| blob | a3849dd723154b4b8aabc81f20665e1e5b937541 |
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 /* Defines the abstract interface for a principal. */
8 #include "nsIContentSecurityPolicy.idl"
9 #include "nsISerializable.idl"
10 #include "nsIAboutModule.idl"
11 #include "nsIReferrerInfo.idl"
13 #include "mozIDOMWindow.idl"
17 #include "nsCOMPtr.h"
18 #include "nsTArray.h"
19 #include "nsString.h"
20 #include "mozilla/DebugOnly.h"
21 namespace mozilla {
22 class OriginAttributes;
23 }
25 /**
26 * Some methods have a fast path for the case when we're comparing a principal
27 * to itself. The situation may happen for example with about:blank documents.
28 */
32 { \
36 \
38 return \
39 this == aOther || \
41 }
43 %}
47 webidl WebExtensionPolicy;
57 {
58 /**
59 * Returns whether the other principal is equivalent to this principal.
60 * Principals are considered equal if they are the same principal, or
61 * they have the same origin.
62 *
63 * May be called from any thread.
64 */
67 /**
68 * Returns whether the other principal is equivalent to this principal
69 * for permission purposes
70 * Matches {originAttributes ,equalsURIForPermission}
71 *
72 * May be called from any thread.
73 */
77 /**
78 * Like equals, but takes document.domain changes into account.
79 *
80 * May be called from any thread, though document.domain may racily change
81 * during the comparison when called from off-main-thread.
82 */
88 %}
90 /*
91 * Returns whether the Principals URI is equal to the other URI
92 *
93 * May be called from any thread.
94 */
97 /**
98 * Returns a hash value for the principal.
99 *
100 * May be called from any thread.
101 */
104 /**
105 * The principal URI to which this principal pertains. This is
106 * generally the document URI.
107 *
108 * May be called from any thread.
109 */
112 /**
113 * The domain URI to which this principal pertains.
114 * This is null unless script successfully sets document.domain to our URI
115 * or a superdomain of our URI.
116 * Setting this has no effect on the URI.
117 * See https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Changing_origin
118 *
119 * The getter may be called from any thread, but may only be set on the main thread.
120 */
123 /**
124 * Returns whether the other principal is equal to or weaker than this
125 * principal. Principals are equal if they are the same object or they
126 * have the same origin.
127 *
128 * Thus a principal always subsumes itself.
129 *
130 * The system principal subsumes itself and all other principals.
131 *
132 * A null principal (corresponding to an unknown, hence assumed minimally
133 * privileged, security context) is not equal to any other principal
134 * (including other null principals), and therefore does not subsume
135 * anything but itself.
136 *
137 * May be called from any thread.
138 */
141 /**
142 * Same as the previous method, subsumes(), but takes document.domain into
143 * account.
144 *
145 * May be called from any thread, though document.domain may racily change
146 * during the comparison when called from off-main-thread.
147 */
150 /**
151 * Same as the subsumesConsideringDomain(), but ignores the first party
152 * domain in its originAttributes.
153 *
154 * May be called from any thread, though document.domain may racily change
155 * during the comparison when called from off-main-thread.
156 */
163 #undef DECL_FAST_INLINE_HELPER
164 %}
166 /**
167 * Checks whether this principal is allowed to load the network resource
168 * located at the given URI under the same-origin policy. This means that
169 * content principals are only allowed to load resources from the same
170 * domain, the system principal is allowed to load anything, and null
171 * principals can only load URIs where they are the principal. This is
172 * changed by the optional flag allowIfInheritsPrincipal (which defaults to
173 * false) which allows URIs that inherit their loader's principal.
174 *
175 * If the load is allowed this function does nothing. If the load is not
176 * allowed the function throws NS_ERROR_DOM_BAD_URI.
177 *
178 * NOTE: Other policies might override this, such as the Access-Control
179 * specification.
180 * NOTE: The 'domain' attribute has no effect on the behaviour of this
181 * function.
182 * NOTE: Main-Thread Only.
183 *
184 *
185 * @param uri The URI about to be loaded.
186 * @param allowIfInheritsPrincipal If true, the load is allowed if the
187 * loadee inherits the principal of the
188 * loader.
189 * @throws NS_ERROR_DOM_BAD_URI if the load is not allowed.
