mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-02 15:15:23 +00:00
551 lines
20 KiB
Plaintext
551 lines
20 KiB
Plaintext
/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "nsISupports.idl"
|
|
|
|
interface mozIDOMWindowProxy;
|
|
interface nsIDocShell;
|
|
interface nsIContent;
|
|
interface nsIFrameLoader;
|
|
interface nsIPrincipal;
|
|
|
|
/**
|
|
* Message managers provide a way for chrome-privileged JS code to
|
|
* communicate with each other, even across process boundaries.
|
|
*
|
|
* Message managers are separated into "parent side" and "child side".
|
|
* These don't always correspond to process boundaries, but can. For
|
|
* each child-side message manager, there is always exactly one
|
|
* corresponding parent-side message manager that it sends messages
|
|
* to. However, for each parent-side message manager, there may be
|
|
* either one or many child-side managers it can message.
|
|
*
|
|
* Message managers that always have exactly one "other side" are of
|
|
* type nsIMessageSender. Parent-side message managers that have many
|
|
* "other sides" are of type nsIMessageBroadcaster.
|
|
*
|
|
* Child-side message managers can send synchronous messages to their
|
|
* parent side, but not the other way around.
|
|
*
|
|
* There are two realms of message manager hierarchies. One realm
|
|
* approximately corresponds to DOM elements, the other corresponds to
|
|
* process boundaries.
|
|
*
|
|
* Message managers corresponding to DOM elements
|
|
* ==============================================
|
|
*
|
|
* In this realm of message managers, there are
|
|
* - "frame message managers" which correspond to frame elements
|
|
* - "window message managers" which correspond to top-level chrome
|
|
* windows
|
|
* - "group message managers" which correspond to named message
|
|
* managers with a specific window MM as the parent
|
|
* - the "global message manager", on the parent side. See below.
|
|
*
|
|
* The DOM-realm message managers can communicate in the ways shown by
|
|
* the following diagram. The parent side and child side can
|
|
* correspond to process boundaries, but don't always.
|
|
*
|
|
* Parent side Child side
|
|
* ------------- ------------
|
|
* global MMg
|
|
* |
|
|
* +-->window MMw1
|
|
* | |
|
|
* | +-->frame MMp1_1<------------>frame MMc1_1
|
|
* | |
|
|
* | +-->frame MMp1_2<------------>frame MMc1_2
|
|
* | |
|
|
* | +-->group MMgr1
|
|
* | | |
|
|
* | | +-->frame MMp2_1<------->frame MMc2_1
|
|
* | | |
|
|
* | | +-->frame MMp2_2<------->frame MMc2_2
|
|
* | |
|
|
* | +-->group MMgr2
|
|
* | | ...
|
|
* | |
|
|
* | ...
|
|
* |
|
|
* +-->window MMw2
|
|
* ...
|
|
*
|
|
* For example: a message sent from MMc1_1, from the child side, is
|
|
* sent only to MMp1_1 on the parent side. However, note that all
|
|
* message managers in the hierarchy above MMp1_1, in this diagram
|
|
* MMw1 and MMg, will also notify their message listeners when the
|
|
* message arrives.
|
|
*
|
|
* A message sent from MMc2_1 will be sent to MMp2_1 and also notify
|
|
* all message managers in the hierarchy above that, including the
|
|
* group message manager MMgr1.
|
|
|
|
* For example: a message broadcast through the global MMg on the
|
|
* parent side would be broadcast to MMw1, which would transitively
|
|
* broadcast it to MMp1_1, MM1p_2. The message would next be
|
|
* broadcast to MMgr1, which would broadcast it to MMp2_1 and MMp2_2.
|
|
* After that it would broadcast to MMgr2 and then to MMw2, and so
|
|
* on down the hierarchy.
|
|
*
|
|
* ***** PERFORMANCE AND SECURITY WARNING *****
|
|
* Messages broadcast through the global MM and window or group MMs
|
|
* can result in messages being dispatched across many OS processes,
|
|
* and to many processes with different permissions. Great care
|
|
* should be taken when broadcasting.
|
|
*
|
|
* Interfaces
|
|
* ----------
|
|
*
|
|
* The global MMg and window MMw's are message broadcasters implementing
|
|
* nsIMessageBroadcaster while the frame MMp's are simple message senders
|
|
* (nsIMessageSender). Their counterparts in the content processes are
|
|
* message senders implementing nsIContentFrameMessageManager.
