search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 1802588 [wpt PR 37170] - WebKit export of https://bugs.webkit.org/show_bug.cgi...
[gecko.git] / caps / nsIPrincipal.idl
blobe5bacca601aa9af2ca253ad04305f2ddd5c1f7f9
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5
6 /* Defines the abstract interface for a principal. */
7
8 #include "nsIContentSecurityPolicy.idl"
9 #include "nsISerializable.idl"
10 #include "nsIAboutModule.idl"
11 #include "nsIReferrerInfo.idl"
12 interface nsIChannel;
13 #include "mozIDOMWindow.idl"
14
15 %{C++
16 struct JSPrincipals;
17 #include "nsCOMPtr.h"
18 #include "nsTArray.h"
19 #include "nsString.h"
20 #include "mozilla/DebugOnly.h"
21 namespace mozilla {
22 class OriginAttributes;
23 }
24
25 /**
26 * Some methods have a fast path for the case when we're comparing a principal
27 * to itself. The situation may happen for example with about:blank documents.
28 */
29
30 #define DECL_FAST_INLINE_HELPER(method_) \
31 inline bool method_(nsIPrincipal* aOther) \
32 { \
33 mozilla::DebugOnly<bool> val = false; \
34 MOZ_ASSERT_IF(this == aOther, \
35 NS_SUCCEEDED(method_(aOther, &val)) && val); \
36 \
37 bool retVal = false; \
38 return \
39 this == aOther || \
40 (NS_SUCCEEDED(method_(aOther, &retVal)) && retVal); \
41 }
42
43 %}
44
45 interface nsIURI;
46
47 webidl WebExtensionPolicy;
48
49 [ptr] native JSContext(JSContext);
50 [ptr] native JSPrincipals(JSPrincipals);
51 [ref] native PrincipalArray(const nsTArray<nsCOMPtr<nsIPrincipal>>);
52 [ref] native const_OriginAttributes(const mozilla::OriginAttributes);
53 native ReferrerPolicy(mozilla::dom::ReferrerPolicy);
54
55 [scriptable, builtinclass, uuid(f75f502d-79fd-48be-a079-e5a7b8f80c8b)]
56 interface nsIPrincipal : nsISupports
57 {
58 /**
59 * Returns whether the other principal is equivalent to this principal.
60 * Principals are considered equal if they are the same principal, or
61 * they have the same origin.
62 *
63 * May be called from any thread.
64 */
65 boolean equals(in nsIPrincipal other);
66
67 /**
68 * Returns whether the other principal is equivalent to this principal
69 * for permission purposes
70 * Matches {originAttributes ,equalsURIForPermission}
71 *
72 * May be called from any thread.
73 */
74
75 boolean equalsForPermission(in nsIPrincipal other, in bool aExactHost);
76
77 /**
78 * Like equals, but takes document.domain changes into account.
79 *
80 * May be called from any thread, though document.domain may racily change
81 * during the comparison when called from off-main-thread.
82 */
83 boolean equalsConsideringDomain(in nsIPrincipal other);
84
85 %{C++
86 DECL_FAST_INLINE_HELPER(Equals)
87 DECL_FAST_INLINE_HELPER(EqualsConsideringDomain)
88 %}
89
90 /*
91 * Returns whether the Principals URI is equal to the other URI
92 *
93 * May be called from any thread.
94 */
95 boolean equalsURI(in nsIURI aOtherURI);
96
97 /**
98 * Returns a hash value for the principal.
99 *
100 * May be called from any thread.
101 */
102 [notxpcom, nostdcall] readonly attribute unsigned long hashValue;
103
104 /**
105 * The principal URI to which this principal pertains. This is
106 * generally the document URI.
107 *
108 * May be called from any thread.
109 */
110 [infallible] readonly attribute nsIURI URI;
111
112 /**
113 * The domain URI to which this principal pertains.
114 * This is null unless script successfully sets document.domain to our URI
115 * or a superdomain of our URI.
116 * Setting this has no effect on the URI.
117 * See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin
118 *
119 * The getter may be called from any thread, but may only be set on the main thread.