190 */
194 /**
195 * Like checkMayLoad, but if returning an error will also report that error
196 * to the console, using the provided window id. The window id may be 0 to
197 * report to just the browser console, not web consoles.
198 *
199 * NOTE: Main-Thread Only.
200 */
205 /**
206 * Checks if the provided URI is considered third-party to the
207 * URI of the principal.
208 * Returns true if the URI is third-party.
209 *
210 * May be called from any thread.
211 *
212 * @param uri - The URI to check
213 */
216 /**
217 * Checks if the provided principal is considered third-party to the
218 * URI of the Principal.
219 * Returns true if the principal is third-party.
220 *
221 * May be called from any thread.
222 *
223 * @param principal - The principal to check
224 */
227 /**
228 * Checks if the provided channel is considered third-party to the
229 * URI of the principal.
230 * Returns true if the channel is third-party.
231 * Returns false if the Principal is a System Principal
232 *
233 * NOTE: Main-Thread Only.
234 *
235 * @param channel - The Channel to check
236 */
239 /**
240 * A dictionary of the non-default origin attributes associated with this
241 * nsIPrincipal.
242 *
243 * Attributes are tokens that are taken into account when determining whether
244 * two principals are same-origin - if any attributes differ, the principals
245 * are cross-origin, even if the scheme, host, and port are the same.
246 * Attributes should also be considered for all security and bucketing decisions,
247 * even those which make non-standard comparisons (like cookies, which ignore
248 * scheme, or quotas, which ignore subdomains).
249 *
250 * If you're looking for an easy-to-use canonical stringification of the origin
251 * attributes, see |originSuffix| below.
252 */
256 // May be called from any thread.
258 const_OriginAttributes OriginAttributesRef();
260 /**
261 * A canonical representation of the origin for this principal. This
262 * consists of a base string (which, for content principals, is of the
263 * format scheme://host:port), concatenated with |originAttributes| (see
264 * below).
265 *
266 * We maintain the invariant that principalA.equals(principalB) if and only
267 * if principalA.origin == principalB.origin.
268 *
269 * May be called from any thread.
270 */
273 /**
274 * Returns an ASCII compatible serialization of the principal's origin, as
275 * specified by the whatwg HTML specification. If the principal does not
276 * have a host, the origin will be "null".
277 *
278 * https://html.spec.whatwg.org/multipage/browsers.html#ascii-serialisation-of-an-origin
279 *
280 * Note that this is different from `origin`, does not contain
281 * gecko-specific metadata like origin attributes, and should not be used
282 * for permissions or security checks.
283 *
284 * May be called from any thread.
285 */
288 /**
289 * Returns the "host:port" portion of the
290 * Principals URI, if any.
291 *
292 * May be called from any thread.
293 */
296 /**
297 * Returns the "host:port" portion of the
298 * Principals URI, if any.
299 *
300 * May be called from any thread.
301 */
304 /**
305 * Returns the "host" portion of the
306 * Principals URI, if any.
307 *
308 * May be called from any thread.
309 */
312 /**
313 * Returns the prePath of the principals uri
314 * follows the format scheme:
315 * "scheme://username:password@hostname:portnumber/"
316 *
317 * May be called from any thread.
318 */
321 /**
322 * Returns the filePath of the principals uri. See nsIURI.
323 *
324 * May be called from any thread.
325 */
328 /**
329 * Returns the ASCII Spec from the Principals URI.
330 * Might return the empty string, e.g. for the case of
331 * a SystemPrincipal or an EpxandedPrincipal.
332 *
333 * May be called from any thread.
334 *
335 * WARNING: DO NOT USE FOR SECURITY CHECKS.
336 * just for logging purposes!
337 */
340 /**
341 * Returns the Spec from the Principals URI.
342 * Might return the empty string, e.g. for the case of
343 * a SystemPrincipal or an EpxandedPrincipal.
344 *
345 * May be called from any thread.
346 *
347 * WARNING: Do not land new Code using, as this will be removed soon
348 */
351 /**
352 * Returns the Pre Path of the Principals URI with
353 * user:pass stripped for privacy and spoof prevention
354 *
355 * May be called from any thread.
356 */
359 /**
360 * Returns the Spec of the Principals URI with
361 * user/pass/ref/query stripped for privacy and spoof prevention
362 *
363 * May be called from any thread.
364 */
367 /**
368 * Return the scheme of the principals URI
369 *
370 * May be called from any thread.
