mirror of
https://github.com/mozilla/gecko-dev.git
synced 2025-01-13 07:24:47 +00:00
93808be553
Note that this patch changes the semantics of javascript.enabled so that changes to the pref do not apply to compartments that have already been created. This is a significant change, but is necessary to support the new domain policy API. After one cycle or so, we'll rip out the old API.
260 lines
10 KiB
Plaintext
260 lines
10 KiB
Plaintext
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "nsISupports.idl"
|
|
#include "nsIPrincipal.idl"
|
|
#include "nsIXPCSecurityManager.idl"
|
|
interface nsIURI;
|
|
interface nsIChannel;
|
|
interface nsIDocShell;
|
|
interface nsIDomainPolicy;
|
|
|
|
[scriptable, uuid(2911ae60-1b5f-47e6-941e-1bb7b53a167d)]
|
|
interface nsIScriptSecurityManager : nsIXPCSecurityManager
|
|
{
|
|
///////////////// Security Checks //////////////////
|
|
/**
|
|
* Checks whether the running script is allowed to access aProperty.
|
|
*/
|
|
[noscript] void checkPropertyAccess(in JSContextPtr aJSContext,
|
|
in JSObjectPtr aJSObject,
|
|
in string aClassName,
|
|
in jsid aProperty,
|
|
in uint32_t aAction);
|
|
|
|
/**
|
|
* Check that the script currently running in context "cx" can load "uri".
|
|
*
|
|
* Will return error code NS_ERROR_DOM_BAD_URI if the load request
|
|
* should be denied.
|
|
*
|
|
* @param cx the JSContext of the script causing the load
|
|
* @param uri the URI that is being loaded
|
|
*/
|
|
[noscript] void checkLoadURIFromScript(in JSContextPtr cx, in nsIURI uri);
|
|
|
|
/**
|
|
* Default CheckLoadURI permissions
|
|
*/
|
|
// Default permissions
|
|
const unsigned long STANDARD = 0;
|
|
|
|
// Indicate that the load is a load of a new document that is not
|
|
// user-triggered. Here "user-triggered" could be broadly interpreted --
|
|
// for example, scripted sets of window.location.href might be treated as
|
|
// "user-triggered" in some circumstances. A typical example of a load
|
|
// that is not user-triggered is a <meta> refresh load. If this flag is
|
|
// set, the load will be denied if the originating principal's URI has the
|
|
// nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT flag set.
|
|
const unsigned long LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT = 1 << 0;
|
|
|
|
// Allow the loading of chrome URLs by non-chrome URLs. Use with great
|
|
// care! This will actually allow the loading of any URI which has the
|
|
// nsIProtocolHandler::URI_IS_UI_RESOURCE protocol handler flag set. Ths
|
|
// probably means at least chrome: and resource:.
|
|
const unsigned long ALLOW_CHROME = 1 << 1;
|
|
|
|
// Don't allow URLs which would inherit the caller's principal (such as
|
|
// javascript: or data:) to load. See
|
|
// nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT.
|
|
const unsigned long DISALLOW_INHERIT_PRINCIPAL = 1 << 2;
|
|
|
|
// Alias for DISALLOW_INHERIT_PRINCIPAL for backwards compat with
|
|
// JS-implemented extensions.
|
|
const unsigned long DISALLOW_SCRIPT_OR_DATA = DISALLOW_INHERIT_PRINCIPAL;
|
|
|
|
// Don't allow javascript: URLs to load
|
|
// WARNING: Support for this value was added in Mozilla 1.7.8 and
|
|
// Firefox 1.0.4. Use in prior versions WILL BE IGNORED.
|
|
// When using this, make sure that you actually want DISALLOW_SCRIPT, not
|
|
// DISALLOW_INHERIT_PRINCIPAL
|
|
const unsigned long DISALLOW_SCRIPT = 1 << 3;
|
|
|
|
// Do not report errors if we just want to check if a principal can load
|
|
// a URI to not unnecessarily spam the error console.
