caps/nsIScriptSecurityManager.idl

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #include "nsISupports.idl"
   7 #include "nsIPrincipal.idl"
   8 interface nsIURI;
   9 interface nsIChannel;
  10 interface nsIClassInfo;
  11 interface nsIDocShell;
  12 interface nsIDomainPolicy;
  13 interface nsILoadContext;
  14
  15 %{ C++
  16 #include "jspubtd.h"
  17 %}
  18
  19 [ptr] native JSContextPtr(JSContext);
  20 [ptr] native JSObjectPtr(JSObject);
  21
  22 [scriptable, uuid(f6e1e37e-14d0-44fa-a9bb-712bfad6c5f7)]
  23 interface nsIScriptSecurityManager : nsISupports
  24 {
  25     /**
  26      * For each of these hooks returning NS_OK means 'let the action continue'.
  27      * Returning an error code means 'veto the action'. XPConnect will return
  28      * false to the js engine if the action is vetoed. The implementor of this
  29      * interface is responsible for setting a JS exception into the JSContext
  30      * if that is appropriate.
  31      */
  32     [noscript] void canCreateWrapper(in JSContextPtr aJSContext,
  33                                      in nsIIDRef aIID,
  34                                      in nsISupports aObj,
  35                                      in nsIClassInfo aClassInfo);
  36
  37     [noscript] void canCreateInstance(in JSContextPtr aJSContext,
  38                                       in nsCIDRef aCID);
  39
  40     [noscript] void canGetService(in JSContextPtr aJSContext,
  41                                   in nsCIDRef aCID);
  42
  43     /**
  44      * Check that the script currently running in context "cx" can load "uri".
  45      *
  46      * Will return error code NS_ERROR_DOM_BAD_URI if the load request
  47      * should be denied.
  48      *
  49      * @param cx the JSContext of the script causing the load
  50      * @param uri the URI that is being loaded
  51      */
  52     [noscript] void checkLoadURIFromScript(in JSContextPtr cx, in nsIURI uri);
  53
  54     /**
  55      * Default CheckLoadURI permissions
  56      */
  57     // Default permissions
  58     const unsigned long STANDARD = 0;
  59
  60     // Indicate that the load is a load of a new document that is not
  61     // user-triggered.  Here "user-triggered" could be broadly interpreted --
  62     // for example, scripted sets of window.location.href might be treated as
  63     // "user-triggered" in some circumstances.  A typical example of a load
  64     // that is not user-triggered is a <meta> refresh load.  If this flag is
  65     // set, the load will be denied if the originating principal's URI has the
  66     // nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT flag set.
  67     const unsigned long LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT = 1 << 0;
  68
  69     // Allow the loading of chrome URLs by non-chrome URLs.  Use with great
  70     // care!  This will actually allow the loading of any URI which has the
  71     // nsIProtocolHandler::URI_IS_UI_RESOURCE protocol handler flag set.  Ths
  72     // probably means at least chrome: and resource:.
  73     const unsigned long ALLOW_CHROME = 1 << 1;
  74
  75     // Don't allow URLs which would inherit the caller's principal (such as
  76     // javascript: or data:) to load.  See
  77     // nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT.
  78     const unsigned long DISALLOW_INHERIT_PRINCIPAL = 1 << 2;
  79
  80     // Alias for DISALLOW_INHERIT_PRINCIPAL for backwards compat with
  81     // JS-implemented extensions.
  82     const unsigned long DISALLOW_SCRIPT_OR_DATA = DISALLOW_INHERIT_PRINCIPAL;
  83
  84     // Don't allow javascript: URLs to load
  85     //   WARNING: Support for this value was added in Mozilla 1.7.8 and
  86     //   Firefox 1.0.4.  Use in prior versions WILL BE IGNORED.
  87     // When using this, make sure that you actually want DISALLOW_SCRIPT, not
  88     // DISALLOW_INHERIT_PRINCIPAL
  89     const unsigned long DISALLOW_SCRIPT = 1 << 3;
  90
  91     // Do not report errors if we just want to check if a principal can load
  92     // a URI to not unnecessarily spam the error console.
  93     const unsigned long DONT_REPORT_ERRORS = 1 << 4;
  94
  95     /**
  96      * Check that content with principal aPrincipal can load "uri".
  97      *
  98      * Will return error code NS_ERROR_DOM_BAD_URI if the load request
  99      * should be denied.
 100      *
 101      * @param aPrincipal the principal identifying the actor causing the load
 102      * @param uri the URI that is being loaded
 103      * @param flags the permission set, see above
 104      */
 105     void checkLoadURIWithPrincipal(in nsIPrincipal aPrincipal,
 106                                    in nsIURI uri,
 107                                    in unsigned long flags);
 108
 109     /**
 110      * Similar to checkLoadURIWithPrincipal but there are two differences:
 111      *
 112      * 1) The URI is a string, not a URI object.
 113      * 2) This function assumes that the URI may still be subject to fixup (and
 114      * hence will check whether fixed-up versions of the URI are allowed to
 115      * load as well); if any of the versions of this URI is not allowed, this
 116      * function will return error code NS_ERROR_DOM_BAD_URI.
 117      */
 118     void checkLoadURIStrWithPrincipal(in nsIPrincipal aPrincipal,
 119                                       in AUTF8String uri,
 120                                       in unsigned long flags);
 121
 122     /**
 123      * Return true if scripts may be executed in the scope of the given global.