120 */
121 [noscript] attribute nsIURI domain;
122
123 /**
124 * Returns whether the other principal is equal to or weaker than this
125 * principal. Principals are equal if they are the same object or they
126 * have the same origin.
127 *
128 * Thus a principal always subsumes itself.
129 *
130 * The system principal subsumes itself and all other principals.
131 *
132 * A null principal (corresponding to an unknown, hence assumed minimally
133 * privileged, security context) is not equal to any other principal
134 * (including other null principals), and therefore does not subsume
135 * anything but itself.
136 *
137 * May be called from any thread.
138 */
139 boolean subsumes(in nsIPrincipal other);
140
141 /**
142 * Same as the previous method, subsumes(), but takes document.domain into
143 * account.
144 *
145 * May be called from any thread, though document.domain may racily change
146 * during the comparison when called from off-main-thread.
147 */
148 boolean subsumesConsideringDomain(in nsIPrincipal other);
149
150 /**
151 * Same as the subsumesConsideringDomain(), but ignores the first party
152 * domain in its originAttributes.
153 *
154 * May be called from any thread, though document.domain may racily change
155 * during the comparison when called from off-main-thread.
156 */
157 boolean subsumesConsideringDomainIgnoringFPD(in nsIPrincipal other);
158
159 %{C++
160 DECL_FAST_INLINE_HELPER(Subsumes)
161 DECL_FAST_INLINE_HELPER(SubsumesConsideringDomain)
162 DECL_FAST_INLINE_HELPER(SubsumesConsideringDomainIgnoringFPD)
163 #undef DECL_FAST_INLINE_HELPER
164 %}
165
166 /**
167 * Checks whether this principal is allowed to load the network resource
168 * located at the given URI under the same-origin policy. This means that
169 * content principals are only allowed to load resources from the same
170 * domain, the system principal is allowed to load anything, and null
171 * principals can only load URIs where they are the principal. This is
172 * changed by the optional flag allowIfInheritsPrincipal (which defaults to
173 * false) which allows URIs that inherit their loader's principal.
174 *
175 * If the load is allowed this function does nothing. If the load is not
176 * allowed the function throws NS_ERROR_DOM_BAD_URI.
177 *
178 * NOTE: Other policies might override this, such as the Access-Control
179 * specification.
180 * NOTE: The 'domain' attribute has no effect on the behaviour of this
181 * function.
182 * NOTE: Main-Thread Only.
183 *
184 *
185 * @param uri The URI about to be loaded.
186 * @param allowIfInheritsPrincipal If true, the load is allowed if the
187 * loadee inherits the principal of the
188 * loader.
189 * @throws NS_ERROR_DOM_BAD_URI if the load is not allowed.
190 */
191 void checkMayLoad(in nsIURI uri,
192 in boolean allowIfInheritsPrincipal);
193
194 /**
195 * Like checkMayLoad, but if returning an error will also report that error
196 * to the console, using the provided window id. The window id may be 0 to
197 * report to just the browser console, not web consoles.
198 *
199 * NOTE: Main-Thread Only.
200 */
201 void checkMayLoadWithReporting(in nsIURI uri,
202 in boolean allowIfInheritsPrincipal,
203 in unsigned long long innerWindowID);
204
205 /**
206 * Checks if the provided URI is considered third-party to the
207 * URI of the principal.
208 * Returns true if the URI is third-party.
209 *
210 * May be called from any thread.
211 *
212 * @param uri - The URI to check
213 */
214 boolean isThirdPartyURI(in nsIURI uri);
215
216 /**
217 * Checks if the provided principal is considered third-party to the
218 * URI of the Principal.
219 * Returns true if the principal is third-party.
220 *
221 * May be called from any thread.
222 *
223 * @param principal - The principal to check
224 */
225 boolean isThirdPartyPrincipal(in nsIPrincipal principal);
226
227 /**
228 * Checks if the provided channel is considered third-party to the
229 * URI of the principal.
230 * Returns true if the channel is third-party.
231 * Returns false if the Principal is a System Principal
232 *
233 * NOTE: Main-Thread Only.
