summaryrefslogtreecommitdiffstats
path: root/dom/interfaces/security
diff options
context:
space:
mode:
Diffstat (limited to 'dom/interfaces/security')
-rw-r--r--dom/interfaces/security/moz.build13
-rw-r--r--dom/interfaces/security/nsIContentSecurityManager.idl56
-rw-r--r--dom/interfaces/security/nsIContentSecurityPolicy.idl294
3 files changed, 363 insertions, 0 deletions
diff --git a/dom/interfaces/security/moz.build b/dom/interfaces/security/moz.build
new file mode 100644
index 000000000..6796305f7
--- /dev/null
+++ b/dom/interfaces/security/moz.build
@@ -0,0 +1,13 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+XPIDL_SOURCES += [
+ 'nsIContentSecurityManager.idl',
+ 'nsIContentSecurityPolicy.idl'
+]
+
+XPIDL_MODULE = 'dom_security'
+
diff --git a/dom/interfaces/security/nsIContentSecurityManager.idl b/dom/interfaces/security/nsIContentSecurityManager.idl
new file mode 100644
index 000000000..1a1c91021
--- /dev/null
+++ b/dom/interfaces/security/nsIContentSecurityManager.idl
@@ -0,0 +1,56 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIChannel;
+interface nsIPrincipal;
+interface nsIStreamListener;
+interface nsIURI;
+
+/**
+ * nsIContentSecurityManager
+ * Describes an XPCOM component used to perform security checks.
+ */
+
+[scriptable, uuid(3a9a1818-2ae8-4ec5-a340-8b29d31fca3b)]
+interface nsIContentSecurityManager : nsISupports
+{
+ /**
+ * Checks whether a channel is allowed to access the given URI and
+ * whether the channel should be openend or should be blocked consulting
+ * internal security checks like Same Origin Policy, Content Security
+ * Policy, Mixed Content Blocker, etc.
+ *
+ * If security checks within performSecurityCheck fail, the function
+ * throws an exception.
+ *
+ * @param aChannel
+ * The channel about to be openend
+ * @param aStreamListener
+ * The Streamlistener of the channel potentially wrapped
+ * into CORSListenerProxy.
+ * @return
+ * The StreamListener of the channel wrapped into CORSListenerProxy.
+ *
+ * @throws NS_ERROR_DOM_BAD_URI
+ * If accessing the URI is not allowed (e.g. prohibted by SOP)
+ * @throws NS_ERROR_CONTENT_BLOCKED
+ * If any of the security policies (CSP, Mixed content) is violated
+ */
+ nsIStreamListener performSecurityCheck(in nsIChannel aChannel,
+ in nsIStreamListener aStreamListener);
+
+ /**
+ * Implementation of
+ * https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
+ *
+ * The value returned by this method feeds into the the Secure Context
+ * algorithm that determins the value of Window.isSecureContext and
+ * WorkerGlobalScope.isSecureContext.
+ *
+ * This method returns false instead of throwing upon errors.
+ */
+ boolean isOriginPotentiallyTrustworthy(in nsIPrincipal aPrincipal);
+};
diff --git a/dom/interfaces/security/nsIContentSecurityPolicy.idl b/dom/interfaces/security/nsIContentSecurityPolicy.idl
new file mode 100644
index 000000000..ade5b1243
--- /dev/null
+++ b/dom/interfaces/security/nsIContentSecurityPolicy.idl
@@ -0,0 +1,294 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISerializable.idl"
+#include "nsIContentPolicy.idl"
+
+interface nsIURI;
+interface nsIChannel;
+interface nsIDocShell;
+interface nsIDOMDocument;
+interface nsIPrincipal;
+interface nsIURI;
+
+/**
+ * nsIContentSecurityPolicy
+ * Describes an XPCOM component used to model and enforce CSPs. Instances of
+ * this class may have multiple policies within them, but there should only be
+ * one of these per document/principal.
+ */
+
+typedef unsigned short CSPDirective;
+
+%{C++
+class nsCSPPolicy;
+%}
+
+[ptr] native CSPPolicyPtr(const nsCSPPolicy);
+
+[scriptable, builtinclass, uuid(b3c4c0ae-bd5e-4cad-87e0-8d210dbb3f9f)]
+interface nsIContentSecurityPolicy : nsISerializable
+{
+ /**
+ * Directives supported by Content Security Policy. These are enums for
+ * the CSPDirective type.
+ * The NO_DIRECTIVE entry is used for checking default permissions and
+ * returning failure when asking CSP which directive to check.
+ *
+ * NOTE: When implementing a new directive, you will need to add it here but also
+ * add it to the CSPStrDirectives array in nsCSPUtils.h.