|
|
const unsigned long DONT_REPORT_ERRORS = 1 << 4;
|
|
|
|
/**
|
|
* Check that content with principal aPrincipal can load "uri".
|
|
*
|
|
* Will return error code NS_ERROR_DOM_BAD_URI if the load request
|
|
* should be denied.
|
|
*
|
|
* @param aPrincipal the principal identifying the actor causing the load
|
|
* @param uri the URI that is being loaded
|
|
* @param flags the permission set, see above
|
|
*/
|
|
void checkLoadURIWithPrincipal(in nsIPrincipal aPrincipal,
|
|
in nsIURI uri,
|
|
in unsigned long flags);
|
|
|
|
/**
|
|
* Similar to checkLoadURIWithPrincipal but there are two differences:
|
|
*
|
|
* 1) The URI is a string, not a URI object.
|
|
* 2) This function assumes that the URI may still be subject to fixup (and
|
|
* hence will check whether fixed-up versions of the URI are allowed to
|
|
* load as well); if any of the versions of this URI is not allowed, this
|
|
* function will return error code NS_ERROR_DOM_BAD_URI.
|
|
*/
|
|
void checkLoadURIStrWithPrincipal(in nsIPrincipal aPrincipal,
|
|
in AUTF8String uri,
|
|
in unsigned long flags);
|
|
|
|
/**
|
|
* Return true if scripts may be executed in the scope of the given global.
|
|
*/
|
|
[noscript,notxpcom] boolean scriptAllowed(in JSObjectPtr aGlobal);
|
|
|
|
///////////////// Principals ///////////////////////
|
|
/**
|
|
* Return the principal of the innermost frame of the currently
|
|
* executing script. Will return null if there is no script
|
|
* currently executing.
|
|
*/
|
|
[noscript] nsIPrincipal getSubjectPrincipal();
|
|
|
|
/**
|
|
* Return the all-powerful system principal.
|
|
*/
|
|
nsIPrincipal getSystemPrincipal();
|
|
|
|
/**
|
|
* Return a principal that has the same origin as aURI.
|
|
* This principals should not be used for any data/permission check, it will
|
|
* have appId = UNKNOWN_APP_ID.
|
|
*/
|
|
nsIPrincipal getSimpleCodebasePrincipal(in nsIURI aURI);
|
|
|
|
/**
|
|
* Returns a principal that has the given information.
|
|
* @param appId is the app id of the principal. It can't be UNKNOWN_APP_ID.
|
|
* @param inMozBrowser is true if the principal has to be considered as
|
|
* inside a mozbrowser frame.
|
|
*/
|
|
nsIPrincipal getAppCodebasePrincipal(in nsIURI uri,
|
|
in unsigned long appId,
|
|
in boolean inMozBrowser);
|
|
|
|
/**
|
|
* Returns a principal that has the appId and inMozBrowser of the docshell
|
|
* inside a mozbrowser frame.
|
|
* @param docShell to get appId/inMozBrowser from.
|
|
*/
|
|
nsIPrincipal getDocShellCodebasePrincipal(in nsIURI uri,
|
|
in nsIDocShell docShell);
|
|
|
|
/**
|
|
* Returns a principal with that has the same origin as uri and is not part
|
|
* of an appliction.
|
|
* The returned principal will have appId = NO_APP_ID.
|
|
*/
|
|
nsIPrincipal getNoAppCodebasePrincipal(in nsIURI uri);
|
|
|
|
/**
|
|
* Legacy name for getNoAppCodebasePrincipal.
|
|
*
|
|
* @deprecated use getNoAppCodebasePrincipal instead.
|
|
*/
|
|
[deprecated] nsIPrincipal getCodebasePrincipal(in nsIURI uri);
|
|
|
|
///////////////////////
|
|
/**
|
|
* Return the principal of the specified object in the specified context.
|
|
*/
|
|
[noscript] nsIPrincipal getObjectPrincipal(in JSContextPtr cx,
|
|
in JSObjectPtr obj);
|
|
|
|
/**
|
|
* Returns true if the principal of the currently running script is the
|
|
* system principal, false otherwise.
