nsIContentSecurityPolicy.idl (16648B)
1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 5 #include "nsISerializable.idl" 6 #include "nsIContentPolicy.idl" 7 8 interface nsIURI; 9 interface nsIEventTarget; 10 interface nsILoadInfo; 11 interface nsIPrincipal; 12 interface nsICSPEventListener; 13 14 webidl Element; 15 webidl Document; 16 17 /** 18 * nsIContentSecurityPolicy 19 * Describes an XPCOM component used to model and enforce CSPs. Instances of 20 * this class may have multiple policies within them, but there should only be 21 * one of these per document/principal. 22 */ 23 24 %{C++ 25 class nsCSPPolicy; 26 namespace mozilla::dom { 27 struct CSPViolationData; 28 } 29 %} 30 31 [ptr] native CSPPolicyPtr(const nsCSPPolicy); 32 33 native CSPViolationData(mozilla::dom::CSPViolationData&&); 34 35 [scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)] 36 interface nsIContentSecurityPolicy : nsISerializable 37 { 38 /** 39 * Directives supported by Content Security Policy. These are enums for 40 * the CSPDirective type. 41 * The NO_DIRECTIVE entry is used for checking default permissions and 42 * returning failure when asking CSP which directive to check. 43 * 44 * NOTE: When implementing a new directive, you will need to add it here but also 45 * add it to the CSPStrDirectives array in nsCSPUtils.h. 46 */ 47 cenum CSPDirective : 8 { 48 NO_DIRECTIVE = 0, 49 DEFAULT_SRC_DIRECTIVE = 1, 50 SCRIPT_SRC_DIRECTIVE = 2, 51 OBJECT_SRC_DIRECTIVE = 3, 52 STYLE_SRC_DIRECTIVE = 4, 53 IMG_SRC_DIRECTIVE = 5, 54 MEDIA_SRC_DIRECTIVE = 6, 55 FRAME_SRC_DIRECTIVE = 7, 56 FONT_SRC_DIRECTIVE = 8, 57 CONNECT_SRC_DIRECTIVE = 9, 58 REPORT_URI_DIRECTIVE = 10, 59 FRAME_ANCESTORS_DIRECTIVE = 11, 60 REFLECTED_XSS_DIRECTIVE = 12, 61 BASE_URI_DIRECTIVE = 13, 62 FORM_ACTION_DIRECTIVE = 14, 63 WEB_MANIFEST_SRC_DIRECTIVE = 15, 64 UPGRADE_IF_INSECURE_DIRECTIVE = 16, 65 CHILD_SRC_DIRECTIVE = 17, 66 BLOCK_ALL_MIXED_CONTENT = 18, 67 SANDBOX_DIRECTIVE = 19, 68 WORKER_SRC_DIRECTIVE = 20, 69 SCRIPT_SRC_ELEM_DIRECTIVE = 21, 70 SCRIPT_SRC_ATTR_DIRECTIVE = 22, 71 STYLE_SRC_ELEM_DIRECTIVE = 23, 72 STYLE_SRC_ATTR_DIRECTIVE = 24, 73 REQUIRE_TRUSTED_TYPES_FOR_DIRECTIVE = 25, 74 TRUSTED_TYPES_DIRECTIVE = 26, 75 REPORT_TO_DIRECTIVE = 27, 76 }; 77 78 cenum RequireTrustedTypesForDirectiveState : 8 { 79 NONE = 0, 80 REPORT_ONLY = 1, 81 ENFORCE = 2, 82 }; 83 84 /** 85 * Accessor method for a read-only string version of the policy at a given 86 * index. 87 */ 88 [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index); 89 90 /** 91 * Accessor method for a read-only pointer the policy object at a given 92 * index. Returns a null pointer if the index is larger than the current 93 * policy count. 94 */ 95 [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index); 96 97 /** 98 * Returns the number of policies attached to this CSP instance. Useful with 99 * getPolicy(). 100 */ 101 readonly attribute unsigned long policyCount; 102 103 /** 104 * Returns whether this policy uses the directive upgrade-insecure-requests. 105 * Please note that upgrade-insecure-reqeusts also applies if the parent or 106 * including document (context) makes use of the directive. 107 */ 108 readonly attribute boolean upgradeInsecureRequests; 109 110 /** 111 * Returns whether this policy uses the directive block-all-mixed-content. 112 * Please note that block-all-mixed-content takes presedence in case the 113 * directive upgrade-insecure-requests is defined in the same policy and 114 * will therefore block all mixed content without even trying to perform 115 * an upgrade. 116 */ 117 readonly attribute boolean blockAllMixedContent; 118 119 /** 120 * Returns whether this policy enforces the frame-ancestors directive. 121 */ 122 readonly attribute boolean enforcesFrameAncestors; 123 124 /** 125 * Parse and install a CSP policy. 126 * @param aPolicy 127 * String representation of the policy 128 * (e.g., header value, meta content) 129 * @param reportOnly 130 * Should this policy affect content, script and style processing or 131 * just send reports if it is violated? 132 * @param deliveredViaMetaTag 133 * Indicates whether the policy was delivered via the meta tag. 134 */ 135 void appendPolicy(in AString policyString, 136 in boolean reportOnly, 137 in boolean deliveredViaMetaTag); 138 139 /** 140 * Indicate the global state for the require-trusted-types-for directives 141 * - NONE: No require-trusted-types-for directives. 142 * - REPORT_ONLY: At least one require-trusted-types-for directive, but all 143 * of them have "report" disposition. 144 * - ENFORCE: At least one require-trusted-types-for directive with "enforce" 145 * disposition. 146 */ 147 [infallible] readonly attribute nsIContentSecurityPolicy_RequireTrustedTypesForDirectiveState requireTrustedTypesForDirectiveState; 148 149 /* 150 * Whether this policy allows inline script or style. 151 * 152 * Reports when the policy forbids aContentOfPseudoScript, including 153 * potentially asynchronously firing a "securitypolicyviolation" event. 