371 */
374 /**
375 * Checks if the Principal's URI Scheme matches with the parameter
376 *
377 * May be called from any thread.
378 *
379 * @param scheme The scheme to be checked
380 */
384 /*
385 * Checks if the Principal's URI is contained in the given Pref
386 *
387 * NOTE: Main-Thread Only.
388 *
389 * @param pref The pref to be checked
390 */
394 /**
395 * Check if the Principal's URI is contained in the given list
396 *
397 * May be called from any thread.
398 *
399 * @param list The list to be checked
400 */
404 /**
405 * Check if the Principal's URI is a content-accessible about: page
406 *
407 * May be called from any thread.
408 */
412 /**
413 * Uses NS_Security Compare to determine if the
414 * other URI is same-origin as the uri of the Principal
415 *
416 * May be called from any thread.
417 */
421 /*
422 * Checks if the Principal is allowed to load the Provided file:// URI
423 * using NS_RelaxStrictFileOriginPolicy
424 *
425 * May be called from any thread.
426 */
430 /*
431 * Generates a Cache-Key for the Cors-Preflight Cache
432 *
433 * May be called from any thread.
434 */
440 /*
441 * Checks if the Principals URI has first party storage access
442 * when loaded inside the provided 3rd party resource window.
443 * See also: ContentBlocking::ShouldAllowAccessFor
444 *
445 * NOTE: Main-Thread Only.
446 */
450 /*
451 * Returns a Key for the LocalStorage Manager, used to
452 * check the Principals Origin Storage usage.
453 *
454 * May be called from any thread.
455 */
458 /**
459 * Implementation of
460 * https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
461 *
462 * The value returned by this method feeds into the the Secure Context
463 * algorithm that determins the value of Window.isSecureContext and
464 * WorkerGlobalScope.isSecureContext.
465 *
466 * This method returns false instead of throwing upon errors.
467 *
468 * NOTE: Main-Thread Only.
469 */
473 /**
474 * NOTE: Main-Thread Only.
475 */
479 /**
480 * Returns the Flags of the Principals
481 * associated AboutModule, in case there is one.
482 *
483 * NOTE: Main-Thread Only.
484 */
485 uint32_t getAboutModuleFlags();
487 /**
488 * Returns the Key to access the Principals
489 * Origin Local/Session Storage
490 *
491 * May be called from any thread.
492 */
495 /**
496 * Creates and Returns a new ReferrerInfo with the
497 * Principals URI
498 *
499 * May be called from any thread.
500 */
503 /**
504 * The base part of |origin| without the concatenation with |originSuffix|.
505 * This doesn't have the important invariants described above with |origin|,
506 * and as such should only be used for legacy situations.
507 *
508 * May be called from any thread.
509 */
512 /**
513 * A string of the form ^key1=value1&key2=value2, where each pair represents
514 * an attribute with a non-default value. If all attributes have default
515 * values, this is the empty string.
516 *
517 * The value of .originSuffix is automatically serialized into .origin, so any
518 * consumers using that are automatically origin-attribute-aware. Consumers with
519 * special requirements must inspect and compare .originSuffix manually.
520 *
521 * May be called from any thread.
522 */
525 /**
526 * A canonical representation of the site-origin for this principal.
527 * This string has the same format as |origin| (see above). Two principals
528 * with differing |siteOrigin| values will never compare equal, even when
529 * considering domain mutations.
530 *
531 * For most principals, |siteOrigin| matches |origin| precisely. Only
532 * principals which allow mutating |domain|, such as ContentPrincipal,
533 * override the default implementation in BasePrincipal.
534 *
535 * May be called from any thread.
536 */
539 /**
540 * The base part of |siteOrigin| without the concatenation with
541 * |originSuffix|.
542 *
543 * May be called from any thread.
544 */
547 /**
548 * The base domain of the principal URI to which this principal pertains
549 * (generally the document URI), handling null principals and
550 * non-hierarchical schemes correctly.
551 *
552 * May be called from any thread.
553 */
556 /**
557 * Gets the ID of the add-on this principal belongs to.
558 *
559 * May be called from any thread.
560 */
563 /**
564 * Gets the WebExtensionPolicy of the add-on this principal belongs to.
565 *
566 * NOTE: Main-Thread Only.