234 *
235 * @param channel - The Channel to check
236 */
237 boolean isThirdPartyChannel(in nsIChannel channel);
238
239 /**
240 * A dictionary of the non-default origin attributes associated with this
241 * nsIPrincipal.
242 *
243 * Attributes are tokens that are taken into account when determining whether
244 * two principals are same-origin - if any attributes differ, the principals
245 * are cross-origin, even if the scheme, host, and port are the same.
246 * Attributes should also be considered for all security and bucketing decisions,
247 * even those which make non-standard comparisons (like cookies, which ignore
248 * scheme, or quotas, which ignore subdomains).
249 *
250 * If you're looking for an easy-to-use canonical stringification of the origin
251 * attributes, see |originSuffix| below.
252 */
253 [implicit_jscontext]
254 readonly attribute jsval originAttributes;
255
256 // May be called from any thread.
257 [noscript, notxpcom, nostdcall, binaryname(OriginAttributesRef)]
258 const_OriginAttributes OriginAttributesRef();
259
260 /**
261 * A canonical representation of the origin for this principal. This
262 * consists of a base string (which, for content principals, is of the
263 * format scheme://host:port), concatenated with |originAttributes| (see
264 * below).
265 *
266 * We maintain the invariant that principalA.equals(principalB) if and only
267 * if principalA.origin == principalB.origin.
268 *
269 * May be called from any thread.
270 */
271 readonly attribute ACString origin;
272
273 /**
274 * Returns an ASCII compatible representation
275 * of the principals Origin
276 *
277 * May be called from any thread.
278 */
279 [noscript] readonly attribute ACString asciiOrigin;
280
281 /**
282 * Returns the "host:port" portion of the
283 * Principals URI, if any.
284 *
285 * May be called from any thread.
286 */
287 readonly attribute ACString hostPort;
288
289 /**
290 * Returns the "host:port" portion of the
291 * Principals URI, if any.
292 *
293 * May be called from any thread.
294 */
295 readonly attribute ACString asciiHost;
296
297 /**
298 * Returns the "host" portion of the
299 * Principals URI, if any.
300 *
301 * May be called from any thread.
302 */
303 readonly attribute ACString host;
304
305 /**
306 * Returns the prePath of the principals uri
307 * follows the format scheme:
308 * "scheme://username:password@hostname:portnumber/"
309 *
310 * May be called from any thread.
311 */
312 readonly attribute ACString prePath;
313
314 /**
315 * Returns the filePath of the principals uri. See nsIURI.
316 *
317 * May be called from any thread.
318 */
319 readonly attribute ACString filePath;
320
321 /**
322 * Returns the ASCII Spec from the Principals URI.
323 * Might return the empty string, e.g. for the case of
324 * a SystemPrincipal or an EpxandedPrincipal.
325 *
326 * May be called from any thread.
327 *
328 * WARNING: DO NOT USE FOR SECURITY CHECKS.
329 * just for logging purposes!
330 */
331 readonly attribute ACString asciiSpec;
332
333 /**
334 * Returns the Spec from the Principals URI.
335 * Might return the empty string, e.g. for the case of
336 * a SystemPrincipal or an EpxandedPrincipal.
337 *
338 * May be called from any thread.
339 *
340 * WARNING: Do not land new Code using, as this will be removed soon
341 */
342 readonly attribute ACString spec;
343
344 /**
345 * Returns the Pre Path of the Principals URI with
346 * user:pass stripped for privacy and spoof prevention
347 *
348 * May be called from any thread.
349 */
350 readonly attribute ACString exposablePrePath;
351
352 /**
353 * Returns the Spec of the Principals URI with
354 * user/pass/ref/query stripped for privacy and spoof prevention
355 *
356 * May be called from any thread.
357 */
358 readonly attribute ACString exposableSpec;
359
360 /**
361 * Return the scheme of the principals URI
362 *
363 * May be called from any thread.
364 */
365 readonly attribute ACString scheme;
366
367 /**
368 * Checks if the Principal's URI Scheme matches with the parameter
369 *
370 * May be called from any thread.
371 *
372 * @param scheme The scheme to be checked
373 */
374 [infallible]
375 boolean schemeIs(in string scheme);
376
377 /*
378 * Checks if the Principal's URI is contained in the given Pref
379 *
380 * NOTE: Main-Thread Only.
