dom/interfaces/security/nsIContentSecurityPolicy.idl

   1 /* This Source Code Form is subject to the terms of the Mozilla Public
   2  * License, v. 2.0. If a copy of the MPL was not distributed with this
   3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   4
   5 #include "nsISerializable.idl"
   6 #include "nsIContentPolicy.idl"
   7
   8 interface nsIURI;
   9 interface nsIEventTarget;
  10 interface nsILoadInfo;
  11 interface nsIPrincipal;
  12 interface nsICSPEventListener;
  13
  14 webidl Element;
  15 webidl Document;
  16
  17 /**
  18  * nsIContentSecurityPolicy
  19  * Describes an XPCOM component used to model and enforce CSPs.  Instances of
  20  * this class may have multiple policies within them, but there should only be
  21  * one of these per document/principal.
  22  */
  23
  24 %{C++
  25 class nsCSPPolicy;
  26 %}
  27
  28 [ptr] native CSPPolicyPtr(const nsCSPPolicy);
  29
  30 [scriptable, builtinclass, uuid(1d632008-6c97-48ae-a51c-16e2daa0f4f6)]
  31 interface nsIContentSecurityPolicy : nsISerializable
  32 {
  33   /**
  34    * Directives supported by Content Security Policy.  These are enums for
  35    * the CSPDirective type.
  36    * The NO_DIRECTIVE entry is  used for checking default permissions and
  37    * returning failure when asking CSP which directive to check.
  38    *
  39    * NOTE: When implementing a new directive, you will need to add it here but also
  40    * add it to the CSPStrDirectives array in nsCSPUtils.h.
  41    */
  42   cenum CSPDirective : 8 {
  43     NO_DIRECTIVE                          = 0,
  44     DEFAULT_SRC_DIRECTIVE                 = 1,
  45     SCRIPT_SRC_DIRECTIVE                  = 2,
  46     OBJECT_SRC_DIRECTIVE                  = 3,
  47     STYLE_SRC_DIRECTIVE                   = 4,
  48     IMG_SRC_DIRECTIVE                     = 5,
  49     MEDIA_SRC_DIRECTIVE                   = 6,
  50     FRAME_SRC_DIRECTIVE                   = 7,
  51     FONT_SRC_DIRECTIVE                    = 8,
  52     CONNECT_SRC_DIRECTIVE                 = 9,
  53     REPORT_URI_DIRECTIVE                  = 10,
  54     FRAME_ANCESTORS_DIRECTIVE             = 11,
  55     REFLECTED_XSS_DIRECTIVE               = 12,
  56     BASE_URI_DIRECTIVE                    = 13,
  57     FORM_ACTION_DIRECTIVE                 = 14,
  58     WEB_MANIFEST_SRC_DIRECTIVE            = 15,
  59     UPGRADE_IF_INSECURE_DIRECTIVE         = 16,
  60     CHILD_SRC_DIRECTIVE                   = 17,
  61     BLOCK_ALL_MIXED_CONTENT               = 18,
  62     SANDBOX_DIRECTIVE                     = 19,
  63     WORKER_SRC_DIRECTIVE                  = 20,
  64     SCRIPT_SRC_ELEM_DIRECTIVE             = 21,
  65     SCRIPT_SRC_ATTR_DIRECTIVE             = 22,
  66     STYLE_SRC_ELEM_DIRECTIVE              = 23,
  67     STYLE_SRC_ATTR_DIRECTIVE              = 24,
  68     REQUIRE_TRUSTED_TYPES_FOR_DIRECTIVE   = 25,
  69   };
  70
  71   /**
  72    * Accessor method for a read-only string version of the policy at a given
  73    * index.
  74    */
  75   [binaryname(GetPolicyString)] AString getPolicy(in unsigned long index);
  76
  77   /**
  78    * Accessor method for a read-only pointer the policy object at a given
  79    * index. Returns a null pointer if the index is larger than the current
  80    * policy count.
  81    */
  82   [noscript,notxpcom,nostdcall] CSPPolicyPtr GetPolicy(in unsigned long index);
  83
  84   /**
  85    * Returns the number of policies attached to this CSP instance.  Useful with
  86    * getPolicy().
  87    */
  88   readonly attribute unsigned long policyCount;
  89
  90   /**
  91    * Returns whether this policy uses the directive upgrade-insecure-requests.
  92    * Please note that upgrade-insecure-reqeusts also applies if the parent or
  93    * including document (context) makes use of the directive.
  94    */
  95   readonly attribute boolean upgradeInsecureRequests;
  96
  97   /**
  98    * Returns whether this policy uses the directive block-all-mixed-content.
  99    * Please note that block-all-mixed-content takes presedence in case the
 100    * directive upgrade-insecure-requests is defined in the same policy and
 101    * will therefore block all mixed content without even trying to perform
 102    * an upgrade.
 103    */
 104   readonly attribute boolean blockAllMixedContent;
 105
 106   /**
 107    * Returns whether this policy enforces the frame-ancestors directive.
 108    */
 109   readonly attribute boolean enforcesFrameAncestors;
 110
 111   /**
 112    * Parse and install a CSP policy.
