| blob | e7264aa5d850c2af42362a58ac9b5e3b2eabcd6c |
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 /* Defines the abstract interface for a principal. */
8 #include "nsIContentSecurityPolicy.idl"
9 #include "nsISerializable.idl"
10 #include "nsIAboutModule.idl"
11 #include "nsIReferrerInfo.idl"
13 #include "mozIDOMWindow.idl"
17 #include "nsCOMPtr.h"
18 #include "nsTArray.h"
19 #include "nsString.h"
20 #include "mozilla/DebugOnly.h"
21 namespace mozilla {
22 class OriginAttributes;
23 }
25 /**
26 * Some methods have a fast path for the case when we're comparing a principal
27 * to itself. The situation may happen for example with about:blank documents.
28 */
32 { \
36 \
38 return \
39 this == aOther || \
41 }
43 %}
47 webidl WebExtensionPolicy;
57 {
58 /**
59 * Returns whether the other principal is equivalent to this principal.
60 * Principals are considered equal if they are the same principal, or
61 * they have the same origin.
62 *
63 * May be called from any thread.
64 */
67 /**
68 * Returns whether the other principal is equivalent to this principal
69 * for permission purposes
70 * Matches {originAttributes ,equalsURIForPermission}
71 *
72 * May be called from any thread.
73 */
77 /**
78 * Like equals, but takes document.domain changes into account.
79 *
80 * May be called from any thread, though document.domain may racily change
81 * during the comparison when called from off-main-thread.
82 */
88 %}
90 /*
91 * Returns whether the Principals URI is equal to the other URI
92 *
93 * May be called from any thread.
94 */
97 /**
98 * Returns a hash value for the principal.
99 *
100 * May be called from any thread.
101 */
104 /**
105 * The principal URI to which this principal pertains. This is
106 * generally the document URI.
107 *
108 * May be called from any thread.
109 */
112 /**
113 * The domain URI to which this principal pertains.
114 * This is null unless script successfully sets document.domain to our URI
115 * or a superdomain of our URI.
116 * Setting this has no effect on the URI.
117 * See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin
118 *
119 * The getter may be called from any thread, but may only be set on the main thread.
120 */
123 /**
124 * Returns whether the other principal is equal to or weaker than this
125 * principal. Principals are equal if they are the same object or they
126 * have the same origin.
127 *
128 * Thus a principal always subsumes itself.
129 *
130 * The system principal subsumes itself and all other principals.
131 *
132 * A null principal (corresponding to an unknown, hence assumed minimally
133 * privileged, security context) is not equal to any other principal
134 * (including other null principals), and therefore does not subsume
135 * anything but itself.
136 *
137 * May be called from any thread.
138 */
141 /**
142 * Same as the previous method, subsumes(), but takes document.domain into
143 * account.
144 *
145 * May be called from any thread, though document.domain may racily change
146 * during the comparison when called from off-main-thread.
147 */
150 /**
151 * Same as the subsumesConsideringDomain(), but ignores the first party
152 * domain in its originAttributes.
153 *
154 * May be called from any thread, though document.domain may racily change
155 * during the comparison when called from off-main-thread.
156 */
163 #undef DECL_FAST_INLINE_HELPER
164 %}
166 /**
167 * Checks whether this principal is allowed to load the network resource
168 * located at the given URI under the same-origin policy. This means that
169 * content principals are only allowed to load resources from the same
170 * domain, the system principal is allowed to load anything, and null
171 * principals can only load URIs where they are the principal. This is
172 * changed by the optional flag allowIfInheritsPrincipal (which defaults to
173 * false) which allows URIs that inherit their loader's principal.
174 *
175 * If the load is allowed this function does nothing. If the load is not
176 * allowed the function throws NS_ERROR_DOM_BAD_URI.
177 *
178 * NOTE: Other policies might override this, such as the Access-Control
179 * specification.
180 * NOTE: The 'domain' attribute has no effect on the behaviour of this
181 * function.
182 * NOTE: Main-Thread Only.
183 *
184 *
185 * @param uri The URI about to be loaded.
186 * @param allowIfInheritsPrincipal If true, the load is allowed if the
187 * loadee inherits the principal of the
188 * loader.
189 * @throws NS_ERROR_DOM_BAD_URI if the load is not allowed.
