1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 #include
"nsISerializable.idl"
6 #include
"nsIContentPolicy.idl"
9 interface nsIEventTarget
;
10 interface nsILoadInfo
;
11 interface nsIPrincipal
;
12 interface nsICSPEventListener
;
18 * nsIContentSecurityPolicy
19 * Describes an XPCOM component used to model and enforce CSPs. Instances of
20 * this class may have multiple policies within them, but there should only be
21 * one of these per document/principal.
28 [ptr] native CSPPolicyPtr
(const nsCSPPolicy
);
30 [scriptable
, builtinclass
, uuid(1d632008
-6c97
-48ae
-a51c
-16e2daa0f4f6
)]
31 interface nsIContentSecurityPolicy
: nsISerializable
34 * Directives supported by Content Security Policy. These are enums for
35 * the CSPDirective type.
36 * The NO_DIRECTIVE entry is used for checking default permissions and
37 * returning failure when asking CSP which directive to check.
39 * NOTE: When implementing a new directive, you will need to add it here but also
40 * add it to the CSPStrDirectives array in nsCSPUtils.h.
42 cenum CSPDirective
: 8 {
44 DEFAULT_SRC_DIRECTIVE
= 1,
45 SCRIPT_SRC_DIRECTIVE
= 2,
46 OBJECT_SRC_DIRECTIVE
= 3,
47 STYLE_SRC_DIRECTIVE
= 4,
48 IMG_SRC_DIRECTIVE
= 5,
49 MEDIA_SRC_DIRECTIVE
= 6,
50 FRAME_SRC_DIRECTIVE
= 7,
51 FONT_SRC_DIRECTIVE
= 8,
52 CONNECT_SRC_DIRECTIVE
= 9,
53 REPORT_URI_DIRECTIVE
= 10,
54 FRAME_ANCESTORS_DIRECTIVE
= 11,
55 REFLECTED_XSS_DIRECTIVE
= 12,
56 BASE_URI_DIRECTIVE
= 13,
57 FORM_ACTION_DIRECTIVE
= 14,
58 WEB_MANIFEST_SRC_DIRECTIVE
= 15,
59 UPGRADE_IF_INSECURE_DIRECTIVE
= 16,
60 CHILD_SRC_DIRECTIVE
= 17,
61 BLOCK_ALL_MIXED_CONTENT
= 18,
62 SANDBOX_DIRECTIVE
= 19,
63 WORKER_SRC_DIRECTIVE
= 20,
64 SCRIPT_SRC_ELEM_DIRECTIVE
= 21,
65 SCRIPT_SRC_ATTR_DIRECTIVE
= 22,
66 STYLE_SRC_ELEM_DIRECTIVE
= 23,
67 STYLE_SRC_ATTR_DIRECTIVE
= 24,
68 REQUIRE_TRUSTED_TYPES_FOR_DIRECTIVE
= 25,
72 * Accessor method for a read-only string version of the policy at a given
75 [binaryname
(GetPolicyString
)] AString getPolicy
(in unsigned long index
);
78 * Accessor method for a read-only pointer the policy object at a given
79 * index. Returns a null pointer if the index is larger than the current
82 [noscript
,notxpcom
,nostdcall
] CSPPolicyPtr GetPolicy
(in unsigned long index
);
85 * Returns the number of policies attached to this CSP instance. Useful with
88 readonly attribute
unsigned long policyCount
;
91 * Returns whether this policy uses the directive upgrade-insecure-requests.
92 * Please note that upgrade-insecure-reqeusts also applies if the parent or
93 * including document (context) makes use of the directive.
95 readonly attribute
boolean upgradeInsecureRequests
;
98 * Returns whether this policy uses the directive block-all-mixed-content.
99 * Please note that block-all-mixed-content takes presedence in case the
100 * directive upgrade-insecure-requests is defined in the same policy and
101 * will therefore block all mixed content without even trying to perform
104 readonly attribute
boolean blockAllMixedContent
;
107 * Returns whether this policy enforces the frame-ancestors directive.
109 readonly attribute
boolean enforcesFrameAncestors
;
112 * Parse and install a CSP policy.
114 * String representation of the policy
115 * (e.g., header value, meta content)
117 * Should this policy affect content, script and style processing or
118 * just send reports if it is violated?