381 *
382 * @param pref The pref to be checked
383 */
384 [infallible]
385 boolean isURIInPrefList(in string pref);
386
387 /**
388 * Check if the Principal's URI is contained in the given list
389 *
390 * May be called from any thread.
391 *
392 * @param list The list to be checked
393 */
394 [infallible]
395 boolean isURIInList(in ACString list);
396
397 /**
398 * Uses NS_Security Compare to determine if the
399 * other URI is same-origin as the uri of the Principal
400 *
401 * May be called from any thread.
402 */
403 [infallible]
404 boolean isSameOrigin(in nsIURI otherURI);
405
406 /*
407 * Checks if the Principal is allowed to load the Provided file:// URI
408 * using NS_RelaxStrictFileOriginPolicy
409 *
410 * May be called from any thread.
411 */
412 bool allowsRelaxStrictFileOriginPolicy(in nsIURI aURI);
413
414
415 /*
416 * Generates a Cache-Key for the Cors-Preflight Cache
417 *
418 * May be called from any thread.
419 */
420 [noscript]
421 ACString getPrefLightCacheKey(in nsIURI aURI ,in bool aWithCredentials,
422 in const_OriginAttributes aOriginAttributes);
423
424
425 /*
426 * Checks if the Principals URI has first party storage access
427 * when loaded inside the provided 3rd party resource window.
428 * See also: ContentBlocking::ShouldAllowAccessFor
429 *
430 * NOTE: Main-Thread Only.
431 */
432 bool hasFirstpartyStorageAccess(in mozIDOMWindow aWindow, out uint32_t rejectedReason);
433
434
435 /*
436 * Returns a Key for the LocalStorage Manager, used to
437 * check the Principals Origin Storage usage.
438 *
439 * May be called from any thread.
440 */
441 readonly attribute ACString localStorageQuotaKey;
442
443 /**
444 * Implementation of
445 * https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
446 *
447 * The value returned by this method feeds into the the Secure Context
448 * algorithm that determins the value of Window.isSecureContext and
449 * WorkerGlobalScope.isSecureContext.
450 *
451 * This method returns false instead of throwing upon errors.
452 *
453 * NOTE: Main-Thread Only.
454 */
455 [infallible]
456 readonly attribute boolean isOriginPotentiallyTrustworthy;
457
458 /**
459 * NOTE: Main-Thread Only.
460 */
461 [infallible]
462 readonly attribute boolean isLoopbackHost;
463
464 /**
465 * Returns the Flags of the Principals
466 * associated AboutModule, in case there is one.
467 *
468 * NOTE: Main-Thread Only.
469 */
470 uint32_t getAboutModuleFlags();
471
472 /**
473 * Returns the Key to access the Principals
474 * Origin Local/Session Storage
475 *
476 * May be called from any thread.
477 */
478 readonly attribute ACString storageOriginKey;
479
480 /**
481 * Creates and Returns a new ReferrerInfo with the
482 * Principals URI
483 *
484 * May be called from any thread.
485 */
486 nsIReferrerInfo createReferrerInfo(in ReferrerPolicy aReferrerPolicy);
487
488 /**
489 * The base part of |origin| without the concatenation with |originSuffix|.
490 * This doesn't have the important invariants described above with |origin|,
491 * and as such should only be used for legacy situations.
492 *
493 * May be called from any thread.
494 */
495 readonly attribute ACString originNoSuffix;
496
497 /**
498 * A string of the form ^key1=value1&key2=value2, where each pair represents
499 * an attribute with a non-default value. If all attributes have default
500 * values, this is the empty string.
501 *
502 * The value of .originSuffix is automatically serialized into .origin, so any
503 * consumers using that are automatically origin-attribute-aware. Consumers with
504 * special requirements must inspect and compare .originSuffix manually.
505 *
506 * May be called from any thread.
507 */
508 readonly attribute AUTF8String originSuffix;
509
510 /**
511 * A canonical representation of the site-origin for this principal.
512 * This string has the same format as |origin| (see above). Two principals
513 * with differing |siteOrigin| values will never compare equal, even when
514 * considering domain mutations.