|
|
*/
|
|
[noscript] boolean subjectPrincipalIsSystem();
|
|
|
|
/**
|
|
* Returns OK if aJSContext and target have the same "origin"
|
|
* (scheme, host, and port).
|
|
*/
|
|
[noscript] void checkSameOrigin(in JSContextPtr aJSContext,
|
|
in nsIURI aTargetURI);
|
|
|
|
/**
|
|
* Returns OK if aSourceURI and target have the same "origin"
|
|
* (scheme, host, and port).
|
|
* ReportError flag suppresses error reports for functions that
|
|
* don't need reporting.
|
|
*/
|
|
void checkSameOriginURI(in nsIURI aSourceURI,
|
|
in nsIURI aTargetURI,
|
|
in boolean reportError);
|
|
/**
|
|
* Get the principal for the given channel. This will typically be the
|
|
* channel owner if there is one, and the codebase principal for the
|
|
* channel's URI otherwise. aChannel must not be null.
|
|
*/
|
|
nsIPrincipal getChannelPrincipal(in nsIChannel aChannel);
|
|
|
|
/**
|
|
* Check whether a given principal is a system principal. This allows us
|
|
* to avoid handing back the system principal to script while allowing
|
|
* script to check whether a given principal is system.
|
|
*/
|
|
boolean isSystemPrincipal(in nsIPrincipal aPrincipal);
|
|
%{C++
|
|
bool IsSystemPrincipal(nsIPrincipal* aPrincipal) {
|
|
bool isSystem = false;
|
|
IsSystemPrincipal(aPrincipal, &isSystem);
|
|
return isSystem;
|
|
}
|
|
%}
|
|
|
|
/**
|
|
* Same as getSubjectPrincipal(), only faster. cx must *never* be
|
|
* passed null, and it must be the context on the top of the
|
|
* context stack. Does *not* reference count the returned
|
|
* principal.
|
|
*/
|
|
[noscript,notxpcom] nsIPrincipal getCxSubjectPrincipal(in JSContextPtr cx);
|
|
|
|
const unsigned long NO_APP_ID = 0;
|
|
const unsigned long UNKNOWN_APP_ID = 4294967295; // UINT32_MAX
|
|
const unsigned long SAFEBROWSING_APP_ID = 4294967294; // UINT32_MAX - 1
|
|
|
|
/**
|
|
* Returns the jar prefix for the app.
|
|
* appId can be NO_APP_ID or a valid app id. appId should not be
|
|
* UNKNOWN_APP_ID.
|
|
* inMozBrowser has to be true if the app is inside a mozbrowser iframe.
|
|
*/
|
|
AUTF8String getJarPrefix(in unsigned long appId, in boolean inMozBrowser);
|
|
|
|
/**
|
|
* Per-domain controls to enable and disable script. This system is designed
|
|
* to be used by at most one consumer, and enforces this with its semantics.
|
|
*
|
|
* Initially, domainPolicyActive is false. When activateDomainPolicy() is
|
|
* invoked, domainPolicyActive becomes true, and subsequent calls to
|
|
* activateDomainPolicy() will fail until deactivate() is invoked on the
|
|
* nsIDomainPolicy returned from activateDomainPolicy(). At this point,
|
|
* domainPolicyActive becomes false again, and a new consumer may acquire
|
|
* control of the system by invoking activateDomainPolicy().
|
|
*/
|
|
nsIDomainPolicy activateDomainPolicy();
|
|
readonly attribute boolean domainPolicyActive;
|
|
|
|
/**
|
|
* Query mechanism for the above policy.
|
|
*
|
|
* If domainPolicyEnabled is false, this simply returns the current value
|
|
* of javascript.enabled. Otherwise, it returns the same value, but taking
|
|
* the various blacklist/whitelist exceptions into account.
|
|
*/
|
|
bool policyAllowsScript(in nsIURI aDomain);
|
|
};
|
|
|
|
%{C++
|
|
#define NS_SCRIPTSECURITYMANAGER_CONTRACTID "@mozilla.org/scriptsecuritymanager;1"
|
|
%}
|