119 * @param deliveredViaMetaTag
120 * Indicates whether the policy was delivered via the meta tag.
122 void appendPolicy
(in AString policyString
,
123 in boolean reportOnly
,
124 in boolean deliveredViaMetaTag
);
127 * Whether this policy allows inline script or style.
128 * @param aContentPolicyType Either SCRIPT_SRC_(ELEM|ATTR)_DIRECTIVE or
129 * STYLE_SRC_(ELEM|ATTR)_DIRECTIVE.
130 * @param aHasUnsafeHash Only hash this when the 'unsafe-hashes' directive is
132 * @param aNonce The nonce string to check against the policy.
133 * @param aParserCreated If the script element was created by the HTML Parser
134 * @param aTriggeringElement The script element of the inline resource to
135 * hash. It can be null.
136 * @param aContentOfPseudoScript The content of the psuedo-script to compare
137 * to hash (and compare to the hashes listed in
139 * @param aLineNumber The line number of the inline resource
140 * (used for reporting)
141 * @param aColumnNumber The column number of the inline resource
142 * (used for reporting)
144 * Whether or not the effects of the inline style should be allowed
145 * (block the rules if false).
147 boolean getAllowsInline
(in nsIContentSecurityPolicy_CSPDirective aDirective
,
148 in boolean aHasUnsafeHash
,
150 in boolean aParserCreated
,
151 in Element aTriggeringElement
,
152 in nsICSPEventListener aCSPEventListener
,
153 in AString aContentOfPseudoScript
,
154 in unsigned long aLineNumber
,
155 in unsigned long aColumnNumber
);
158 * Whether this policy allows eval and eval-like functions
159 * such as setTimeout("code string", time).
160 * @param shouldReportViolations
161 * Whether or not the use of eval should be reported.
162 * This function returns "true" when violating report-only policies, but
163 * when any policy (report-only or otherwise) is violated,
164 * shouldReportViolations is true as well.
166 * Whether or not the effects of the eval call should be allowed
167 * (block the call if false).
169 boolean getAllowsEval
(out boolean shouldReportViolations
);
172 * Whether this policy allows the evaluation (and compilation) of
173 * WASM code from functions like `WebAssembly.compile`.
174 * @param shouldReportViolations
175 * Whether or not the use of WASM evaluation should be reported.
176 * This function returns "true" when violating report-only policies, but
177 * when any policy (report-only or otherwise) is violated,
178 * shouldReportViolations is true as well.
180 * Whether or not the effects of the WASM evaluation should be allowed
181 * (block the call if false).
183 boolean getAllowsWasmEval
(out boolean shouldReportViolations
);
186 * Delegate method called by the service when the protected document is loaded.
187 * Returns the union of all the sandbox flags contained in CSP policies. This is the most
188 * restrictive interpretation of flags set in multiple policies.
189 * See nsSandboxFlags.h for the possible flags.
192 * sandbox flags or SANDBOXED_NONE if no sandbox directive exists
194 uint32_t getCSPSandboxFlags
();
197 * For each violated policy (of type violationType), log policy violation on
198 * the Error Console and send a report to report-uris present in the violated
201 * @param violationType
202 * one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
203 * @param triggeringElement
204 * the element that triggers this CSP violation. It can be null.
206 * name of the source file containing the violation (if available)
207 * @param contentSample
208 * sample of the violating content (to aid debugging)
210 * source line number of the violation (if available)
212 * source column number of the violation (if available)
214 * (optional) If this is a nonce violation, include the nonce so we can
215 * recheck to determine which policies were violated and send the
216 * appropriate reports.
218 * (optional) If this is a hash violation, include contents of the inline
219 * resource in the question so we can recheck the hash in order to
220 * determine which policies were violated and send the appropriate
223 void logViolationDetails
(in unsigned short violationType
,
224 in Element triggeringElement
,
225 in nsICSPEventListener aCSPEventListener
,
226 in AString sourceFile
,
227 in AString scriptSample
,
229 in int32_t columnNum
,
230 [optional] in AString nonce
,
231 [optional] in AString content
);
233 const unsigned short VIOLATION_TYPE_EVAL
= 1;
234 const unsigned short VIOLATION_TYPE_WASM_EVAL
= 2;
237 * Called after the CSP object is created to fill in appropriate request
238 * context. Either use
239 * * aDocument (preferred), or if no document is available, then provide
240 * * aPrincipal, aSelfURI, aReferrer, aInnerWindowId explicitly.
