michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public
michael@0:  * License, v. 2.0. If a copy of the MPL was not distributed with this
michael@0:  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
michael@0: 
michael@0: #include "nsISerializable.idl"
michael@0: 
michael@0: interface nsIURI;
michael@0: interface nsIChannel;
michael@0: interface nsIDocShell;
michael@0: interface nsIPrincipal;
michael@0: 
michael@0: /**
michael@0:  * nsIContentSecurityPolicy
michael@0:  * Describes an XPCOM component used to model and enforce CSPs.  Instances of
michael@0:  * this class may have multiple policies within them, but there should only be
michael@0:  * one of these per document/principal.
michael@0:  */
michael@0: 
michael@0: [scriptable, uuid(8b91f829-b1bf-4327-8ece-4000aa823394)]
michael@0: interface nsIContentSecurityPolicy : nsISerializable
michael@0: {
michael@0: 
michael@0:   /**
michael@0:    * Set to true when the CSP has been read in and parsed and is ready to
michael@0:    * enforce.  This is a barrier for the nsDocument so it doesn't load any
michael@0:    * sub-content until either it knows that a CSP is ready or will not be used.
michael@0:    */
michael@0:   attribute boolean isInitialized;
michael@0: 
michael@0:   /**
michael@0:    * Accessor method for a read-only string version of the policy at a given
michael@0:    * index.
michael@0:    */
michael@0:   AString getPolicy(in unsigned long index);
michael@0: 
michael@0:   /**
michael@0:    * Returns the number of policies attached to this CSP instance.  Useful with
michael@0:    * getPolicy().
michael@0:    */
michael@0:   attribute long policyCount;
michael@0: 
michael@0:   /**
michael@0:    * Remove a policy associated with this CSP context.
michael@0:    * @throws NS_ERROR_FAILURE if the index is out of bounds or invalid.
michael@0:    */
michael@0:   void removePolicy(in unsigned long index);
michael@0: 
michael@0:   /**
michael@0:    * Parse and install a CSP policy.
michael@0:    * @param aPolicy
michael@0:    *        String representation of the policy (e.g., header value)
michael@0:    * @param selfURI
michael@0:    *        the URI of the protected document/principal
michael@0:    * @param reportOnly
michael@0:    *        Should this policy affect content, script and style processing or
michael@0:    *        just send reports if it is violated?
michael@0:    * @param specCompliant
michael@0:    *        Whether or not the policy conforms to the W3C specification.
michael@0:    *        If this is false, that indicates this policy is from the older
michael@0:    *        implementation with different semantics and directive names.
michael@0:    */
michael@0:   void appendPolicy(in AString policyString, in nsIURI selfURI,
michael@0:                     in boolean reportOnly, in boolean specCompliant);
michael@0: 
michael@0:   /**
michael@0:    * Whether this policy allows in-page script.
michael@0:    * @param shouldReportViolations
michael@0:    *     Whether or not the use of inline script should be reported.
michael@0:    *     This function always returns "true" for report-only policies, but when
michael@0:    *     any policy (report-only or otherwise) is violated,
michael@0:    *     shouldReportViolations is true as well.
michael@0:    * @return
michael@0:    *     Whether or not the effects of the inline script should be allowed
michael@0:    *     (block the compilation if false).
michael@0:    */
michael@0:   boolean getAllowsInlineScript(out boolean shouldReportViolations);
michael@0: 
michael@0:   /**
michael@0:    * whether this policy allows eval and eval-like functions
michael@0:    * such as setTimeout("code string", time).
michael@0:    * @param shouldReportViolations
michael@0:    *     Whether or not the use of eval should be reported.
michael@0:    *     This function returns "true" when violating report-only policies, but
michael@0:    *     when any policy (report-only or otherwise) is violated,
michael@0:    *     shouldReportViolations is true as well.
michael@0:    * @return
michael@0:    *     Whether or not the effects of the eval call should be allowed
michael@0:    *     (block the call if false).
michael@0:    */
michael@0:   boolean getAllowsEval(out boolean shouldReportViolations);
michael@0: 
michael@0:   /**
michael@0:    * Whether this policy allows in-page styles.
michael@0:    * This includes <style> tags with text content and style="" attributes in
michael@0:    * HTML elements.
michael@0:    * @param shouldReportViolations
michael@0:    *     Whether or not the use of inline style should be reported.
michael@0:    *     If there are report-only policies, this function may return true
michael@0:    *     (don't block), but one or more policy may still want to send
michael@0:    *     violation reports so shouldReportViolations will be true even if the
michael@0:    *     inline style should be permitted.
michael@0:    * @return
michael@0:    *     Whether or not the effects of the inline style should be allowed
michael@0:    *     (block the rules if false).
michael@0:    */
michael@0:   boolean getAllowsInlineStyle(out boolean shouldReportViolations);
michael@0: 
michael@0:   /**
michael@0:    * Whether this policy accepts the given nonce
michael@0:    * @param aNonce
michael@0:    *     The nonce string to check against the policy
michael@0:    * @param aContentType
michael@0:    *     The type of element on which we encountered this nonce
michael@0:    * @param shouldReportViolation
michael@0:    *     Whether or not the use of an incorrect nonce should be reported.
michael@0:    *     This function always returns "true" for report-only policies, but when
michael@0:    *     the report-only policy is violated, shouldReportViolation is true as
michael@0:    *     well.
michael@0:    * @return
michael@0:    *     Whether or not this nonce is valid
michael@0:    */
michael@0:    boolean getAllowsNonce(in AString aNonce,
michael@0:                           in unsigned long aContentType,
michael@0:                           out boolean shouldReportViolation);
michael@0: 
michael@0:    /**
michael@0:     * Whether this policy accepts the given inline resource based on the hash
michael@0:     * of its content.
