1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsISerializable.idl"
#include "nsIContentPolicy.idl"
interface nsIURI;
interface nsIChannel;
interface nsIDocShell;
interface nsIDOMDocument;
interface nsIPrincipal;
interface nsIURI;
/**
* nsIContentSecurityPolicy
* Describes an XPCOM component used to model and enforce CSPs. Instances of
* this class may have multiple policies within them, but there should only be
* one of these per document/principal.
*/
typedef unsigned short CSPDirective;
%{C++
class nsCSPPolicy;
%}
[ptr] native CSPPolicyPtr(const nsCSPPolicy);
[scriptable, builtinclass, uuid(b3c4c0ae-bd5e-4cad-87e0-8d210dbb3f9f)]
interface nsIContentSecurityPolicy : nsISerializable
{
/**
* Directives supported by Content Security Policy. These are enums for
* the CSPDirective type.
* The NO_DIRECTIVE entry is used for checking default permissions and
* returning failure when asking CSP which directive to check.
*
* NOTE: When implementing a new directive, you will need to add it here but also
* add it to the CSPStrDirectives array in nsCSPUtils.h.
*/
const unsigned short NO_DIRECTIVE = 0;
const unsigned short DEFAULT_SRC_DIRECTIVE = 1;
const unsigned short SCRIPT_SRC_DIRECTIVE = 2;
const unsigned short OBJECT_SRC_DIRECTIVE = 3;
const unsigned short STYLE_SRC_DIRECTIVE = 4;
const unsigned short IMG_SRC_DIRECTIVE = 5;
const unsigned short MEDIA_SRC_DIRECTIVE = 6;
const unsigned short FRAME_SRC_DIRECTIVE = 7;
const unsigned short FONT_SRC_DIRECTIVE = 8;
const unsigned short CONNECT_SRC_DIRECTIVE = 9;
const unsigned short REPORT_URI_DIRECTIVE = 10;
const unsigned short FRAME_ANCESTORS_DIRECTIVE = 11;
const unsigned short REFLECTED_XSS_DIRECTIVE = 12;
const unsigned short BASE_URI_DIRECTIVE = 13;
const unsigned short FORM_ACTION_DIRECTIVE = 14;
const unsigned short REFERRER_DIRECTIVE = 15;
const unsigned short WEB_MANIFEST_SRC_DIRECTIVE = 16;
const unsigned short UPGRADE_IF_INSECURE_DIRECTIVE = 17;
const unsigned short CHILD_SRC_DIRECTIVE = 18;
const unsigned short BLOCK_ALL_MIXED_CONTENT = 19;
const unsigned short REQUIRE_SRI_FOR = 20;
const unsigned short SANDBOX_DIRECTIVE = 21;
/**
* Accessor method for a read-only string version of the policy at a given
* index.
*/
[binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);
/**
* Accessor method for a read-only pointer the policy object at a given
* index. Returns a null pointer if the index is larger than the current
* policy count.
*/
[noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);
/**
* Returns the number of policies attached to this CSP instance. Useful with
* getPolicy().
*/
readonly attribute unsigned long policyCount;
/**
* Returns whether this policy uses the directive upgrade-insecure-requests.
* Please note that upgrade-insecure-reqeusts also applies if the parent or
* including document (context) makes use of the directive.
*/
readonly attribute bool upgradeInsecureRequests;
/**
* Returns whether this policy uses the directive block-all-mixed-content.
* Please note that block-all-mixed-content takes presedence in case the
* directive upgrade-insecure-requests is defined in the same policy and
* will therefore block all mixed content without even trying to perform
* an upgrade.
*/
readonly attribute bool blockAllMixedContent;
/**
* Returns whether this policy enforces the frame-ancestors directive.
*/
readonly attribute bool enforcesFrameAncestors;
/**
* Obtains the referrer policy (as integer) for this browsing context as
* specified in CSP. If there are multiple policies and...
* - only one sets a referrer policy: that policy is returned
* - more than one sets different referrer policies: no-referrer is returned
* - more than one set equivalent policies: that policy is returned
* For the enumeration of policies see ReferrerPolicy.h and nsIHttpChannel.
*
* @param aPolicy
* The referrer policy to use for the protected resource.
* @return
* true if a referrer policy is specified, false if it's unspecified.
*/
bool getReferrerPolicy(out unsigned long policy);
/**
* Parse and install a CSP policy.
* @param aPolicy
* String representation of the policy
* (e.g., header value, meta content)
* @param reportOnly
* Should this policy affect content, script and style processing or
* just send reports if it is violated?
* @param deliveredViaMetaTag
* Indicates whether the policy was delivered via the meta tag.
*/
void appendPolicy(in AString policyString,
in boolean reportOnly,
in boolean deliveredViaMetaTag);
/*
* Whether this policy allows inline script or style.
* @param aContentPolicyType Either TYPE_SCRIPT or TYPE_STYLESHEET
* @param aNonce The nonce string to check against the policy
* @param aParserCreated If the script element was created by the HTML Parser
* @param aContent The content of the inline resource to hash
* (and compare to the hashes listed in the policy)
* @param aLineNumber The line number of the inline resource
* (used for reporting)
* @return
* Whether or not the effects of the inline style should be allowed
* (block the rules if false).