154 * 155 * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or 156 * STYLE_SRC_(ELEM|ATTR)_DIRECTIVE. 157 * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is 158 * also specified. 159 * @param aNonce The nonce string to check against the policy. 160 * @param aParserCreated If the script element was created by the HTML Parser 161 * @param aTriggeringElement The script element of the inline resource to 162 * hash. It can be null. 163 * @param aSourceText The content of the script or pseudo-script to compare 164 * to hash (and compare to the hashes listed in the 165 * policy). For trusted inline scripts (i.e. that don't 166 * need to go trough the Trusted Types default policy) we 167 * retrieve the source text lazily for performance reasons 168 * (see bug 1376651) and aSourceText is void. 169 * @param aLineNumber The line number of the inline resource 170 * (used for reporting) 171 * @param aColumnNumber The column number of the inline resource 172 * (used for reporting) 173 * @return 174 * Whether or not the effects of the inline style should be allowed 175 * (block the rules if false). 176 */ 177 boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective, 178 in boolean aHasUnsafeHash, 179 in AString aNonce, 180 in boolean aParserCreated, 181 in Element aTriggeringElement, 182 in nsICSPEventListener aCSPEventListener, 183 in AString aSourceText, 184 in unsigned long aLineNumber, 185 in unsigned long aColumnNumber); 186 187 /** 188 * Whether this policy allows eval and eval-like functions 189 * such as setTimeout("code string", time). 190 * @param shouldReportViolations 191 * Whether or not the use of eval should be reported. 192 * This function returns "true" when violating report-only policies, but 193 * when any policy (report-only or otherwise) is violated, 194 * shouldReportViolations is true as well. 195 * @return 196 * Whether or not the effects of the eval call should be allowed 197 * (block the call if false). 198 */ 199 boolean getAllowsEval(out boolean shouldReportViolations); 200 201 /** 202 * Whether this policy allows the evaluation (and compilation) of 203 * WASM code from functions like `WebAssembly.compile`. 204 * @param shouldReportViolations 205 * Whether or not the use of WASM evaluation should be reported. 206 * This function returns "true" when violating report-only policies, but 207 * when any policy (report-only or otherwise) is violated, 208 * shouldReportViolations is true as well. 209 * @return 210 * Whether or not the effects of the WASM evaluation should be allowed 211 * (block the call if false). 212 */ 213 boolean getAllowsWasmEval(out boolean shouldReportViolations); 214 215 /** 216 * Delegate method called by the service when the protected document is loaded. 217 * Returns the union of all the sandbox flags contained in CSP policies. This is the most 218 * restrictive interpretation of flags set in multiple policies. 219 * See nsSandboxFlags.h for the possible flags. 220 * 221 * @return 222 * sandbox flags or SANDBOXED_NONE if no sandbox directive exists 223 */ 224 uint32_t getCSPSandboxFlags(); 225 226 /** 227 * For each violated policy (of type violationType), log policy violation on 228 * the Error Console and send a report to report-uris present in the violated 229 * policies. 230 * 231 * @param violationType 232 * one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval 233 * @param triggeringElement 234 * the element that triggers this CSP violation. It can be null. 235 * @param sourceFile 236 * name of the source file containing the violation (if available) 237 * @param contentSample 238 * sample of the violating content (to aid debugging) 239 * @param lineNum 240 * source line number of the violation (if available) 241 * @param columnNum 242 * source column number of the violation (if available) 243 * @param aNonce 244 * (optional) If this is a nonce violation, include the nonce so we can 245 * recheck to determine which policies were violated and send the 246 * appropriate reports. 247 * @param aContent 248 * (optional) If this is a hash violation, include contents of the inline 249 * resource in the question so we can recheck the hash in order to 250 * determine which policies were violated and send the appropriate 251 * reports. 252 */ 253 void logViolationDetails(in unsigned short violationType, 254 in Element triggeringElement, 255 in nsICSPEventListener aCSPEventListener, 256 in ACString sourceFile, 257 in AString scriptSample, 258 in int32_t lineNum, 259 in int32_t columnNum, 260 [optional] in AString nonce, 261 [optional] in AString content); 262 263 const unsigned short VIOLATION_TYPE_EVAL = 1; 264 const unsigned short VIOLATION_TYPE_WASM_EVAL = 2; 265 266 /** 267 * Log violation details for aCSPViolationData's directive. The directive is 268 * required to: 269 * - be one of the CSP directives corresponding to Trusted Types. 270 * - belong to the policy referrenced by aCSPViolationData. 271 * No check happens that the policy is indeed violated. 272 * 273 * Notifies observers, logs on the error console, sends a report (with a code- 274 * sample) to the directive's report-uris and may fire a violation event. 