 124      */
 125     [noscript,notxpcom] boolean scriptAllowed(in JSObjectPtr aGlobal);
 126
 127     ///////////////// Principals ///////////////////////
 128
 129     /**
 130      * Return the all-powerful system principal.
 131      */
 132     nsIPrincipal getSystemPrincipal();
 133
 134     /**
 135      * Return a principal that has the same origin as aURI.
 136      * This principals should not be used for any data/permission check, it will
 137      * have appId = UNKNOWN_APP_ID.
 138      */
 139     nsIPrincipal getSimpleCodebasePrincipal(in nsIURI aURI);
 140
 141     /**
 142      * Returns a principal that has the given information.
 143      * @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
 144      * @param inMozBrowser is true if the principal has to be considered as
 145      * inside a mozbrowser frame.
 146      */
 147     nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
 148                                          in unsigned long appId,
 149                                          in boolean inMozBrowser);
 150
 151     /**
 152      * Returns a principal that has the appId and inMozBrowser of the load
 153      * context.
 154      * @param loadContext to get appId/inMozBrowser from.
 155      */
 156     nsIPrincipal getLoadContextCodebasePrincipal(in nsIURI uri,
 157                                                  in nsILoadContext loadContext);
 158
 159     /**
 160      * Returns a principal that has the appId and inMozBrowser of the docshell
 161      * inside a mozbrowser frame.
 162      * @param docShell to get appId/inMozBrowser from.
 163      */
 164     nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri,
 165                                               in nsIDocShell docShell);
 166
 167     /**
 168      * Returns a principal with that has the same origin as uri and is not part
 169      * of an appliction.
 170      * The returned principal will have appId = NO_APP_ID.
 171      */
 172     nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
 173
 174     /**
 175      * Legacy name for getNoAppCodebasePrincipal.
 176      *
 177      * @deprecated use getNoAppCodebasePrincipal instead.
 178      */
 179     [deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri);
 180
 181     /**
 182      * Returns OK if aJSContext and target have the same "origin"
 183      * (scheme, host, and port).
 184      */
 185     [noscript] void checkSameOrigin(in JSContextPtr aJSContext,
 186                                     in nsIURI aTargetURI);
 187
 188     /**
 189      * Returns OK if aSourceURI and target have the same "origin"
 190      * (scheme, host, and port).
 191      * ReportError flag suppresses error reports for functions that
 192      * don't need reporting.
 193      */
 194     void checkSameOriginURI(in nsIURI aSourceURI,
 195                             in nsIURI aTargetURI,
 196                             in boolean reportError);
 197     /**
 198      * Get the principal for the given channel.  This will typically be the
 199      * channel owner if there is one, and the codebase principal for the
 200      * channel's URI otherwise.  aChannel must not be null.
 201      */
 202     nsIPrincipal getChannelPrincipal(in nsIChannel aChannel);
 203
 204     /**
 205      * Check whether a given principal is a system principal.  This allows us
 206      * to avoid handing back the system principal to script while allowing
 207      * script to check whether a given principal is system.
 208      */
 209     boolean isSystemPrincipal(in nsIPrincipal aPrincipal);
 210 %{C++
 211     bool IsSystemPrincipal(nsIPrincipal* aPrincipal) {
 212       bool isSystem = false;
 213       IsSystemPrincipal(aPrincipal, &isSystem);
 214       return isSystem;
 215     }
 216 %}
 217
 218     const unsigned long NO_APP_ID = 0;
 219     const unsigned long UNKNOWN_APP_ID = 4294967295; // UINT32_MAX
 220     const unsigned long SAFEBROWSING_APP_ID = 4294967294; // UINT32_MAX - 1
 221
 222     /**
 223      * Returns the jar prefix for the app.
 224      * appId can be NO_APP_ID or a valid app id. appId should not be
 225      * UNKNOWN_APP_ID.
 226      * inMozBrowser has to be true if the app is inside a mozbrowser iframe.
 227      */
 228     AUTF8String getJarPrefix(in unsigned long appId, in boolean inMozBrowser);
 229
 230     /**
 231      * Per-domain controls to enable and disable script. This system is designed
 232      * to be used by at most one consumer, and enforces this with its semantics.
 233      *
 234      * Initially, domainPolicyActive is false. When activateDomainPolicy() is
 235      * invoked, domainPolicyActive becomes true, and subsequent calls to
 236      * activateDomainPolicy() will fail until deactivate() is invoked on the
 237      * nsIDomainPolicy returned from activateDomainPolicy(). At this point,
 238      * domainPolicyActive becomes false again, and a new consumer may acquire
 239      * control of the system by invoking activateDomainPolicy().
 240      */
 241     nsIDomainPolicy activateDomainPolicy();
 242     readonly attribute boolean domainPolicyActive;
 243
 244     /**
 245      * Query mechanism for the above policy.
 246      *
 247      * If domainPolicyEnabled is false, this simply returns the current value
 248      * of javascript.enabled. Otherwise, it returns the same value, but taking
 249      * the various blacklist/whitelist exceptions into account.
 250      */
 251     bool policyAllowsScript(in nsIURI aDomain);
 252 };
 253
 254 %{C++
 255 #define NS_SCRIPTSECURITYMANAGER_CONTRACTID "@mozilla.org/scriptsecuritymanager;1"
 256 %}