190 */
194 /**
195 * Like checkMayLoad, but if returning an error will also report that error
196 * to the console, using the provided window id. The window id may be 0 to
197 * report to just the browser console, not web consoles.
198 *
199 * NOTE: Main-Thread Only.
200 */
205 /**
206 * Checks if the provided URI is considered third-party to the
207 * URI of the principal.
208 * Returns true if the URI is third-party.
209 *
210 * May be called from any thread.
211 *
212 * @param uri - The URI to check
213 */
216 /**
217 * Checks if the provided principal is considered third-party to the
218 * URI of the Principal.
219 * Returns true if the principal is third-party.
220 *
221 * May be called from any thread.
222 *
223 * @param principal - The principal to check
224 */
227 /**
228 * Checks if the provided channel is considered third-party to the
229 * URI of the principal.
230 * Returns true if the channel is third-party.
231 * Returns false if the Principal is a System Principal
232 *
233 * NOTE: Main-Thread Only.
234 *
235 * @param channel - The Channel to check
236 */
239 /**
240 * A dictionary of the non-default origin attributes associated with this
241 * nsIPrincipal.
242 *
243 * Attributes are tokens that are taken into account when determining whether
244 * two principals are same-origin - if any attributes differ, the principals
245 * are cross-origin, even if the scheme, host, and port are the same.
246 * Attributes should also be considered for all security and bucketing decisions,
247 * even those which make non-standard comparisons (like cookies, which ignore
248 * scheme, or quotas, which ignore subdomains).
249 *
250 * If you're looking for an easy-to-use canonical stringification of the origin
251 * attributes, see |originSuffix| below.
252 */
256 // May be called from any thread.
258 const_OriginAttributes OriginAttributesRef();
260 /**
261 * A canonical representation of the origin for this principal. This
262 * consists of a base string (which, for content principals, is of the
263 * format scheme://host:port), concatenated with |originAttributes| (see
264 * below).
265 *
266 * We maintain the invariant that principalA.equals(principalB) if and only
267 * if principalA.origin == principalB.origin.
268 *
269 * May be called from any thread.
270 */
273 /**
274 * Returns an ASCII compatible representation
275 * of the principals Origin
276 *
277 * May be called from any thread.
278 */
281 /**
282 * Returns the "host:port" portion of the
283 * Principals URI, if any.
284 *
285 * May be called from any thread.
286 */
289 /**
290 * Returns the "host:port" portion of the
291 * Principals URI, if any.
292 *
293 * May be called from any thread.
294 */
297 /**
298 * Returns the "host" portion of the
299 * Principals URI, if any.
300 *
301 * May be called from any thread.
302 */
305 /**
306 * Returns the prePath of the principals uri
307 * follows the format scheme:
308 * "scheme://username:password@hostname:portnumber/"
309 *
310 * May be called from any thread.
311 */
314 /**
315 * Returns the filePath of the principals uri. See nsIURI.
316 *
317 * May be called from any thread.
318 */
321 /**
322 * Returns the ASCII Spec from the Principals URI.
323 * Might return the empty string, e.g. for the case of
324 * a SystemPrincipal or an EpxandedPrincipal.
325 *
326 * May be called from any thread.
327 *
328 * WARNING: DO NOT USE FOR SECURITY CHECKS.
329 * just for logging purposes!
330 */
333 /**
334 * Returns the Spec from the Principals URI.
335 * Might return the empty string, e.g. for the case of
336 * a SystemPrincipal or an EpxandedPrincipal.
337 *
338 * May be called from any thread.
339 *
340 * WARNING: Do not land new Code using, as this will be removed soon
341 */
344 /**
345 * Returns the Pre Path of the Principals URI with
346 * user:pass stripped for privacy and spoof prevention
347 *
348 * May be called from any thread.
349 */
352 /**
353 * Returns the Spec of the Principals URI with
354 * user/pass/ref/query stripped for privacy and spoof prevention
355 *
356 * May be called from any thread.
357 */
360 /**
361 * Return the scheme of the principals URI
362 *
363 * May be called from any thread.
364 */
367 /**
368 * Checks if the Principal's URI Scheme matches with the parameter
369 *
370 * May be called from any thread.
371 *
372 * @param scheme The scheme to be checked
373 */
377 /*
378 * Checks if the Principal's URI is contained in the given Pref
379 *
380 * NOTE: Main-Thread Only.