242 [must_use
] void setRequestContextWithDocument
(in Document aDocument
);
243 [must_use
] void setRequestContextWithPrincipal
(in nsIPrincipal aRequestPrincipal
,
245 in ACString aReferrer
,
246 in unsigned long long aInnerWindowId
);
249 * Get the various arguments needed to create a new request context for a CSP.
251 [noscript
, notxpcom
, nostdcall
] readonly attribute nsIPrincipal requestPrincipal
;
252 [noscript
, notxpcom
, nostdcall
] readonly attribute nsIURI selfURI
;
253 [noscript
] readonly attribute ACString referrer
;
254 [noscript
, notxpcom
, nostdcall
] readonly attribute
unsigned long long innerWindowID
;
257 * Warning: Do not set that attribute unless you know exactly what you are doing!
259 * Primarily used to allow Devtools to edit inline styles!
261 [noscript
, notxpcom
, nostdcall
] attribute
boolean skipAllowInlineStyleCheck
;
264 * Ensure we have a nsIEventTarget to use to label CSPReportSenderRunnable
266 [noscript
] void ensureEventTarget
(in nsIEventTarget aEventTarget
);
270 * Verifies ancestry as permitted by the policy.
272 * NOTE: Calls to this may trigger violation reports when queried, so this
273 * value should not be cached.
276 * The loadinfo of the channel containing the protected resource
278 * true if the frame's ancestors are all allowed by policy (except for
279 * report-only policies, which will send reports and then return true
280 * here when violated).
282 boolean permitsAncestry
(in nsILoadInfo aLoadInfo
);
286 * Checks if a specific directive permits loading of a URI.
288 * @param aTriggeringElement
289 * The element that triggers this CSP check. It can be null.
291 * The URI about to be loaded or used.
293 * The CSPDirective to query (see above constants *_DIRECTIVE).
295 * If "true" and the directive is specified to fall back to "default-src"
296 * when it's not explicitly provided, directivePermits will NOT try
297 * default-src when the specific directive is not used. Setting this to
298 * "false" allows CSP to fall back to default-src. This function
299 * behaves the same for both values of canUseDefault when querying
300 * directives that don't fall-back.
301 * @param aSendViolationReports
302 * If `true` and the uri is not allowed then trigger violation reports.
303 * This should be `false` for caching or preloads.
305 * Whether or not the provided URI is allowed by CSP under the given
306 * directive. (block the pending operation if false).
308 boolean permits
(in Element aTriggeringElement
,
309 in nsICSPEventListener aCSPEventListener
,
311 in nsIContentSecurityPolicy_CSPDirective aDir
,
312 in boolean aSpecific
,
313 in boolean aSendViolationReports
);
316 * Delegate method called by the service when sub-elements of the protected
317 * document are being loaded. Given a bit of information about the request,
318 * decides whether or not the policy is satisfied.
320 * Calls to this may trigger violation reports when queried, so
321 * this value should not be cached.
323 * aOriginalURIIfRedirect must be passed only if this loading is the result
324 * of a redirect. In this case, aOriginalURIIfRedirect must be the original
327 short shouldLoad
(in nsContentPolicyType aContentType
,
328 in nsICSPEventListener aCSPEventListener
,
329 in nsILoadInfo aLoadInfo
,
330 in nsIURI aContentLocation
,
331 in nsIURI aOriginalURIIfRedirect
,
332 in boolean aSendViolationReports
);
335 // nsIObserver topic to fire when the policy encounters a violation.
336 #define CSP_VIOLATION_TOPIC
"csp-on-violate-policy"
340 * Returns the CSP in JSON notation.
345 * Ensure policies from IPC are read/parsed.
347 [noscript
] void EnsureIPCPoliciesRead
();
351 typedef nsIContentSecurityPolicy_CSPDirective CSPDirective
;
353 /* Listener for security policy violation event */
354 [function
, scriptable
, uuid(c3163b14
-3a8f
-46dd
-a4af
-bd04680364cd
)]
355 interface nsICSPEventListener
: nsISupports
357 // aJSON is the JSON format of SecurityPolicyViolationEventInit dictionary.
358 void onCSPViolationEvent
(in AString aJSON
);