michael@0:     * @param aContent
michael@0:     *     The content of the inline resource to hash (and compare to the
michael@0:     *     hashes listed in the policy)
michael@0:     * @param aContentType
michael@0:     *     The type of inline element (script or style)
michael@0:     * @param shouldReportViolation
michael@0:     *     Whether this inline resource should be reported as a hash-source
michael@0:     *     violation. If there are no hash-sources in the policy, this is
michael@0:     *     always false.
michael@0:     * @return
michael@0:     *     Whether or not this inline resource is whitelisted by a hash-source
michael@0:     */
michael@0:    boolean getAllowsHash(in AString aContent,
michael@0:                          in unsigned short aContentType,
michael@0:                          out boolean shouldReportViolation);
michael@0: 
michael@0:   /**
michael@0:    * For each violated policy (of type violationType), log policy violation on
michael@0:    * the Error Console and send a report to report-uris present in the violated
michael@0:    * policies.
michael@0:    *
michael@0:    * @param violationType
michael@0:    *     one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval
michael@0:    * @param sourceFile
michael@0:    *     name of the source file containing the violation (if available)
michael@0:    * @param contentSample
michael@0:    *     sample of the violating content (to aid debugging)
michael@0:    * @param lineNum
michael@0:    *     source line number of the violation (if available)
michael@0:    * @param aNonce
michael@0:    *     (optional) If this is a nonce violation, include the nonce so we can
michael@0:    *     recheck to determine which policies were violated and send the
michael@0:    *     appropriate reports.
michael@0:    * @param aContent
michael@0:    *     (optional) If this is a hash violation, include contents of the inline
michael@0:    *     resource in the question so we can recheck the hash in order to
michael@0:    *     determine which policies were violated and send the appropriate
michael@0:    *     reports.
michael@0:    */
michael@0:   void logViolationDetails(in unsigned short violationType,
michael@0:                            in AString sourceFile,
michael@0:                            in AString scriptSample,
michael@0:                            in int32_t lineNum,
michael@0:                            [optional] in AString nonce,
michael@0:                            [optional] in AString content);
michael@0: 
michael@0:   const unsigned short VIOLATION_TYPE_INLINE_SCRIPT = 1;
michael@0:   const unsigned short VIOLATION_TYPE_EVAL          = 2;
michael@0:   const unsigned short VIOLATION_TYPE_INLINE_STYLE  = 3;
michael@0:   const unsigned short VIOLATION_TYPE_NONCE_SCRIPT  = 4;
michael@0:   const unsigned short VIOLATION_TYPE_NONCE_STYLE   = 5;
michael@0:   const unsigned short VIOLATION_TYPE_HASH_SCRIPT   = 6;
michael@0:   const unsigned short VIOLATION_TYPE_HASH_STYLE    = 7;
michael@0: 
michael@0:   /**
michael@0:    * Called after the CSP object is created to fill in appropriate request
michael@0:    * context and give it a reference to its owning principal for violation
michael@0:    * report generation.
michael@0:    * This will use whatever data is available, choosing earlier arguments first
michael@0:    * if multiple are available.  Either way, it will attempt to obtain the URI,
michael@0:    * referrer and the principal from whatever is available.  If the channel is
michael@0:    * available, it'll also store that for processing policy-uri directives.
michael@0:    */
michael@0:   void setRequestContext(in nsIURI selfURI,
michael@0:                          in nsIURI referrer,
michael@0:                          in nsIPrincipal documentPrincipal,
michael@0:                          in nsIChannel aChannel);
michael@0: 
michael@0:   /**
michael@0:    * Verifies ancestry as permitted by the policy.
michael@0:    *
michael@0:    * NOTE: Calls to this may trigger violation reports when queried, so this
michael@0:    * value should not be cached.
michael@0:    *
michael@0:    * @param docShell
michael@0:    *    containing the protected resource
michael@0:    * @return
michael@0:    *    true if the frame's ancestors are all allowed by policy (except for
michael@0:    *    report-only policies, which will send reports and then return true
michael@0:    *    here when violated).
michael@0:    */
michael@0:   boolean permitsAncestry(in nsIDocShell docShell);
michael@0: 
michael@0:   /**
michael@0:    * Delegate method called by the service when sub-elements of the protected
michael@0:    * document are being loaded.  Given a bit of information about the request,
michael@0:    * decides whether or not the policy is satisfied.
michael@0:    *
michael@0:    * Calls to this may trigger violation reports when queried, so
michael@0:    * this value should not be cached.
michael@0:    */
michael@0:   short shouldLoad(in unsigned long   aContentType,
michael@0:                    in nsIURI          aContentLocation,
michael@0:                    in nsIURI          aRequestOrigin,
michael@0:                    in nsISupports     aContext,
michael@0:                    in ACString        aMimeTypeGuess,
michael@0:                    in nsISupports     aExtra);
michael@0: 
michael@0:   /**
michael@0:    * Delegate method called by the service when sub-elements of the protected
michael@0:    * document are being processed.  Given a bit of information about the request,
michael@0:    * decides whether or not the policy is satisfied.
michael@0:    */
michael@0:   short shouldProcess(in unsigned long   aContentType,
michael@0:                       in nsIURI          aContentLocation,
michael@0:                       in nsIURI          aRequestOrigin,
michael@0:                       in nsISupports     aContext,
michael@0:                       in ACString        aMimeType,
michael@0:                       in nsISupports     aExtra);
michael@0: 
michael@0: };