1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/content/base/public/nsIContentSecurityPolicy.idl Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,239 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#include "nsISerializable.idl"
1.9 +
1.10 +interface nsIURI;
1.11 +interface nsIChannel;
1.12 +interface nsIDocShell;
1.13 +interface nsIPrincipal;
1.14 +
1.15 +/**
1.16 + * nsIContentSecurityPolicy
1.17 + * Describes an XPCOM component used to model and enforce CSPs. Instances of
1.18 + * this class may have multiple policies within them, but there should only be
1.19 + * one of these per document/principal.
1.20 + */
1.21 +
1.22 +[scriptable, uuid(8b91f829-b1bf-4327-8ece-4000aa823394)]
1.23 +interface nsIContentSecurityPolicy : nsISerializable
1.24 +{
1.25 +
1.26 + /**
1.27 + * Set to true when the CSP has been read in and parsed and is ready to
1.28 + * enforce. This is a barrier for the nsDocument so it doesn't load any
1.29 + * sub-content until either it knows that a CSP is ready or will not be used.
1.30 + */
1.31 + attribute boolean isInitialized;
1.32 +
1.33 + /**
1.34 + * Accessor method for a read-only string version of the policy at a given
1.35 + * index.
1.36 + */
1.37 + AString getPolicy(in unsigned long index);
1.38 +
1.39 + /**
1.40 + * Returns the number of policies attached to this CSP instance. Useful with
1.41 + * getPolicy().
1.42 + */
1.43 + attribute long policyCount;
1.44 +
1.45 + /**
1.46 + * Remove a policy associated with this CSP context.
1.47 + * @throws NS_ERROR_FAILURE if the index is out of bounds or invalid.
1.48 + */
1.49 + void removePolicy(in unsigned long index);
1.50 +
1.51 + /**
1.52 + * Parse and install a CSP policy.
1.53 + * @param aPolicy
1.54 + * String representation of the policy (e.g., header value)
1.55 + * @param selfURI
1.56 + * the URI of the protected document/principal
1.57 + * @param reportOnly
1.58 + * Should this policy affect content, script and style processing or
1.59 + * just send reports if it is violated?
1.60 + * @param specCompliant
1.61 + * Whether or not the policy conforms to the W3C specification.
1.62 + * If this is false, that indicates this policy is from the older
1.63 + * implementation with different semantics and directive names.
1.64 + */
1.65 + void appendPolicy(in AString policyString, in nsIURI selfURI,
1.66 + in boolean reportOnly, in boolean specCompliant);
1.67 +
1.68 + /**
1.69 + * Whether this policy allows in-page script.
1.70 + * @param shouldReportViolations
1.71 + * Whether or not the use of inline script should be reported.
1.72 + * This function always returns "true" for report-only policies, but when
1.73 + * any policy (report-only or otherwise) is violated,
1.74 + * shouldReportViolations is true as well.
1.75 + * @return
1.76 + * Whether or not the effects of the inline script should be allowed
1.77 + * (block the compilation if false).
1.78 + */
1.79 + boolean getAllowsInlineScript(out boolean shouldReportViolations);
1.80 +
1.81 + /**
1.82 + * whether this policy allows eval and eval-like functions
1.83 + * such as setTimeout("code string", time).
1.84 + * @param shouldReportViolations
1.85 + * Whether or not the use of eval should be reported.
1.86 + * This function returns "true" when violating report-only policies, but
1.87 + * when any policy (report-only or otherwise) is violated,
1.88 + * shouldReportViolations is true as well.
1.89 + * @return
1.90 + * Whether or not the effects of the eval call should be allowed
1.91 + * (block the call if false).
1.92 + */
1.93 + boolean getAllowsEval(out boolean shouldReportViolations);
1.94 +
1.95 + /**
1.96 + * Whether this policy allows in-page styles.
1.97 + * This includes <style> tags with text content and style="" attributes in
1.98 + * HTML elements.
1.99 + * @param shouldReportViolations
1.100 + * Whether or not the use of inline style should be reported.
1.101 + * If there are report-only policies, this function may return true
1.102 + * (don't block), but one or more policy may still want to send
1.103 + * violation reports so shouldReportViolations will be true even if the
1.104 + * inline style should be permitted.
1.105 + * @return
1.106 + * Whether or not the effects of the inline style should be allowed
1.107 + * (block the rules if false).
1.108 + */
1.109 + boolean getAllowsInlineStyle(out boolean shouldReportViolations);
1.110 +
1.111 + /**
1.112 + * Whether this policy accepts the given nonce
1.113 + * @param aNonce
1.114 + * The nonce string to check against the policy
1.115 + * @param aContentType
1.116 + * The type of element on which we encountered this nonce
1.117 + * @param shouldReportViolation
1.118 + * Whether or not the use of an incorrect nonce should be reported.
1.119 + * This function always returns "true" for report-only policies, but when
1.120 + * the report-only policy is violated, shouldReportViolation is true as
1.121 + * well.
1.122 + * @return
1.123 + * Whether or not this nonce is valid
1.124 + */
1.125 + boolean getAllowsNonce(in AString aNonce,
1.126 + in unsigned long aContentType,
1.127 + out boolean shouldReportViolation);
1.128 +
1.129 + /**
1.130 + * Whether this policy accepts the given inline resource based on the hash
1.131 + * of its content.