|
|
*
|
|
* nsIMessageListenerManager
|
|
* / \
|
|
* nsIMessageSender nsIMessageBroadcaster
|
|
* |
|
|
* nsISyncMessageSender (content process/in-process only)
|
|
* |
|
|
* nsIContentFrameMessageManager (content process/in-process only)
|
|
* |
|
|
* nsIInProcessContentFrameMessageManager (in-process only)
|
|
*
|
|
*
|
|
* Message managers in the chrome process can also be QI'ed to nsIFrameScriptLoader.
|
|
*
|
|
*
|
|
* Message managers corresponding to process boundaries
|
|
* ====================================================
|
|
*
|
|
* The second realm of message managers is the "process message
|
|
* managers". With one exception, these always correspond to process
|
|
* boundaries. The picture looks like
|
|
*
|
|
* Parent process Child processes
|
|
* ---------------- -----------------
|
|
* global (GPPMM)
|
|
* |
|
|
* +-->parent in-process PIPMM<-->child in-process CIPPMM
|
|
* |
|
|
* +-->parent (PPMM1)<------------------>child (CPMM1)
|
|
* |
|
|
* +-->parent (PPMM2)<------------------>child (CPMM2)
|
|
* ...
|
|
*
|
|
* Note, PIPMM and CIPPMM both run in the parent process.
|
|
*
|
|
* For example: the parent-process PPMM1 sends messages to the
|
|
* child-process CPMM1.
|
|
*
|
|
* For example: CPMM1 sends messages directly to PPMM1. The global GPPMM
|
|
* will also notify their message listeners when the message arrives.
|
|
*
|
|
* For example: messages sent through the global GPPMM will be
|
|
* dispatched to the listeners of the same-process, CIPPMM, CPMM1,
|
|
* CPMM2, etc.
|
|
*
|
|
* ***** PERFORMANCE AND SECURITY WARNING *****
|
|
* Messages broadcast through the GPPMM can result in messages
|
|
* being dispatched across many OS processes, and to many processes
|
|
* with different permissions. Great care should be taken when
|
|
* broadcasting.
|
|
*
|
|
* Requests sent to parent-process message listeners should usually
|
|
* have replies scoped to the requesting CPMM. The following pattern
|
|
* is common
|
|
*
|
|
* const ParentProcessListener = {
|
|
* receiveMessage: function(aMessage) {
|
|
* let childMM = aMessage.target.QueryInterface(Ci.nsIMessageSender);
|
|
* switch (aMessage.name) {
|
|
* case "Foo:Request":
|
|
* // service request
|
|
* childMM.sendAsyncMessage("Foo:Response", { data });
|
|
* }
|
|
* }
|
|
* };
|
|
*/
|
|
|
|
[scriptable, function, uuid(2b44eb57-a9c6-4773-9a1e-fe0818739a4c)]
|
|
interface nsIMessageListener : nsISupports
|
|
{
|
|
/**
|
|
* This is for JS only.
|
|
* receiveMessage is called with one parameter, which has the following
|
|
* properties:
|
|
* {
|
|
* target: %the target of the message. Either an element owning
|
|
* the message manager, or message manager itself if no
|
|
* element owns it%
|
|
* name: %message name%,
|
|
* sync: %true or false%.
|
|
* data: %structured clone of the sent message data%,
|
|
* json: %same as .data, deprecated%,
|
|
* objects: %named table of jsvals/objects, or null%
|
|
* principal: %principal for the window app
|
|
* }
|
|
*
|
|
* Each listener is invoked with its own copy of the message
|
|
* parameter.
|
|
*
|
|
* When the listener is called, 'this' value is the target of the message.
|
|
*
|
|
* If the message is synchronous, the possible return value is
|
|
* returned as JSON (will be changed to use structured clones).
|
|
* When there are multiple listeners to sync messages, each
|
|
* listener's return value is sent back as an array. |undefined|
|
|
* return values show up as undefined values in the array.
|
|
*/
|
|
void receiveMessage();
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(b949bfec-bb7d-47bc-b387-ac6a9b655072)]
|
|
interface nsIMessageListenerManager : nsISupports
|
|
{
|
|
/**
|
|
* Register |listener| to receive |messageName|. All listener
|
|
* callbacks for a particular message are invoked when that message
|
|
* is received.
|
|
*
|
|
* The message manager holds a strong ref to |listener|.
|
|
*
|
|
* If the same listener registers twice for the same message, the
|
|
* second registration is ignored.
|
|
*
|
|
* Pass true for listenWhenClosed if you want to receive messages
|
|
* during the short period after a frame has been removed from the
|
|
* DOM and before its frame script has finished unloading. This
|
|
* parameter only has an effect for frame message managers in
|
|
* the main process. Default is false.
