1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/caps/idl/nsIScriptSecurityManager.idl Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,242 @@
1.4 +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
1.5 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.6 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.7 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.8 +
1.9 +#include "nsISupports.idl"
1.10 +#include "nsIPrincipal.idl"
1.11 +#include "nsIXPCSecurityManager.idl"
1.12 +interface nsIURI;
1.13 +interface nsIChannel;
1.14 +interface nsIDocShell;
1.15 +interface nsIDomainPolicy;
1.16 +
1.17 +[scriptable, uuid(4c087cc3-e0cc-4ec3-88df-8d68f3023b45)]
1.18 +interface nsIScriptSecurityManager : nsIXPCSecurityManager
1.19 +{
1.20 + /**
1.21 + * Check that the script currently running in context "cx" can load "uri".
1.22 + *
1.23 + * Will return error code NS_ERROR_DOM_BAD_URI if the load request
1.24 + * should be denied.
1.25 + *
1.26 + * @param cx the JSContext of the script causing the load
1.27 + * @param uri the URI that is being loaded
1.28 + */
1.29 + [noscript] void checkLoadURIFromScript(in JSContextPtr cx, in nsIURI uri);
1.30 +
1.31 + /**
1.32 + * Default CheckLoadURI permissions
1.33 + */
1.34 + // Default permissions
1.35 + const unsigned long STANDARD = 0;
1.36 +
1.37 + // Indicate that the load is a load of a new document that is not
1.38 + // user-triggered. Here "user-triggered" could be broadly interpreted --
1.39 + // for example, scripted sets of window.location.href might be treated as
1.40 + // "user-triggered" in some circumstances. A typical example of a load
1.41 + // that is not user-triggered is a <meta> refresh load. If this flag is
1.42 + // set, the load will be denied if the originating principal's URI has the
1.43 + // nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT flag set.
1.44 + const unsigned long LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT = 1 << 0;
1.45 +
1.46 + // Allow the loading of chrome URLs by non-chrome URLs. Use with great
1.47 + // care! This will actually allow the loading of any URI which has the
1.48 + // nsIProtocolHandler::URI_IS_UI_RESOURCE protocol handler flag set. Ths
1.49 + // probably means at least chrome: and resource:.
1.50 + const unsigned long ALLOW_CHROME = 1 << 1;
1.51 +
1.52 + // Don't allow URLs which would inherit the caller's principal (such as
1.53 + // javascript: or data:) to load. See
1.54 + // nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT.
1.55 + const unsigned long DISALLOW_INHERIT_PRINCIPAL = 1 << 2;
1.56 +
1.57 + // Alias for DISALLOW_INHERIT_PRINCIPAL for backwards compat with
1.58 + // JS-implemented extensions.
1.59 + const unsigned long DISALLOW_SCRIPT_OR_DATA = DISALLOW_INHERIT_PRINCIPAL;
1.60 +
1.61 + // Don't allow javascript: URLs to load
1.62 + // WARNING: Support for this value was added in Mozilla 1.7.8 and
1.63 + // Firefox 1.0.4. Use in prior versions WILL BE IGNORED.
1.64 + // When using this, make sure that you actually want DISALLOW_SCRIPT, not
1.65 + // DISALLOW_INHERIT_PRINCIPAL
1.66 + const unsigned long DISALLOW_SCRIPT = 1 << 3;
1.67 +
1.68 + // Do not report errors if we just want to check if a principal can load
1.69 + // a URI to not unnecessarily spam the error console.
1.70 + const unsigned long DONT_REPORT_ERRORS = 1 << 4;
1.71 +
1.72 + /**
1.73 + * Check that content with principal aPrincipal can load "uri".
1.74 + *
1.75 + * Will return error code NS_ERROR_DOM_BAD_URI if the load request
1.76 + * should be denied.
1.77 + *
1.78 + * @param aPrincipal the principal identifying the actor causing the load
1.79 + * @param uri the URI that is being loaded
1.80 + * @param flags the permission set, see above
1.81 + */
1.82 + void checkLoadURIWithPrincipal(in nsIPrincipal aPrincipal,
1.83 + in nsIURI uri,
1.84 + in unsigned long flags);
1.85 +
1.86 + /**
1.87 + * Similar to checkLoadURIWithPrincipal but there are two differences:
1.88 + *
1.89 + * 1) The URI is a string, not a URI object.
1.90 + * 2) This function assumes that the URI may still be subject to fixup (and
1.91 + * hence will check whether fixed-up versions of the URI are allowed to
1.92 + * load as well); if any of the versions of this URI is not allowed, this
1.93 + * function will return error code NS_ERROR_DOM_BAD_URI.
1.94 + */
1.95 + void checkLoadURIStrWithPrincipal(in nsIPrincipal aPrincipal,
1.96 + in AUTF8String uri,
1.97 + in unsigned long flags);
1.98 +
1.99 + /**
1.100 + * Return true if scripts may be executed in the scope of the given global.
1.101 + */
1.102 + [noscript,notxpcom] boolean scriptAllowed(in JSObjectPtr aGlobal);
1.103 +
1.104 + ///////////////// Principals ///////////////////////
1.105 + /**
1.106 + * Return the principal of the innermost frame of the currently
1.107 + * executing script. Will return null if there is no script
1.108 + * currently executing.
1.109 + */
1.110 + [noscript] nsIPrincipal getSubjectPrincipal();
1.111 +
1.112 + /**
1.113 + * Return the all-powerful system principal.
1.114 + */
1.115 + nsIPrincipal getSystemPrincipal();
1.116 +
1.117 + /**
1.118 + * Return a principal that has the same origin as aURI.
1.119 + * This principals should not be used for any data/permission check, it will
1.120 + * have appId = UNKNOWN_APP_ID.