515 *
516 * For most principals, |siteOrigin| matches |origin| precisely. Only
517 * principals which allow mutating |domain|, such as ContentPrincipal,
518 * override the default implementation in BasePrincipal.
519 *
520 * May be called from any thread.
521 */
522 readonly attribute ACString siteOrigin;
523
524 /**
525 * The base part of |siteOrigin| without the concatenation with
526 * |originSuffix|.
527 *
528 * May be called from any thread.
529 */
530 readonly attribute ACString siteOriginNoSuffix;
531
532 /**
533 * The base domain of the principal URI to which this principal pertains
534 * (generally the document URI), handling null principals and
535 * non-hierarchical schemes correctly.
536 *
537 * May be called from any thread.
538 */
539 readonly attribute ACString baseDomain;
540
541 /**
542 * Gets the ID of the add-on this principal belongs to.
543 *
544 * May be called from any thread.
545 */
546 readonly attribute AString addonId;
547
548 /**
549 * Gets the WebExtensionPolicy of the add-on this principal belongs to.
550 *
551 * NOTE: Main-Thread Only.
552 */
553 readonly attribute WebExtensionPolicy addonPolicy;
554
555 /**
556 * Gets the id of the user context this principal is inside. If this
557 * principal is inside the default userContext, this returns
558 * nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID.
559 *
560 * May be called from any thread.
561 */
562 [infallible] readonly attribute unsigned long userContextId;
563
564 /**
565 * Gets the id of the private browsing state of the context containing
566 * this principal. If the principal has a private browsing value of 0, it
567 * is not in private browsing.
568 *
569 * May be called from any thread.
570 */
571 [infallible] readonly attribute unsigned long privateBrowsingId;
572
573 /**
574 * Returns true iff the principal is inside an isolated mozbrowser element.
575 * <xul:browser> is not considered to be a mozbrowser element.
576 * <iframe mozbrowser noisolation> does not count as isolated since
577 * isolation is disabled. Isolation can only be disabled if the
578 * containing document is chrome.
579 *
580 * May be called from any thread.
581 */
582 [infallible] readonly attribute boolean isInIsolatedMozBrowserElement;
583
584 /**
585 * Returns true iff this is a null principal (corresponding to an
586 * unknown, hence assumed minimally privileged, security context).
587 *
588 * May be called from any thread.
589 */
590 [infallible] readonly attribute boolean isNullPrincipal;
591
592 /**
593 * Returns true iff this principal corresponds to a principal origin.
594 *
595 * May be called from any thread.
596 */
597 [infallible] readonly attribute boolean isContentPrincipal;
598
599 /**
600 * Returns true iff this is an expanded principal.
601 *
602 * May be called from any thread.
603 */
604 [infallible] readonly attribute boolean isExpandedPrincipal;
605
606 /**
607 * Returns true iff this is the system principal. C++ callers should use
608 * IsSystemPrincipal() instead of this scriptable accessor.
609 *
610 * May be called from any thread.
611 */
612 readonly attribute boolean isSystemPrincipal;
613
614 /**
615 * Faster and nicer version callable from C++. Callers must include
616 * BasePrincipal.h, where it's implemented.
617 *
618 * May be called from any thread.
619 */
620 %{C++
621 inline bool IsSystemPrincipal() const;
622 %}
623
624 /**
625 * Returns true iff the principal is either an addon principal or
626 * an expanded principal, which contains at least one addon principal.
627 *
628 * May be called from any thread.
629 */
630 [infallible] readonly attribute boolean isAddonOrExpandedAddonPrincipal;
631
632 %{C++
633 // MOZ_DBG support (threadsafe)
634 friend std::ostream& operator<<(std::ostream& aOut, const nsIPrincipal& aPrincipal) {
635 nsIPrincipal* principal = const_cast<nsIPrincipal*>(&aPrincipal);
636 nsAutoCString origin;
637 mozilla::DebugOnly<nsresult> rv = principal->GetOrigin(origin);
638 MOZ_ASSERT(NS_SUCCEEDED(rv));
639 return aOut << "nsIPrincipal { " << origin << " }";
640 }
641 %}
642
643 /**
644 * Returns true if the URI is an Onion URI.