275 * 276 * @param aCSPEventListener Should be null for Windows 277 * (https://html.spec.whatwg.org/multipage/nav-history-apis.html#window), 278 * and non-null for Workers. 279 */ 280 [noscript] void logTrustedTypesViolationDetailsUnchecked( 281 in CSPViolationData aCSPViolationData, 282 in AString aObserverSubject, 283 in nsICSPEventListener aCSPEventListener); 284 285 /** 286 * Called after the CSP object is created to fill in appropriate request 287 * context. Either use 288 * * aDocument (preferred), or if no document is available, then provide 289 * * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly. 290 */ 291 [must_use] void setRequestContextWithDocument(in Document aDocument); 292 [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal, 293 in nsIURI aSelfURI, 294 in ACString aReferrer, 295 in unsigned long long aInnerWindowId); 296 297 /** 298 * Get the various arguments needed to create a new request context for a CSP. 299 */ 300 [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal; 301 [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI; 302 [noscript] readonly attribute ACString referrer; 303 [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID; 304 305 /** 306 * Warning: Do not set that attribute unless you know exactly what you are doing! 307 * 308 * Primarily used to allow Devtools to edit inline styles! 309 */ 310 [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck; 311 312 /** 313 * Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable 314 */ 315 [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget); 316 317 318 /** 319 * Verifies ancestry as permitted by the policy. 320 * 321 * NOTE: Calls to this may trigger violation reports when queried, so this 322 * value should not be cached. 323 * 324 * @param aLoadInfo 325 * The loadinfo of the channel containing the protected resource 326 * @return 327 * true if the frame's ancestors are all allowed by policy (except for 328 * report-only policies, which will send reports and then return true 329 * here when violated). 330 */ 331 boolean permitsAncestry(in nsILoadInfo aLoadInfo); 332 333 334 /** 335 * Checks if a specific directive permits loading of a URI. 336 * 337 * @param aTriggeringElement 338 * The element that triggers this CSP check. It can be null. 339 * @param aURI 340 * The URI about to be loaded or used. 341 * @param aDir 342 * The CSPDirective to query (see above constants *_DIRECTIVE). 343 * @param aSpecific 344 * If "true" and the directive is specified to fall back to "default-src" 345 * when it's not explicitly provided, directivePermits will NOT try 346 * default-src when the specific directive is not used. Setting this to 347 * "false" allows CSP to fall back to default-src. This function 348 * behaves the same for both values of canUseDefault when querying 349 * directives that don't fall-back. 350 * @param aSendViolationReports 351 * If `true` and the uri is not allowed then trigger violation reports. 352 * This should be `false` for caching or preloads. 353 * @return 354 * Whether or not the provided URI is allowed by CSP under the given 355 * directive. (block the pending operation if false). 356 */ 357 boolean permits(in Element aTriggeringElement, 358 in nsICSPEventListener aCSPEventListener, 359 in nsIURI aURI, 360 in nsIContentSecurityPolicy_CSPDirective aDir, 361 in boolean aSpecific, 362 in boolean aSendViolationReports); 363 364 /** 365 * Delegate method called by the service when sub-elements of the protected 366 * document are being loaded. Given a bit of information about the request, 367 * decides whether or not the policy is satisfied. 368 * 369 * Calls to this may trigger violation reports when queried, so 370 * this value should not be cached. 371 * 372 * aOriginalURIIfRedirect must be passed only if this loading is the result 373 * of a redirect. In this case, aOriginalURIIfRedirect must be the original 374 * URL. 375 */ 376 short shouldLoad(in nsContentPolicyType aContentType, 377 in nsICSPEventListener aCSPEventListener, 378 in nsILoadInfo aLoadInfo, 379 in nsIURI aContentLocation, 380 in nsIURI aOriginalURIIfRedirect, 381 in boolean aSendViolationReports); 382 383 %{ C++ 384 // nsIObserver topic to fire when the policy encounters a violation. 385 #define CSP_VIOLATION_TOPIC "csp-on-violate-policy" 386 %} 387 388 /** 389 * Returns the CSP in JSON notation. 390 */ 391 AString toJSON(); 392 393 /** 394 * Ensure policies from IPC are read/parsed. 395 */ 396 [noscript] void EnsureIPCPoliciesRead(); 397 398 }; 399 400 typedef nsIContentSecurityPolicy_CSPDirective CSPDirective; 401 typedef nsIContentSecurityPolicy_RequireTrustedTypesForDirectiveState RequireTrustedTypesForDirectiveState; 402 403 /* Listener for security policy violation event */ 404 [function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)] 405 interface nsICSPEventListener : nsISupports 406 { 407 // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary. 408 void onCSPViolationEvent(in AString aJSON); 409 };