 113    * @param aPolicy
 114    *        String representation of the policy
 115    *        (e.g., header value, meta content)
 116    * @param reportOnly
 117    *        Should this policy affect content, script and style processing or
 118    *        just send reports if it is violated?
 119    * @param deliveredViaMetaTag
 120    *        Indicates whether the policy was delivered via the meta tag.
 121    */
 122   void appendPolicy(in AString policyString,
 123                     in boolean reportOnly,
 124                     in boolean deliveredViaMetaTag);
 125
 126   /*
 127    * Whether this policy allows inline script or style.
 128    * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or
 129    *                           STYLE_SRC_(ELEM|ATTR)_DIRECTIVE.
 130    * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is
 131    *                       also specified.
 132    * @param aNonce The nonce string to check against the policy.
 133    * @param aParserCreated If the script element was created by the HTML Parser
 134    * @param aTriggeringElement The script element of the inline resource to
 135    *        hash. It can be null.
 136    * @param aContentOfPseudoScript The content of the psuedo-script to compare
 137    *                               to hash (and compare to the hashes listed in
 138    *                               the policy)
 139    * @param aLineNumber The line number of the inline resource
 140    *        (used for reporting)
 141    * @param aColumnNumber The column number of the inline resource
 142    *        (used for reporting)
 143    * @return
 144    *     Whether or not the effects of the inline style should be allowed
 145    *     (block the rules if false).
 146    */
 147   boolean getAllowsInline(in nsIContentSecurityPolicy_CSPDirective aDirective,
 148                           in boolean aHasUnsafeHash,
 149                           in AString aNonce,
 150                           in boolean aParserCreated,
 151                           in Element aTriggeringElement,
 152                           in nsICSPEventListener aCSPEventListener,
 153                           in AString aContentOfPseudoScript,
 154                           in unsigned long aLineNumber,
 155                           in unsigned long aColumnNumber);
 156
 157   /**
 158    * Whether this policy allows eval and eval-like functions
 159    * such as setTimeout("code string", time).
 160    * @param shouldReportViolations
 161    *     Whether or not the use of eval should be reported.
 162    *     This function returns "true" when violating report-only policies, but
 163    *     when any policy (report-only or otherwise) is violated,
 164    *     shouldReportViolations is true as well.
 165    * @return
 166    *     Whether or not the effects of the eval call should be allowed
 167    *     (block the call if false).
 168    */
 169   boolean getAllowsEval(out boolean shouldReportViolations);
 170
 171   /**
 172    * Whether this policy allows the evaluation (and compilation) of
 173    * WASM code from functions like `WebAssembly.compile`.
 174   * @param shouldReportViolations
 175    *     Whether or not the use of WASM evaluation should be reported.
 176    *     This function returns "true" when violating report-only policies, but
 177    *     when any policy (report-only or otherwise) is violated,
 178    *     shouldReportViolations is true as well.
 179    * @return
 180    *     Whether or not the effects of the WASM evaluation should be allowed
 181    *     (block the call if false).
 182    */
 183   boolean getAllowsWasmEval(out boolean shouldReportViolations);
 184
 185   /**
 186    * Delegate method called by the service when the protected document is loaded.
 187    * Returns the union of all the sandbox flags contained in CSP policies. This is the most
 188    * restrictive interpretation of flags set in multiple policies.
 189    * See nsSandboxFlags.h for the possible flags.
 190    *
 191    * @return
 192    *    sandbox flags or SANDBOXED_NONE if no sandbox directive exists
 193    */
 194   uint32_t getCSPSandboxFlags();
 195
 196   /**
 197    * For each violated policy (of type violationType), log policy violation on
 198    * the Error Console and send a report to report-uris present in the violated
 199    * policies.
 200    *
 201    * @param violationType
 202    *     one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
 203    * @param triggeringElement
 204    *     the element that triggers this CSP violation. It can be null.
 205    * @param sourceFile
 206    *     name of the source file containing the violation (if available)
 207    * @param contentSample
 208    *     sample of the violating content (to aid debugging)
 209    * @param lineNum
 210    *     source line number of the violation (if available)
 211    * @param columnNum
 212    *     source column number of the violation (if available)
 213    * @param aNonce
 214    *     (optional) If this is a nonce violation, include the nonce so we can
 215    *     recheck to determine which policies were violated and send the
 216    *     appropriate reports.
 217    * @param aContent
 218    *     (optional) If this is a hash violation, include contents of the inline
 219    *     resource in the question so we can recheck the hash in order to
 220    *     determine which policies were violated and send the appropriate
 221    *     reports.
 222    */
 223   void logViolationDetails(in unsigned short violationType,
 224                            in Element triggeringElement,
 225                            in nsICSPEventListener aCSPEventListener,
 226                            in AString sourceFile,
 227                            in AString scriptSample,
 228                            in int32_t lineNum,
 229                            in int32_t columnNum,
 230                            [optional] in AString nonce,
 231                            [optional] in AString content);
 232
 233   const unsigned short VIOLATION_TYPE_EVAL                   = 1;
 234   const unsigned short VIOLATION_TYPE_WASM_EVAL              = 2;
 235
 236   /**
 237    * Called after the CSP object is created to fill in appropriate request
 238    * context. Either use
 239    *  * aDocument (preferred), or if no document is available, then provide
 240    *  * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly.