645 *
646 * May be called from any thread.
647 */
648 [infallible] readonly attribute boolean isOnion;
649
650 /**
651 * Returns true if the Domain Policy allows js execution
652 * for the Principal's URI
653 *
654 * NOTE: Main-Thread Only.
655 */
656 readonly attribute boolean isScriptAllowedByPolicy;
657
658
659 /**
660 * Returns true if the Principal can acess l10n
661 * features for the Provided DocumentURI
662 *
663 * NOTE: Main-Thread Only.
664 */
665 boolean isL10nAllowed(in nsIURI aDocumentURI);
666
667 /**
668 * Returns a nsIPrincipal, with one less Subdomain Segment
669 * Returns `nullptr` if there are no more segments to remove.
670 *
671 * May be called from any thread.
672 */
673 [infallible] readonly attribute nsIPrincipal nextSubDomainPrincipal;
674
675 /**
676 * Returns if the principal is for an IP address.
677 *
678 * May be called from any thread.
679 */
680 [infallible] readonly attribute boolean isIpAddress;
681
682 /**
683 * Returns if the principal is for a local IP address.
684 *
685 * May be called from any thread.
686 */
687 [infallible] readonly attribute boolean isLocalIpAddress;
688
689 /**
690 * If this principal is a null principal, reconstruct the precursor
691 * principal which this null principal was derived from. This may be null,
692 * in which case this is not a null principal, there is no known precursor
693 * to this null principal, it was created by a privileged context, or there
694 * was a bugged origin in the precursor string.
695 *
696 * May be called from any thread.
697 *
698 * WARNING: Be careful when using this principal, as it is not part of the
699 * security properties of the null principal, and should NOT be used to
700 * grant a resource with a null principal access to resources from its
701 * precursor origin. This is only to be used for places where tracking how
702 * null principals were created is necessary.
703 */
704 [infallible] readonly attribute nsIPrincipal precursorPrincipal;
705 };
706
707 /**
708 * If SystemPrincipal is too risky to use, but we want a principal to access
709 * more than one origin, ExpandedPrincipals letting us define an array of
710 * principals it subsumes. So script with an ExpandedPrincipals will gain
711 * same origin access when at least one of its principals it contains gained
712 * sameorigin acccess. An ExpandedPrincipal will be subsumed by the system
713 * principal, and by another ExpandedPrincipal that has all its principals.
714 * It is added for jetpack content-scripts to let them interact with the
715 * content and a well defined set of other domains, without the risk of
716 * leaking out a system principal to the content. See: Bug 734891
717 */
718 [uuid(f3e177Df-6a5e-489f-80a7-2dd1481471d8)]
719 interface nsIExpandedPrincipal : nsISupports
720 {
721 /**
722 * An array of principals that the expanded principal subsumes.
723 *
724 * When an expanded principal is used as a triggering principal for a
725 * request that inherits a security context, one of its constitutent
726 * principals is inherited rather than the expanded principal itself. The
727 * last principal in the allowlist is the default principal to inherit.
728 *
729 * Note: this list is not reference counted, it is shared, so
730 * should not be changed and should only be used ephemerally.
731 *
732 * May be called from any thread.
733 */
734 [noscript, notxpcom, nostdcall]
735 PrincipalArray AllowList();
736
737
738 /**
739 * Bug 1548468: Move CSP off ExpandedPrincipal.
740 *
741 * A Content Security Policy associated with this principal. Use this function
742 * to query the associated CSP with this principal.
743 *
744 * NOTE: Main-Thread Only.
745 */
746 readonly attribute nsIContentSecurityPolicy csp;
747
748 %{ C++
749 inline already_AddRefed<nsIContentSecurityPolicy> GetCsp()
750 {
751 nsCOMPtr<nsIContentSecurityPolicy> result;
752 mozilla::DebugOnly<nsresult> rv = GetCsp(getter_AddRefs(result));
753 MOZ_ASSERT(NS_SUCCEEDED(rv));
754 return result.forget();
755 }
756 %}
757
758 };