567 */
571 /**
572 * Gets the id of the user context this principal is inside. If this
573 * principal is inside the default userContext, this returns
574 * nsIScriptSecurityManager::DEFAULT_USER_CONTEXT_ID.
575 *
576 * May be called from any thread.
577 */
580 /**
581 * Gets the id of the private browsing state of the context containing
582 * this principal. If the principal has a private browsing value of 0, it
583 * is not in private browsing.
584 *
585 * May be called from any thread.
586 */
589 /**
590 * Returns true iff this is a null principal (corresponding to an
591 * unknown, hence assumed minimally privileged, security context).
592 *
593 * May be called from any thread.
594 */
597 /**
598 * Returns true iff this principal corresponds to a principal origin.
599 *
600 * May be called from any thread.
601 */
604 /**
605 * Returns true iff this is an expanded principal.
606 *
607 * May be called from any thread.
608 */
611 /**
612 * Returns true iff this is the system principal. C++ callers should use
613 * IsSystemPrincipal() instead of this scriptable accessor.
614 *
615 * May be called from any thread.
616 */
619 /**
620 * Faster and nicer version callable from C++. Callers must include
621 * BasePrincipal.h, where it's implemented.
622 *
623 * May be called from any thread.
624 */
627 %}
629 /**
630 * Returns true iff the principal is either an addon principal or
631 * an expanded principal, which contains at least one addon principal.
632 *
633 * May be called from any thread.
634 */
638 // MOZ_DBG support (threadsafe)
641 nsAutoCString origin;
645 }
646 %}
648 /**
649 * Returns true if the URI is an Onion URI.
650 *
651 * May be called from any thread.
652 */
655 /**
656 * Returns true if the Domain Policy allows js execution
657 * for the Principal's URI
658 *
659 * NOTE: Main-Thread Only.
660 */
664 /**
665 * Returns true if the Principal can acess l10n
666 * features for the Provided DocumentURI
667 *
668 * NOTE: Main-Thread Only.
669 */
672 /**
673 * Returns a nsIPrincipal, with one less Subdomain Segment
674 * Returns `nullptr` if there are no more segments to remove.
675 *
676 * May be called from any thread.
677 */
680 /**
681 * Returns if the principal is for an IP address.
682 *
683 * May be called from any thread.
684 */
687 /**
688 * Returns if the principal is for a local IP address.
689 *
690 * May be called from any thread.
691 */
694 /**
695 * If this principal is a null principal, reconstruct the precursor
696 * principal which this null principal was derived from. This may be null,
697 * in which case this is not a null principal, there is no known precursor
698 * to this null principal, it was created by a privileged context, or there
699 * was a bugged origin in the precursor string.
700 *
701 * May be called from any thread.
702 *
703 * WARNING: Be careful when using this principal, as it is not part of the
704 * security properties of the null principal, and should NOT be used to
705 * grant a resource with a null principal access to resources from its
706 * precursor origin. This is only to be used for places where tracking how
707 * null principals were created is necessary.
708 */
710 };
712 /**
713 * If SystemPrincipal is too risky to use, but we want a principal to access
714 * more than one origin, ExpandedPrincipals letting us define an array of
715 * principals it subsumes. So script with an ExpandedPrincipals will gain
716 * same origin access when at least one of its principals it contains gained
717 * sameorigin acccess. An ExpandedPrincipal will be subsumed by the system
718 * principal, and by another ExpandedPrincipal that has all its principals.
719 * It is added for jetpack content-scripts to let them interact with the
720 * content and a well defined set of other domains, without the risk of
721 * leaking out a system principal to the content. See: Bug 734891
722 */
725 {
726 /**
727 * An array of principals that the expanded principal subsumes.
728 *
729 * When an expanded principal is used as a triggering principal for a
730 * request that inherits a security context, one of its constitutent
731 * principals is inherited rather than the expanded principal itself. The
732 * last principal in the allowlist is the default principal to inherit.
733 *
734 * Note: this list is not reference counted, it is shared, so
735 * should not be changed and should only be used ephemerally.
736 *
737 * May be called from any thread.
738 */
740 PrincipalArray AllowList();
743 /**
744 * Bug 1548468: Move CSP off ExpandedPrincipal.
745 *
746 * A Content Security Policy associated with this principal. Use this function
747 * to query the associated CSP with this principal.
748 *
749 * NOTE: Main-Thread Only.
750 */
755 {
759 return result.forget();
760 }
761 %}
763 };