 241    */
 242   [must_use] void setRequestContextWithDocument(in Document aDocument);
 243   [must_use] void setRequestContextWithPrincipal(in nsIPrincipal aRequestPrincipal,
 244                                                  in nsIURI aSelfURI,
 245                                                  in ACString aReferrer,
 246                                                  in unsigned long long aInnerWindowId);
 247
 248   /**
 249    * Get the various arguments needed to create a new request context for a CSP.
 250    */
 251   [noscript, notxpcom, nostdcall] readonly attribute nsIPrincipal requestPrincipal;
 252   [noscript, notxpcom, nostdcall] readonly attribute nsIURI selfURI;
 253   [noscript] readonly attribute ACString referrer;
 254   [noscript, notxpcom, nostdcall] readonly attribute unsigned long long innerWindowID;
 255
 256   /**
 257    * Warning: Do not set that attribute unless you know exactly what you are doing!
 258    *
 259    * Primarily used to allow Devtools to edit inline styles!
 260    */
 261   [noscript, notxpcom, nostdcall] attribute boolean skipAllowInlineStyleCheck;
 262
 263   /**
 264    *  Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable
 265    */
 266   [noscript] void ensureEventTarget(in nsIEventTarget aEventTarget);
 267
 268
 269   /**
 270    * Verifies ancestry as permitted by the policy.
 271    *
 272    * NOTE: Calls to this may trigger violation reports when queried, so this
 273    * value should not be cached.
 274    *
 275    * @param aLoadInfo
 276    *    The loadinfo of the channel containing the protected resource
 277    * @return
 278    *    true if the frame's ancestors are all allowed by policy (except for
 279    *    report-only policies, which will send reports and then return true
 280    *    here when violated).
 281    */
 282   boolean permitsAncestry(in nsILoadInfo aLoadInfo);
 283
 284
 285   /**
 286    * Checks if a specific directive permits loading of a URI.
 287    *
 288    * @param aTriggeringElement
 289    *    The element that triggers this CSP check. It can be null.
 290    * @param aURI
 291    *    The URI about to be loaded or used.
 292    * @param aDir
 293    *    The CSPDirective to query (see above constants *_DIRECTIVE).
 294    * @param aSpecific
 295    *    If "true" and the directive is specified to fall back to "default-src"
 296    *    when it's not explicitly provided, directivePermits will NOT try
 297    *    default-src when the specific directive is not used.  Setting this to
 298    *    "false" allows CSP to fall back to default-src.  This function
 299    *    behaves the same for both values of canUseDefault when querying
 300    *    directives that don't fall-back.
 301    * @param aSendViolationReports
 302    *    If `true` and the uri is not allowed then trigger violation reports.
 303    *    This should be `false` for caching or preloads.
 304    * @return
 305    *    Whether or not the provided URI is allowed by CSP under the given
 306    *    directive. (block the pending operation if false).
 307    */
 308   boolean permits(in Element aTriggeringElement,
 309                   in nsICSPEventListener aCSPEventListener,
 310                   in nsIURI aURI,
 311                   in nsIContentSecurityPolicy_CSPDirective aDir,
 312                   in boolean aSpecific,
 313                   in boolean aSendViolationReports);
 314
 315   /**
 316    * Delegate method called by the service when sub-elements of the protected
 317    * document are being loaded.  Given a bit of information about the request,
 318    * decides whether or not the policy is satisfied.
 319    *
 320    * Calls to this may trigger violation reports when queried, so
 321    * this value should not be cached.
 322    *
 323    * aOriginalURIIfRedirect must be passed only if this loading is the result
 324    * of a redirect. In this case, aOriginalURIIfRedirect must be the original
 325    * URL.
 326    */
 327   short shouldLoad(in nsContentPolicyType aContentType,
 328                    in nsICSPEventListener aCSPEventListener,
 329                    in nsILoadInfo     aLoadInfo,
 330                    in nsIURI          aContentLocation,
 331                    in nsIURI          aOriginalURIIfRedirect,
 332                    in boolean         aSendViolationReports);
 333
 334 %{ C++
 335 // nsIObserver topic to fire when the policy encounters a violation.
 336 #define CSP_VIOLATION_TOPIC "csp-on-violate-policy"
 337 %}
 338
 339   /**
 340    * Returns the CSP in JSON notation.
 341    */
 342   AString toJSON();
 343
 344   /**
 345    * Ensure policies from IPC are read/parsed.
 346    */
 347   [noscript] void EnsureIPCPoliciesRead();
 348
 349 };
 350
 351 typedef nsIContentSecurityPolicy_CSPDirective CSPDirective;
 352
 353 /* Listener for security policy violation event */
 354 [function, scriptable, uuid(c3163b14-3a8f-46dd-a4af-bd04680364cd)]
 355 interface nsICSPEventListener : nsISupports
 356 {
 357   // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary.
 358   void onCSPViolationEvent(in AString aJSON);
 359 };