+ */
+ const unsigned short NO_DIRECTIVE = 0;
+ const unsigned short DEFAULT_SRC_DIRECTIVE = 1;
+ const unsigned short SCRIPT_SRC_DIRECTIVE = 2;
+ const unsigned short OBJECT_SRC_DIRECTIVE = 3;
+ const unsigned short STYLE_SRC_DIRECTIVE = 4;
+ const unsigned short IMG_SRC_DIRECTIVE = 5;
+ const unsigned short MEDIA_SRC_DIRECTIVE = 6;
+ const unsigned short FRAME_SRC_DIRECTIVE = 7;
+ const unsigned short FONT_SRC_DIRECTIVE = 8;
+ const unsigned short CONNECT_SRC_DIRECTIVE = 9;
+ const unsigned short REPORT_URI_DIRECTIVE = 10;
+ const unsigned short FRAME_ANCESTORS_DIRECTIVE = 11;
+ const unsigned short REFLECTED_XSS_DIRECTIVE = 12;
+ const unsigned short BASE_URI_DIRECTIVE = 13;
+ const unsigned short FORM_ACTION_DIRECTIVE = 14;
+ const unsigned short REFERRER_DIRECTIVE = 15;
+ const unsigned short WEB_MANIFEST_SRC_DIRECTIVE = 16;
+ const unsigned short UPGRADE_IF_INSECURE_DIRECTIVE = 17;
+ const unsigned short CHILD_SRC_DIRECTIVE = 18;
+ const unsigned short BLOCK_ALL_MIXED_CONTENT = 19;
+ const unsigned short REQUIRE_SRI_FOR = 20;
+ const unsigned short SANDBOX_DIRECTIVE = 21;
+
+ /**
+ * Accessor method for a read-only string version of the policy at a given
+ * index.
+ */
+ [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);
+
+ /**
+ * Accessor method for a read-only pointer the policy object at a given
+ * index. Returns a null pointer if the index is larger than the current
+ * policy count.
+ */
+ [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);
+
+ /**
+ * Returns the number of policies attached to this CSP instance. Useful with
+ * getPolicy().
+ */
+ readonly attribute unsigned long policyCount;
+
+ /**
+ * Returns whether this policy uses the directive upgrade-insecure-requests.
+ * Please note that upgrade-insecure-reqeusts also applies if the parent or
+ * including document (context) makes use of the directive.
+ */
+ readonly attribute bool upgradeInsecureRequests;
+
+ /**
+ * Returns whether this policy uses the directive block-all-mixed-content.
+ * Please note that block-all-mixed-content takes presedence in case the
+ * directive upgrade-insecure-requests is defined in the same policy and
+ * will therefore block all mixed content without even trying to perform
+ * an upgrade.
+ */
+ readonly attribute bool blockAllMixedContent;
+
+ /**
+ * Obtains the referrer policy (as integer) for this browsing context as
+ * specified in CSP. If there are multiple policies and...
+ * - only one sets a referrer policy: that policy is returned
+ * - more than one sets different referrer policies: no-referrer is returned
+ * - more than one set equivalent policies: that policy is returned
+ * For the enumeration of policies see ReferrerPolicy.h and nsIHttpChannel.
+ *
+ * @param aPolicy
+ * The referrer policy to use for the protected resource.
+ * @return
+ * true if a referrer policy is specified, false if it's unspecified.
+ */
+ bool getReferrerPolicy(out unsigned long policy);
+
+ /**
+ * Parse and install a CSP policy.
+ * @param aPolicy
+ * String representation of the policy
+ * (e.g., header value, meta content)
+ * @param reportOnly
+ * Should this policy affect content, script and style processing or
+ * just send reports if it is violated?
+ * @param deliveredViaMetaTag
+ * Indicates whether the policy was delivered via the meta tag.
+ */
+ void appendPolicy(in AString policyString,
+ in boolean reportOnly,
+ in boolean deliveredViaMetaTag);
+
+ /*
+ * Whether this policy allows inline script or style.
+ * @param aContentPolicyType Either TYPE_SCRIPT or TYPE_STYLESHEET
+ * @param aNonce The nonce string to check against the policy
+ * @param aParserCreated If the script element was created by the HTML Parser
+ * @param aContent The content of the inline resource to hash
+ * (and compare to the hashes listed in the policy)
+ * @param aLineNumber The line number of the inline resource
+ * (used for reporting)
+ * @return
+ * Whether or not the effects of the inline style should be allowed
+ * (block the rules if false).
+ */
+ boolean getAllowsInline(in nsContentPolicyType aContentPolicyType,
+ in AString aNonce,
+ in boolean aParserCreated,
+ in AString aContent,
+ in unsigned long aLineNumber);
+
+ /**
+ * whether this policy allows eval and eval-like functions
+ * such as setTimeout("code string", time).
+ * @param shouldReportViolations
+ * Whether or not the use of eval should be reported.
+ * This function returns "true" when violating report-only policies, but
+ * when any policy (report-only or otherwise) is violated,
+ * shouldReportViolations is true as well.
+ * @return
+ * Whether or not the effects of the eval call should be allowed
+ * (block the call if false).