|
|
*/
|
|
void addMessageListener(in AString messageName,
|
|
in nsIMessageListener listener,
|
|
[optional] in boolean listenWhenClosed);
|
|
|
|
/**
|
|
* Undo an |addMessageListener| call -- that is, calling this causes us to no
|
|
* longer invoke |listener| when |messageName| is received.
|
|
*
|
|
* removeMessageListener does not remove a message listener added via
|
|
* addWeakMessageListener; use removeWeakMessageListener for that.
|
|
*/
|
|
void removeMessageListener(in AString messageName,
|
|
in nsIMessageListener listener);
|
|
|
|
/**
|
|
* This is just like addMessageListener, except the message manager holds a
|
|
* weak ref to |listener|.
|
|
*
|
|
* If you have two weak message listeners for the same message, they may be
|
|
* called in any order.
|
|
*/
|
|
void addWeakMessageListener(in AString messageName,
|
|
in nsIMessageListener listener);
|
|
|
|
/**
|
|
* This undoes an |addWeakMessageListener| call.
|
|
*/
|
|
void removeWeakMessageListener(in AString messageName,
|
|
in nsIMessageListener listener);
|
|
|
|
[notxpcom] boolean markForCC();
|
|
};
|
|
|
|
/**
|
|
* Message "senders" have a single "other side" to which messages are
|
|
* sent. For example, a child-process message manager will send
|
|
* messages that are only delivered to its one parent-process message
|
|
* manager.
|
|
*/
|
|
[scriptable, builtinclass, uuid(bb5d79e4-e73c-45e7-9651-4d718f4b994c)]
|
|
interface nsIMessageSender : nsIMessageListenerManager
|
|
{
|
|
/**
|
|
* Send |messageName| and |obj| to the "other side" of this message
|
|
* manager. This invokes listeners who registered for
|
|
* |messageName|.
|
|
*
|
|
* See nsIMessageListener::receiveMessage() for the format of the
|
|
* data delivered to listeners.
|
|
* @throws NS_ERROR_NOT_INITIALIZED if the sender is not initialized. For
|
|
* example, we will throw NS_ERROR_NOT_INITIALIZED if we try to send
|
|
* a message to a cross-process frame but the other process has not
|
|
* yet been set up.
|
|
* @throws NS_ERROR_FAILURE when the message receiver cannot be found. For
|
|
* example, we will throw NS_ERROR_FAILURE if we try to send a message
|
|
* to a cross-process frame whose process has crashed.
|
|
*/
|
|
[implicit_jscontext, optional_argc]
|
|
void sendAsyncMessage([optional] in AString messageName,
|
|
[optional] in jsval obj,
|
|
[optional] in jsval objects,
|
|
[optional] in nsIPrincipal principal,
|
|
[optional] in jsval transfers);
|
|
|
|
/**
|
|
* For remote browsers there is always a corresponding process message
|
|
* manager. The intention of this attribute is to link leaf level frame
|
|
* message managers on the parent side with the corresponding process
|
|
* message managers (if there is one). For any other cases this property
|
|
* is null.
|
|
*/
|
|
readonly attribute nsIMessageSender processMessageManager;
|
|
};
|
|
|
|
/**
|
|
* Message "broadcasters" don't have a single "other side" that they
|
|
* send messages to, but rather a set of subordinate message managers.
|
|
* For example, broadcasting a message through a window message
|
|
* manager will broadcast the message to all frame message managers
|
|
* within its window.
|
|
*/
|
|
[scriptable, builtinclass, uuid(4d7d62ad-4725-4f39-86cf-8fb22bf9c1d8)]
|
|
interface nsIMessageBroadcaster : nsIMessageListenerManager
|
|
{
|
|
/**
|
|
* Like |sendAsyncMessage()|, but also broadcasts this message to
|
|
* all "child" message managers of this message manager. See long
|
|
* comment above for details.
|
|
*
|
|
* WARNING: broadcasting messages can be very expensive and leak
|
|
* sensitive data. Use with extreme caution.
|
|
*/
|
|
[implicit_jscontext, optional_argc]
|
|
void broadcastAsyncMessage([optional] in AString messageName,
|
|
[optional] in jsval obj,
|
|
[optional] in jsval objects);
|
|
|
|
/**
|
|
* Number of subordinate message managers.
|
|
*/
|
|
readonly attribute unsigned long childCount;
|
|
|
|
/**
|
|
* Return a single subordinate message manager.
