* reference count the returned
200 * principal.
201 */
202 [noscript,notxpcom] nsIPrincipal getCxSubjectPrincipal(in JSContextPtr cx);
203
204 const unsigned long NO_APP_ID = 0;
205 const unsigned long UNKNOWN_APP_ID = 4294967295; // UINT32_MAX
206 const unsigned long SAFEBROWSING_APP_ID = 4294967294; // UINT32_MAX - 1
207
208 /**
209 * Returns the jar prefix for the app.
210 * appId can be NO_APP_ID or a valid app id. appId should not be
211 * UNKNOWN_APP_ID.
212 * inMozBrowser has to be true if the app is inside a mozbrowser iframe.
213 */
214 AUTF8String getJarPrefix(in unsigned long appId, in boolean inMozBrowser);
215
216 /**
217 * Per-domain controls to enable and disable script. This system is designed
218 * to be used by at most one consumer, and enforces this with its semantics.
219 *
220 * Initially, domainPolicyActive is false. When activateDomainPolicy() is
221 * invoked, domainPolicyActive becomes true, and subsequent calls to
222 * activateDomainPolicy() will fail until deactivate() is invoked on the
223 * nsIDomainPolicy returned from activateDomainPolicy(). At this point,
224 * domainPolicyActive becomes false again, and a new consumer may acquire
225 * control of the system by invoking activateDomainPolicy().
226 */
227 nsIDomainPolicy activateDomainPolicy();
228 readonly attribute boolean domainPolicyActive;
229
230 /**
231 * Query mechanism for the above policy.
232 *
233 * If domainPolicyEnabled is false, this simply returns the current value
234 * of javascript.enabled. Otherwise, it returns the same value, but taking
235 * the various blacklist/whitelist exceptions into account.
236 */
237 bool policyAllowsScript(in nsIURI aDomain);
238 };
239
240 %{C++
241 #define NS_SCRIPTSECURITYMANAGER_CONTRACTID "@mozilla.org/scriptsecuritymanager;1"
242 %}

Mercurial Repository: The Tor Browser

Europalab SCM Repository Server

mercurial