+ */
+ boolean getAllowsEval(out boolean shouldReportViolations);
+
+ /**
+ * Delegate method called by the service when the protected document is loaded.
+ * Returns the union of all the sandbox flags contained in CSP policies. This is the most
+ * restrictive interpretation of flags set in multiple policies.
+ * See nsSandboxFlags.h for the possible flags.
+ *
+ * @return
+ * sandbox flags or SANDBOXED_NONE if no sandbox directive exists
+ */
+ uint32_t getCSPSandboxFlags();
+
+ /**
+ * For each violated policy (of type violationType), log policy violation on
+ * the Error Console and send a report to report-uris present in the violated
+ * policies.
+ *
+ * @param violationType
+ * one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval
+ * @param sourceFile
+ * name of the source file containing the violation (if available)
+ * @param contentSample
+ * sample of the violating content (to aid debugging)
+ * @param lineNum
+ * source line number of the violation (if available)
+ * @param aNonce
+ * (optional) If this is a nonce violation, include the nonce so we can
+ * recheck to determine which policies were violated and send the
+ * appropriate reports.
+ * @param aContent
+ * (optional) If this is a hash violation, include contents of the inline
+ * resource in the question so we can recheck the hash in order to
+ * determine which policies were violated and send the appropriate
+ * reports.
+ */
+ void logViolationDetails(in unsigned short violationType,
+ in AString sourceFile,
+ in AString scriptSample,
+ in int32_t lineNum,
+ [optional] in AString nonce,
+ [optional] in AString content);
+
+ const unsigned short VIOLATION_TYPE_INLINE_SCRIPT = 1;
+ const unsigned short VIOLATION_TYPE_EVAL = 2;
+ const unsigned short VIOLATION_TYPE_INLINE_STYLE = 3;
+ const unsigned short VIOLATION_TYPE_NONCE_SCRIPT = 4;
+ const unsigned short VIOLATION_TYPE_NONCE_STYLE = 5;
+ const unsigned short VIOLATION_TYPE_HASH_SCRIPT = 6;
+ const unsigned short VIOLATION_TYPE_HASH_STYLE = 7;
+ const unsigned short VIOLATION_TYPE_REQUIRE_SRI_FOR_STYLE = 8;
+ const unsigned short VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT = 9;
+
+ /**
+ * Called after the CSP object is created to fill in appropriate request
+ * context. Either use
+ * * aDocument (preferred), or if no document is available, then provide
+ * * aPrincipal
+ */
+ void setRequestContext(in nsIDOMDocument aDocument,
+ in nsIPrincipal aPrincipal);
+
+
+ /*
+ * Checks if a CSP requires Subresource Integrity (SRI)
+ * for a given nsContentPolicyType.
+ */
+ bool requireSRIForType(in nsContentPolicyType aContentType);
+
+ /**
+ * Verifies ancestry as permitted by the policy.
+ *
+ * NOTE: Calls to this may trigger violation reports when queried, so this
+ * value should not be cached.
+ *
+ * @param docShell
+ * containing the protected resource
+ * @return
+ * true if the frame's ancestors are all allowed by policy (except for
+ * report-only policies, which will send reports and then return true
+ * here when violated).
+ */
+ boolean permitsAncestry(in nsIDocShell docShell);
+
+
+ /**
+ * Checks if a specific directive permits loading of a URI.
+ *
+ * NOTE: Calls to this may trigger violation reports when queried, so the
+ * return value should not be cached.
+ *
+ * @param aURI
+ * The URI about to be loaded or used.
+ * @param aDir
+ * The CSPDirective to query (see above constants *_DIRECTIVE).
+ * @param aSpecific
+ * If "true" and the directive is specified to fall back to "default-src"
+ * when it's not explicitly provided, directivePermits will NOT try
+ * default-src when the specific directive is not used. Setting this to
+ * "false" allows CSP to fall back to default-src. This function
+ * behaves the same for both values of canUseDefault when querying
+ * directives that don't fall-back.
+ * @return
+ * Whether or not the provided URI is allowed by CSP under the given
+ * directive. (block the pending operation if false).
+ */
+ boolean permits(in nsIURI aURI, in CSPDirective aDir, in boolean aSpecific);
+
+ /**
+ * Delegate method called by the service when sub-elements of the protected
+ * document are being loaded. Given a bit of information about the request,
+ * decides whether or not the policy is satisfied.
+ *
+ * Calls to this may trigger violation reports when queried, so
+ * this value should not be cached.
+ */
+ short shouldLoad(in nsContentPolicyType aContentType,
+ in nsIURI aContentLocation,
+ in nsIURI aRequestOrigin,
+ in nsISupports aContext,
+ in ACString aMimeTypeGuess,
+ in nsISupports aExtra);
+
+%{ C++
+// nsIObserver topic to fire when the policy encounters a violation.
+#define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
+%}
+
+ /**
+ * Returns the CSP in JSON notation.
+ */
+ AString toJSON();
+
+};