|
|
*/
|
|
nsIMessageListenerManager getChildAt(in unsigned long aIndex);
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(0e602c9e-1977-422a-a8e4-fe0d4a4f78d0)]
|
|
interface nsISyncMessageSender : nsIMessageSender
|
|
{
|
|
/**
|
|
* Like |sendAsyncMessage()|, except blocks the sender until all
|
|
* listeners of the message have been invoked. Returns an array
|
|
* containing return values from each listener invoked.
|
|
*/
|
|
[implicit_jscontext, optional_argc]
|
|
jsval sendSyncMessage([optional] in AString messageName,
|
|
[optional] in jsval obj,
|
|
[optional] in jsval objects,
|
|
[optional] in nsIPrincipal principal);
|
|
|
|
/**
|
|
* Like |sendSyncMessage()|, except re-entrant. New RPC messages may be
|
|
* issued even if, earlier on the call stack, we are waiting for a reply
|
|
* to an earlier sendRpcMessage() call.
|
|
*
|
|
* Both sendSyncMessage and sendRpcMessage will block until a reply is
|
|
* received, but they may be temporarily interrupted to process an urgent
|
|
* incoming message (such as a CPOW request).
|
|
*/
|
|
[implicit_jscontext, optional_argc]
|
|
jsval sendRpcMessage([optional] in AString messageName,
|
|
[optional] in jsval obj,
|
|
[optional] in jsval objects,
|
|
[optional] in nsIPrincipal principal);
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(13f3555f-769e-44ea-b607-5239230c3162)]
|
|
interface nsIMessageManagerGlobal : nsISyncMessageSender
|
|
{
|
|
/**
|
|
* Print a string to stdout.
|
|
*/
|
|
void dump(in DOMString aStr);
|
|
|
|
/**
|
|
* If leak detection is enabled, print a note to the leak log that this
|
|
* process will intentionally crash.
|
|
*/
|
|
void privateNoteIntentionalCrash();
|
|
|
|
/**
|
|
* Ascii base64 data to binary data and vice versa
|
|
*/
|
|
DOMString atob(in DOMString aAsciiString);
|
|
DOMString btoa(in DOMString aBase64Data);
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(694e367c-aa25-4446-8499-2c527c4bd838)]
|
|
interface nsIContentFrameMessageManager : nsIMessageManagerGlobal
|
|
{
|
|
/**
|
|
* The current top level window in the frame or null.
|
|
*/
|
|
readonly attribute mozIDOMWindowProxy content;
|
|
|
|
/**
|
|
* The top level docshell or null.
|
|
*/
|
|
readonly attribute nsIDocShell docShell;
|
|
};
|
|
|
|
[uuid(b39a3324-b574-4f85-8cdb-274d04f807ef)]
|
|
interface nsIInProcessContentFrameMessageManager : nsIContentFrameMessageManager
|
|
{
|
|
[notxpcom] nsIContent getOwnerContent();
|
|
[notxpcom] void cacheFrameLoader(in nsIFrameLoader aFrameLoader);
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(6d12e467-2446-46db-9965-e4e93cb87ca5)]
|
|
interface nsIContentProcessMessageManager : nsIMessageManagerGlobal
|
|
{
|
|
/**
|
|
* Read out a copy of the object that was initialized in the parent
|
|
* process via nsIProcessScriptLoader.initialProcessData.
|
|
*/
|
|
[implicit_jscontext]
|
|
readonly attribute jsval initialProcessData;
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(bf61446b-ba24-4b1d-88c7-4f94724b9ce1)]
|
|
interface nsIFrameScriptLoader : nsISupports
|
|
{
|
|
/**
|
|
* Load a script in the (remote) frame. aURL must be the absolute URL.
|
|
* data: URLs are also supported. For example data:,dump("foo\n");
|
|
* If aAllowDelayedLoad is true, script will be loaded when the
|
|
* remote frame becomes available. Otherwise the script will be loaded
|
|
* only if the frame is already available.
|
|
*/
|
|
void loadFrameScript(in AString aURL, in boolean aAllowDelayedLoad,
|
|
[optional] in boolean aRunInGlobalScope);
|
|
|
|
/**
|
|
* Removes aURL from the list of scripts which support delayed load.
|
|
*/
|
|
void removeDelayedFrameScript(in AString aURL);
|
|
|
|
/**
|
|
* Returns all delayed scripts that will be loaded once a (remote)
|
|
* frame becomes available. The return value is a list of pairs
|
|
* [<URL>, <WasLoadedInGlobalScope>].