1.121 + */
1.122 + nsIPrincipal getSimpleCodebasePrincipal(in nsIURI aURI);
1.123 +
1.124 + /**
1.125 + * Returns a principal that has the given information.
1.126 + * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
1.127 + * @param inMozBrowser is true if the principal has to be considered as
1.128 + * inside a mozbrowser frame.
1.129 + */
1.130 + nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
1.131 + in unsigned long appId,
1.132 + in boolean inMozBrowser);
1.133 +
1.134 + /**
1.135 + * Returns a principal that has the appId and inMozBrowser of the docshell
1.136 + * inside a mozbrowser frame.
1.137 + * @param docShell to get appId/inMozBrowser from.
1.138 + */
1.139 + nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri,
1.140 + in nsIDocShell docShell);
1.141 +
1.142 + /**
1.143 + * Returns a principal with that has the same origin as uri and is not part
1.144 + * of an appliction.
1.145 + * The returned principal will have appId = NO_APP_ID.
1.146 + */
1.147 + nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
1.148 +
1.149 + /**
1.150 + * Legacy name for getNoAppCodebasePrincipal.
1.151 + *
1.152 + * @deprecated use getNoAppCodebasePrincipal instead.
1.153 + */
1.154 + [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri);
1.155 +
1.156 + /**
1.157 + * Returns true if the principal of the currently running script is the
1.158 + * system principal, false otherwise.
1.159 + */
1.160 + [noscript] boolean subjectPrincipalIsSystem();
1.161 +
1.162 + /**
1.163 + * Returns OK if aJSContext and target have the same "origin"
1.164 + * (scheme, host, and port).
1.165 + */
1.166 + [noscript] void checkSameOrigin(in JSContextPtr aJSContext,
1.167 + in nsIURI aTargetURI);
1.168 +
1.169 + /**
1.170 + * Returns OK if aSourceURI and target have the same "origin"
1.171 + * (scheme, host, and port).
1.172 + * ReportError flag suppresses error reports for functions that
1.173 + * don't need reporting.
1.174 + */
1.175 + void checkSameOriginURI(in nsIURI aSourceURI,
1.176 + in nsIURI aTargetURI,
1.177 + in boolean reportError);
1.178 + /**
1.179 + * Get the principal for the given channel. This will typically be the
1.180 + * channel owner if there is one, and the codebase principal for the
1.181 + * channel's URI otherwise. aChannel must not be null.
1.182 + */
1.183 + nsIPrincipal getChannelPrincipal(in nsIChannel aChannel);
1.184 +
1.185 + /**
1.186 + * Check whether a given principal is a system principal. This allows us
1.187 + * to avoid handing back the system principal to script while allowing
1.188 + * script to check whether a given principal is system.
1.189 + */
1.190 + boolean isSystemPrincipal(in nsIPrincipal aPrincipal);
1.191 +%{C++
1.192 + bool IsSystemPrincipal(nsIPrincipal* aPrincipal) {
1.193 + bool isSystem = false;
1.194 + IsSystemPrincipal(aPrincipal, &isSystem);
1.195 + return isSystem;
1.196 + }
1.197 +%}
1.198 +
1.199 + /**
1.200 + * Same as getSubjectPrincipal(), only faster. cx must *never* be
1.201 + * passed null, and it must be the context on the top of the
1.202 + * context stack. Does *not* reference count the returned
1.203 + * principal.
1.204 + */
1.205 + [noscript,notxpcom] nsIPrincipal getCxSubjectPrincipal(in JSContextPtr cx);
1.206 +
1.207 + const unsigned long NO_APP_ID = 0;
1.208 + const unsigned long UNKNOWN_APP_ID = 4294967295; // UINT32_MAX
1.209 + const unsigned long SAFEBROWSING_APP_ID = 4294967294; // UINT32_MAX - 1
1.210 +
1.211 + /**
1.212 + * Returns the jar prefix for the app.
1.213 + * appId can be NO_APP_ID or a valid app id. appId should not be
1.214 + * UNKNOWN_APP_ID.
1.215 + * inMozBrowser has to be true if the app is inside a mozbrowser iframe.
1.216 + */
1.217 + AUTF8String getJarPrefix(in unsigned long appId, in boolean inMozBrowser);
1.218 +
1.219 + /**
1.220 + * Per-domain controls to enable and disable script. This system is designed
1.221 + * to be used by at most one consumer, and enforces this with its semantics.
1.222 + *
1.223 + * Initially, domainPolicyActive is false. When activateDomainPolicy() is
1.224 + * invoked, domainPolicyActive becomes true, and subsequent calls to
1.225 + * activateDomainPolicy() will fail until deactivate() is invoked on the
1.226 + * nsIDomainPolicy returned from activateDomainPolicy(). At this point,
1.227 + * domainPolicyActive becomes false again, and a new consumer may acquire
1.228 + * control of the system by invoking activateDomainPolicy().
1.229 + */
1.230 + nsIDomainPolicy activateDomainPolicy();
1.231 + readonly attribute boolean domainPolicyActive;
1.232 +
1.233 + /**
1.234 + * Query mechanism for the above policy.
1.235 + *
1.236 + * If domainPolicyEnabled is false, this simply returns the current value
1.237 + * of javascript.enabled. Otherwise, it returns the same value, but taking
1.238 + * the various blacklist/whitelist exceptions into account.
1.239 + */
1.240 + bool policyAllowsScript(in nsIURI aDomain);
1.241 +};
1.242 +
1.243 +%{C++
1.244 +#define NS_SCRIPTSECURITYMANAGER_CONTRACTID "@mozilla.org/scriptsecuritymanager;1"
1.245 +%}