381 *
382 * @param pref The pref to be checked
383 */
387 /**
388 * Check if the Principal's URI is contained in the given list
389 *
390 * May be called from any thread.
391 *
392 * @param list The list to be checked
393 */
397 /**
398 * Uses NS_Security Compare to determine if the
399 * other URI is same-origin as the uri of the Principal
400 *
401 * May be called from any thread.
402 */
406 /*
407 * Checks if the Principal is allowed to load the Provided file:// URI
408 * using NS_RelaxStrictFileOriginPolicy
409 *
410 * May be called from any thread.
411 */
415 /*
416 * Generates a Cache-Key for the Cors-Preflight Cache
417 *
418 * May be called from any thread.
419 */
425 /*
426 * Checks if the Principals URI has first party storage access
427 * when loaded inside the provided 3rd party resource window.
428 * See also: ContentBlocking::ShouldAllowAccessFor
429 *
430 * NOTE: Main-Thread Only.
431 */
435 /*
436 * Returns a Key for the LocalStorage Manager, used to
437 * check the Principals Origin Storage usage.
438 *
439 * May be called from any thread.
440 */
443 /**
444 * Implementation of
445 * https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
446 *
447 * The value returned by this method feeds into the the Secure Context
448 * algorithm that determins the value of Window.isSecureContext and
449 * WorkerGlobalScope.isSecureContext.
450 *
451 * This method returns false instead of throwing upon errors.
452 *
453 * NOTE: Main-Thread Only.
454 */
458 /**
459 * NOTE: Main-Thread Only.
460 */
464 /**
465 * Returns the Flags of the Principals
466 * associated AboutModule, in case there is one.
467 *
468 * NOTE: Main-Thread Only.
469 */
470 uint32_t getAboutModuleFlags();
472 /**
473 * Returns the Key to access the Principals
474 * Origin Local/Session Storage
475 *
476 * May be called from any thread.
477 */
480 /**
481 * Creates and Returns a new ReferrerInfo with the
482 * Principals URI
483 *
484 * May be called from any thread.
485 */
488 /**
489 * The base part of |origin| without the concatenation with |originSuffix|.
490 * This doesn't have the important invariants described above with |origin|,
491 * and as such should only be used for legacy situations.
492 *
493 * May be called from any thread.
494 */
497 /**
498 * A string of the form ^key1=value1&key2=value2, where each pair represents
499 * an attribute with a non-default value. If all attributes have default
500 * values, this is the empty string.
501 *
502 * The value of .originSuffix is automatically serialized into .origin, so any
503 * consumers using that are automatically origin-attribute-aware. Consumers with
504 * special requirements must inspect and compare .originSuffix manually.
505 *
506 * May be called from any thread.
507 */
510 /**
511 * A canonical representation of the site-origin for this principal.
512 * This string has the same format as |origin| (see above). Two principals
513 * with differing |siteOrigin| values will never compare equal, even when
514 * considering domain mutations.
515 *
516 * For most principals, |siteOrigin| matches |origin| precisely. Only
517 * principals which allow mutating |domain|, such as ContentPrincipal,
518 * override the default implementation in BasePrincipal.
519 *
520 * May be called from any thread.
521 */
524 /**
525 * The base part of |siteOrigin| without the concatenation with
526 * |originSuffix|.
527 *
528 * May be called from any thread.
529 */
532 /**
533 * The base domain of the principal URI to which this principal pertains
534 * (generally the document URI), handling null principals and
535 * non-hierarchical schemes correctly.
536 *
537 * May be called from any thread.
538 */
541 /**
542 * Gets the ID of the add-on this principal belongs to.
543 *
544 * May be called from any thread.
545 */
548 /**
549 * Gets the WebExtensionPolicy of the add-on this principal belongs to.
550 *
551 * NOTE: Main-Thread Only.
552 */
556 /**
557 * Gets the id of the user context this principal is inside. If this
558 * principal is inside the default userContext, this returns
559 * nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID.
560 *
561 * May be called from any thread.
562 */
565 /**
566 * Gets the id of the private browsing state of the context containing
567 * this principal. If the principal has a private browsing value of 0, it
568 * is not in private browsing.
569 *
570 * May be called from any thread.
571 */
574 /**
575 * Returns true iff the principal is inside an isolated mozbrowser element.