*/
boolean getAllowsInline(in nsContentPolicyType aContentPolicyType,
in AString aNonce,
in boolean aParserCreated,
in AString aContent,
in unsigned long aLineNumber);
/**
* whether this policy allows eval and eval-like functions
* such as setTimeout("code string", time).
* @param shouldReportViolations
* Whether or not the use of eval should be reported.
* This function returns "true" when violating report-only policies, but
* when any policy (report-only or otherwise) is violated,
* shouldReportViolations is true as well.
* @return
* Whether or not the effects of the eval call should be allowed
* (block the call if false).
*/
boolean getAllowsEval(out boolean shouldReportViolations);
/**
* Delegate method called by the service when the protected document is loaded.
* Returns the union of all the sandbox flags contained in CSP policies. This is the most
* restrictive interpretation of flags set in multiple policies.
* See nsSandboxFlags.h for the possible flags.
*
* @return
* sandbox flags or SANDBOXED_NONE if no sandbox directive exists
*/
uint32_t getCSPSandboxFlags();
/**
* For each violated policy (of type violationType), log policy violation on
* the Error Console and send a report to report-uris present in the violated
* policies.
*
* @param violationType
* one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval
* @param sourceFile
* name of the source file containing the violation (if available)
* @param contentSample
* sample of the violating content (to aid debugging)
* @param lineNum
* source line number of the violation (if available)
* @param aNonce
* (optional) If this is a nonce violation, include the nonce so we can
* recheck to determine which policies were violated and send the
* appropriate reports.
* @param aContent
* (optional) If this is a hash violation, include contents of the inline
* resource in the question so we can recheck the hash in order to
* determine which policies were violated and send the appropriate
* reports.
*/
void logViolationDetails(in unsigned short violationType,
in AString sourceFile,
in AString scriptSample,
in int32_t lineNum,
[optional] in AString nonce,
[optional] in AString content);
const unsigned short VIOLATION_TYPE_INLINE_SCRIPT = 1;
const unsigned short VIOLATION_TYPE_EVAL = 2;
const unsigned short VIOLATION_TYPE_INLINE_STYLE = 3;
const unsigned short VIOLATION_TYPE_NONCE_SCRIPT = 4;
const unsigned short VIOLATION_TYPE_NONCE_STYLE = 5;
const unsigned short VIOLATION_TYPE_HASH_SCRIPT = 6;
const unsigned short VIOLATION_TYPE_HASH_STYLE = 7;
const unsigned short VIOLATION_TYPE_REQUIRE_SRI_FOR_STYLE = 8;
const unsigned short VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT = 9;
/**
* Called after the CSP object is created to fill in appropriate request
* context. Either use
* * aDocument (preferred), or if no document is available, then provide
* * aPrincipal
*/
void setRequestContext(in nsIDOMDocument aDocument,
in nsIPrincipal aPrincipal);
/*
* Checks if a CSP requires Subresource Integrity (SRI)
* for a given nsContentPolicyType.
*/
bool requireSRIForType(in nsContentPolicyType aContentType);
/**
* Verifies ancestry as permitted by the policy.
*
* NOTE: Calls to this may trigger violation reports when queried, so this
* value should not be cached.
*
* @param docShell
* containing the protected resource
* @return
* true if the frame's ancestors are all allowed by policy (except for
* report-only policies, which will send reports and then return true
* here when violated).
*/
boolean permitsAncestry(in nsIDocShell docShell);
/**
* Checks if a specific directive permits loading of a URI.
*
* NOTE: Calls to this may trigger violation reports when queried, so the
* return value should not be cached.
*
* @param aURI
* The URI about to be loaded or used.
* @param aDir
* The CSPDirective to query (see above constants *_DIRECTIVE).
* @param aSpecific
* If "true" and the directive is specified to fall back to "default-src"
* when it's not explicitly provided, directivePermits will NOT try
* default-src when the specific directive is not used. Setting this to
* "false" allows CSP to fall back to default-src. This function
* behaves the same for both values of canUseDefault when querying
* directives that don't fall-back.
* @return
* Whether or not the provided URI is allowed by CSP under the given
* directive. (block the pending operation if false).
*/
boolean permits(in nsIURI aURI, in CSPDirective aDir, in boolean aSpecific);
/**
* Delegate method called by the service when sub-elements of the protected
* document are being loaded. Given a bit of information about the request,
* decides whether or not the policy is satisfied.
*
* Calls to this may trigger violation reports when queried, so
* this value should not be cached.
*/
short shouldLoad(in nsContentPolicyType aContentType,
in nsIURI aContentLocation,
in nsIURI aRequestOrigin,
in nsISupports aContext,
in ACString aMimeTypeGuess,
in nsISupports aExtra);
%{ C++
// nsIObserver topic to fire when the policy encounters a violation.
#define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
%}
/**
* Returns the CSP in JSON notation.
*/
AString toJSON();
};
|