|
|
*/
|
|
[implicit_jscontext]
|
|
jsval getDelayedFrameScripts();
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(7e1e1a20-b24f-11e4-ab27-0800200c9a66)]
|
|
interface nsIProcessScriptLoader : nsISupports
|
|
{
|
|
/**
|
|
* Load a script in the (possibly remote) process. aURL must be the absolute URL.
|
|
* data: URLs are also supported. For example data:,dump("foo\n");
|
|
* If aAllowDelayedLoad is true, script will be loaded when the
|
|
* remote frame becomes available. Otherwise the script will be loaded
|
|
* only if the frame is already available.
|
|
*/
|
|
void loadProcessScript(in AString aURL, in boolean aAllowDelayedLoad);
|
|
|
|
/**
|
|
* Removes aURL from the list of scripts which support delayed load.
|
|
*/
|
|
void removeDelayedProcessScript(in AString aURL);
|
|
|
|
/**
|
|
* Returns all delayed scripts that will be loaded once a (remote)
|
|
* frame becomes available. The return value is a list of URLs.
|
|
*/
|
|
[implicit_jscontext]
|
|
jsval getDelayedProcessScripts();
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(5b390753-abb3-49b0-ae3b-b803dab58144)]
|
|
interface nsIGlobalProcessScriptLoader : nsIProcessScriptLoader
|
|
{
|
|
/**
|
|
* Allows the parent process to set the initial process data for
|
|
* new, not-yet-created child processes. This attribute should only
|
|
* be used by the global parent process message manager. When a new
|
|
* process is created, it gets a copy of this data (via structured
|
|
* cloning). It can access the data via the initialProcessData
|
|
* attribute of its childprocessmessagemanager.
|
|
*
|
|
* This value will always be a JS object. Different users are
|
|
* expected to set properties on this object. The property name
|
|
* should be unique enough that other Gecko consumers won't
|
|
* accidentally choose it.
|
|
*/
|
|
[implicit_jscontext]
|
|
readonly attribute jsval initialProcessData;
|
|
};
|
|
|
|
[scriptable, builtinclass, uuid(637e8538-4f8f-4a3d-8510-e74386233e19)]
|
|
interface nsIProcessChecker : nsISupports
|
|
{
|
|
bool killChild();
|
|
|
|
/**
|
|
* Return true if the "remote" process has |aPermission|. This is
|
|
* intended to be used by JS implementations of cross-process DOM
|
|
* APIs, like so
|
|
*
|
|
* recvFooRequest: function(message) {
|
|
* if (!message.target.assertPermission("foo")) {
|
|
* return false;
|
|
* }
|
|
* // service foo request
|
|
*
|
|
* This interface only returns meaningful data when our content is
|
|
* in a separate process. If it shares the same OS process as us,
|
|
* then applying this permission check doesn't add any security,
|
|
* though it doesn't hurt anything either.
|
|
*
|
|
* Note: If the remote content process does *not* have |aPermission|,
|
|
* it will be killed as a precaution.
|
|
*/
|
|
boolean assertPermission(in DOMString aPermission);
|
|
|
|
/**
|
|
* Return true if the "remote" process has |aManifestURL|. This is
|
|
* intended to be used by JS implementations of cross-process DOM
|
|
* APIs, like so
|
|
*
|
|
* recvFooRequest: function(message) {
|
|
* if (!message.target.assertContainApp("foo")) {
|
|
* return false;
|
|
* }
|
|
* // service foo request
|
|
*
|
|
* This interface only returns meaningful data when our content is
|
|
* in a separate process. If it shares the same OS process as us,
|
|
* then applying this manifest URL check doesn't add any security,
|
|
* though it doesn't hurt anything either.
|
|
*
|
|
* Note: If the remote content process does *not* contain |aManifestURL|,
|
|
* it will be killed as a precaution.
|
|
*/
|
|
boolean assertContainApp(in DOMString aManifestURL);
|
|
|
|
boolean assertAppHasPermission(in DOMString aPermission);
|
|
|
|
/**
|
|
* Return true if the "remote" process' principal has an appStatus equal to
|
|
* |aStatus|.
|
|
*
|
|
* This interface only returns meaningful data when our content is
|
|
* in a separate process. If it shares the same OS process as us,
|
|
* then applying this permission check doesn't add any security,
|
|
* though it doesn't hurt anything either.
|
|
*
|
|
* Note: If the remote content process does *not* has the |aStatus|,
|
|
* it will be killed as a precaution.
|
|
*/
|
|
boolean assertAppHasStatus(in unsigned short aStatus);
|
|
|
|
};
|