576 * <xul:browser> is not considered to be a mozbrowser element.
577 * <iframe mozbrowser noisolation> does not count as isolated since
578 * isolation is disabled. Isolation can only be disabled if the
579 * containing document is chrome.
580 *
581 * May be called from any thread.
582 */
585 /**
586 * Returns true iff this is a null principal (corresponding to an
587 * unknown, hence assumed minimally privileged, security context).
588 *
589 * May be called from any thread.
590 */
593 /**
594 * Returns true iff this principal corresponds to a principal origin.
595 *
596 * May be called from any thread.
597 */
600 /**
601 * Returns true iff this is an expanded principal.
602 *
603 * May be called from any thread.
604 */
607 /**
608 * Returns true iff this is the system principal. C++ callers should use
609 * IsSystemPrincipal() instead of this scriptable accessor.
610 *
611 * May be called from any thread.
612 */
615 /**
616 * Faster and nicer version callable from C++. Callers must include
617 * BasePrincipal.h, where it's implemented.
618 *
619 * May be called from any thread.
620 */
623 %}
625 /**
626 * Returns true iff the principal is either an addon principal or
627 * an expanded principal, which contains at least one addon principal.
628 *
629 * May be called from any thread.
630 */
634 // MOZ_DBG support (threadsafe)
637 nsAutoCString origin;
641 }
642 %}
644 /**
645 * Returns true if the URI is an Onion URI.
646 *
647 * May be called from any thread.
648 */
651 /**
652 * Returns true if the Domain Policy allows js execution
653 * for the Principal's URI
654 *
655 * NOTE: Main-Thread Only.
656 */
660 /**
661 * Returns true if the Principal can acess l10n
662 * features for the Provided DocumentURI
663 *
664 * NOTE: Main-Thread Only.
665 */
668 /**
669 * Returns a nsIPrincipal, with one less Subdomain Segment
670 * Returns `nullptr` if there are no more segments to remove.
671 *
672 * May be called from any thread.
673 */
676 /**
677 * Returns if the principal is for an IP address.
678 *
679 * May be called from any thread.
680 */
683 /**
684 * Returns if the principal is for a local IP address.
685 *
686 * May be called from any thread.
687 */
690 /**
691 * If this principal is a null principal, reconstruct the precursor
692 * principal which this null principal was derived from. This may be null,
693 * in which case this is not a null principal, there is no known precursor
694 * to this null principal, it was created by a privileged context, or there
695 * was a bugged origin in the precursor string.
696 *
697 * May be called from any thread.
698 *
699 * WARNING: Be careful when using this principal, as it is not part of the
700 * security properties of the null principal, and should NOT be used to
701 * grant a resource with a null principal access to resources from its
702 * precursor origin. This is only to be used for places where tracking how
703 * null principals were created is necessary.
704 */
706 };
708 /**
709 * If SystemPrincipal is too risky to use, but we want a principal to access
710 * more than one origin, ExpandedPrincipals letting us define an array of
711 * principals it subsumes. So script with an ExpandedPrincipals will gain
712 * same origin access when at least one of its principals it contains gained
713 * sameorigin acccess. An ExpandedPrincipal will be subsumed by the system
714 * principal, and by another ExpandedPrincipal that has all its principals.
715 * It is added for jetpack content-scripts to let them interact with the
716 * content and a well defined set of other domains, without the risk of
717 * leaking out a system principal to the content. See: Bug 734891
718 */
721 {
722 /**
723 * An array of principals that the expanded principal subsumes.
724 *
725 * When an expanded principal is used as a triggering principal for a
726 * request that inherits a security context, one of its constitutent
727 * principals is inherited rather than the expanded principal itself. The
728 * last principal in the allowlist is the default principal to inherit.
729 *
730 * Note: this list is not reference counted, it is shared, so
731 * should not be changed and should only be used ephemerally.
732 *
733 * May be called from any thread.
734 */
736 PrincipalArray AllowList();
739 /**
740 * Bug 1548468: Move CSP off ExpandedPrincipal.
741 *
742 * A Content Security Policy associated with this principal. Use this function
743 * to query the associated CSP with this principal.
744 *
745 * NOTE: Main-Thread Only.
746 */
751 {
755 return result.forget();
756 }
757 %}
759 };