1.132 + * @param aContent
1.133 + * The content of the inline resource to hash (and compare to the
1.134 + * hashes listed in the policy)
1.135 + * @param aContentType
1.136 + * The type of inline element (script or style)
1.137 + * @param shouldReportViolation
1.138 + * Whether this inline resource should be reported as a hash-source
1.139 + * violation. If there are no hash-sources in the policy, this is
1.140 + * always false.
1.141 + * @return
1.142 + * Whether or not this inline resource is whitelisted by a hash-source
1.143 + */
1.144 + boolean getAllowsHash(in AString aContent,
1.145 + in unsigned short aContentType,
1.146 + out boolean shouldReportViolation);
1.147 +
1.148 + /**
1.149 + * For each violated policy (of type violationType), log policy violation on
1.150 + * the Error Console and send a report to report-uris present in the violated
1.151 + * policies.
1.152 + *
1.153 + * @param violationType
1.154 + * one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval
1.155 + * @param sourceFile
1.156 + * name of the source file containing the violation (if available)
1.157 + * @param contentSample
1.158 + * sample of the violating content (to aid debugging)
1.159 + * @param lineNum
1.160 + * source line number of the violation (if available)
1.161 + * @param aNonce
1.162 + * (optional) If this is a nonce violation, include the nonce so we can
1.163 + * recheck to determine which policies were violated and send the
1.164 + * appropriate reports.
1.165 + * @param aContent
1.166 + * (optional) If this is a hash violation, include contents of the inline
1.167 + * resource in the question so we can recheck the hash in order to
1.168 + * determine which policies were violated and send the appropriate
1.169 + * reports.
1.170 + */
1.171 + void logViolationDetails(in unsigned short violationType,
1.172 + in AString sourceFile,
1.173 + in AString scriptSample,
1.174 + in int32_t lineNum,
1.175 + [optional] in AString nonce,
1.176 + [optional] in AString content);
1.177 +
1.178 + const unsigned short VIOLATION_TYPE_INLINE_SCRIPT = 1;
1.179 + const unsigned short VIOLATION_TYPE_EVAL = 2;
1.180 + const unsigned short VIOLATION_TYPE_INLINE_STYLE = 3;
1.181 + const unsigned short VIOLATION_TYPE_NONCE_SCRIPT = 4;
1.182 + const unsigned short VIOLATION_TYPE_NONCE_STYLE = 5;
1.183 + const unsigned short VIOLATION_TYPE_HASH_SCRIPT = 6;
1.184 + const unsigned short VIOLATION_TYPE_HASH_STYLE = 7;
1.185 +
1.186 + /**
1.187 + * Called after the CSP object is created to fill in appropriate request
1.188 + * context and give it a reference to its owning principal for violation
1.189 + * report generation.
1.190 + * This will use whatever data is available, choosing earlier arguments first
1.191 + * if multiple are available. Either way, it will attempt to obtain the URI,
1.192 + * referrer and the principal from whatever is available. If the channel is
1.193 + * available, it'll also store that for processing policy-uri directives.
1.194 + */
1.195 + void setRequestContext(in nsIURI selfURI,
1.196 + in nsIURI referrer,
1.197 + in nsIPrincipal documentPrincipal,
1.198 + in nsIChannel aChannel);
1.199 +
1.200 + /**
1.201 + * Verifies ancestry as permitted by the policy.
1.202 + *
1.203 + * NOTE: Calls to this may trigger violation reports when queried, so this
1.204 + * value should not be cached.
1.205 + *
1.206 + * @param docShell
1.207 + * containing the protected resource
1.208 + * @return
1.209 + * true if the frame's ancestors are all allowed by policy (except for
1.210 + * report-only policies, which will send reports and then return true
1.211 + * here when violated).
1.212 + */
1.213 + boolean permitsAncestry(in nsIDocShell docShell);
1.214 +
1.215 + /**
1.216 + * Delegate method called by the service when sub-elements of the protected
1.217 + * document are being loaded. Given a bit of information about the request,
1.218 + * decides whether or not the policy is satisfied.
1.219 + *
1.220 + * Calls to this may trigger violation reports when queried, so
1.221 + * this value should not be cached.
1.222 + */
1.223 + short shouldLoad(in unsigned long aContentType,
1.224 + in nsIURI aContentLocation,
1.225 + in nsIURI aRequestOrigin,
1.226 + in nsISupports aContext,
1.227 + in ACString aMimeTypeGuess,
1.228 + in nsISupports aExtra);
1.229 +
1.230 + /**
1.231 + * Delegate method called by the service when sub-elements of the protected
1.232 + * document are being processed. Given a bit of information about the request,
1.233 + * decides whether or not the policy is satisfied.
1.234 + */
1.235 + short shouldProcess(in unsigned long aContentType,
1.236 + in nsIURI aContentLocation,
1.237 + in nsIURI aRequestOrigin,
1.238 + in nsISupports aContext,
1.239 + in ACString aMimeType,
1.240 + in nsISupports aExtra);
1.241 +
1.242 +};
