mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-12-12 00:50:40 +00:00
fa06a45b28
Before this change, the trusted URI schemes, based on a string whitelist, were: https, file, resource, app, moz-extension and wss. This change removes "app" from the list (since we don't implement it), and adds "about" to the list (because we control the delivery of that).
340 lines
13 KiB
Plaintext
340 lines
13 KiB
Plaintext
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
#include "nsISupports.idl"
|
|
|
|
%{C++
|
|
#include "nsCOMPtr.h"
|
|
|
|
/**
|
|
* Protocol handlers are registered with XPCOM under the following CONTRACTID prefix:
|
|
*/
|
|
#define NS_NETWORK_PROTOCOL_CONTRACTID_PREFIX "@mozilla.org/network/protocol;1?name="
|
|
/**
|
|
* For example, "@mozilla.org/network/protocol;1?name=http"
|
|
*/
|
|
|
|
#if defined(MOZ_THUNDERBIRD) || defined(MOZ_SUITE)
|
|
#define IS_ORIGIN_IS_FULL_SPEC_DEFINED 1
|
|
#endif
|
|
%}
|
|
|
|
interface nsIURI;
|
|
interface nsIChannel;
|
|
interface nsILoadInfo;
|
|
|
|
/**
|
|
* nsIProtocolHandlerWithDynamicFlags
|
|
*
|
|
* Protocols that wish to return different flags depending on the URI should
|
|
* implement this interface.
|
|
*/
|
|
[scriptable, builtinclass, uuid(65a8e823-0591-4fc0-a56a-03265e0a4ce8)]
|
|
interface nsIProtocolHandlerWithDynamicFlags : nsISupports
|
|
{
|
|
/*
|
|
* Returns protocol flags for the given URI, which may be different from the
|
|
* flags for another URI of the same scheme.
|
|
*/
|
|
unsigned long getFlagsForURI(in nsIURI aURI);
|
|
};
|
|
|
|
/**
|
|
* nsIProtocolHandler
|
|
*/
|
|
[scriptable, uuid(a87210e6-7c8c-41f7-864d-df809015193e)]
|
|
interface nsIProtocolHandler : nsISupports
|
|
{
|
|
/**
|
|
* The scheme of this protocol (e.g., "file").
|
|
*/
|
|
readonly attribute ACString scheme;
|
|
|
|
/**
|
|
* The default port is the port that this protocol normally uses.
|
|
* If a port does not make sense for the protocol (e.g., "about:")
|
|
* then -1 will be returned.
|
|
*/
|
|
readonly attribute long defaultPort;
|
|
|
|
/**
|
|
* Returns the protocol specific flags (see flag definitions below).
|
|
*/
|
|
readonly attribute unsigned long protocolFlags;
|
|
|
|
%{C++
|
|
// Helper method to get the protocol flags in the right way.
|
|
nsresult DoGetProtocolFlags(nsIURI* aURI, uint32_t* aFlags)
|
|
{
|
|
nsCOMPtr<nsIProtocolHandlerWithDynamicFlags> dh = do_QueryInterface(this);
|
|
nsresult rv = dh ? dh->GetFlagsForURI(aURI, aFlags) : GetProtocolFlags(aFlags);
|
|
if (NS_SUCCEEDED(rv)) {
|
|
#if !IS_ORIGIN_IS_FULL_SPEC_DEFINED
|
|
MOZ_RELEASE_ASSERT(!(*aFlags & nsIProtocolHandler::ORIGIN_IS_FULL_SPEC),
|
|
"ORIGIN_IS_FULL_SPEC is unsupported but used");
|
|
#endif
|
|
}
|
|
return rv;
|
|
}
|
|
%}
|
|
|
|
/**
|
|
* Makes a URI object that is suitable for loading by this protocol,
|
|
* where the URI string is given as an UTF-8 string. The caller may
|
|
* provide the charset from which the URI string originated, so that
|
|
* the URI string can be translated back to that charset (if necessary)
|
|
* before communicating with, for example, the origin server of the URI
|
|
* string. (Many servers do not support UTF-8 IRIs at the present time,
|
|
* so we must be careful about tracking the native charset of the origin
|
|
* server.)
|
|
*
|
|
* @param aSpec - the URI string in UTF-8 encoding. depending
|
|
* on the protocol implementation, unicode character
|
|
* sequences may or may not be %xx escaped.
|
|
* @param aOriginCharset - the charset of the document from which this URI
|
|
* string originated. this corresponds to the
|
|
* charset that should be used when communicating
|
|
* this URI to an origin server, for example. if
|
|
* null, then UTF-8 encoding is assumed (i.e.,
|
|
* no charset transformation from aSpec).
|
|
* @param aBaseURI - if null, aSpec must specify an absolute URI.
|
|
* otherwise, aSpec may be resolved relative
|
|
* to aBaseURI, depending on the protocol.
|
|
* If the protocol has no concept of relative
|
|
* URI aBaseURI will simply be ignored.
|
|
*/
|
|
nsIURI newURI(in AUTF8String aSpec,
|
|
[optional] in string aOriginCharset,
|
|
[optional] in nsIURI aBaseURI);
|
|
|
|
/**
|
|
* Constructs a new channel from the given URI for this protocol handler and
|
|
* sets the loadInfo for the constructed channel.
|
|
*/
|
|
nsIChannel newChannel2(in nsIURI aURI, in nsILoadInfo aLoadinfo);
|
|
|
|
/**
|
|
* Constructs a new channel from the given URI for this protocol handler.
|
|
*/
|
|
nsIChannel newChannel(in nsIURI aURI);
|
|
|
|
/**
|
|
* Allows a protocol to override blacklisted ports.
|
|
*
|
|
* This method will be called when there is an attempt to connect to a port
|
|
* that is blacklisted. For example, for most protocols, port 25 (Simple Mail
|
|
* Transfer) is banned. When a URI containing this "known-to-do-bad-things"
|
|
* port number is encountered, this function will be called to ask if the
|
|
* protocol handler wants to override the ban.
|
|
*/
|
|
boolean allowPort(in long port, in string scheme);
|
|
|
|
|
|
/**************************************************************************
|
|
* Constants for the protocol flags (the first is the default mask, the
|
|
* others are deviations):
|
|
*
|
|
* NOTE: Implementation must ignore any flags they do not understand.
|
|
*/
|
|
|
|
/**
|
|
* standard full URI with authority component and concept of relative
|
|
* URIs (http, ftp, ...)
|
|
*/
|
|
const unsigned long URI_STD = 0;
|
|
|
|
/**
|
|
* no concept of relative URIs (about, javascript, finger, ...)
|
|
*/
|
|
const unsigned long URI_NORELATIVE = (1<<0);
|
|
|
|
/**
|
|
* no authority component (file, ...)
|
|
*/
|
|
const unsigned long URI_NOAUTH = (1<<1);
|
|
|
|
/**
|
|
* This protocol handler can be proxied via a proxy (socks or http)
|
|
* (e.g., irc, smtp, http, etc.). If the protocol supports transparent
|
|
* proxying, the handler should implement nsIProxiedProtocolHandler.
|
|
*
|
|
* If it supports only HTTP proxying, then it need not support
|
|
* nsIProxiedProtocolHandler, but should instead set the ALLOWS_PROXY_HTTP
|
|
* flag (see below).
|
|
*
|
|
* @see nsIProxiedProtocolHandler
|
|
*/
|
|
const unsigned long ALLOWS_PROXY = (1<<2);
|
|
|
|
/**
|
|
* This protocol handler can be proxied using a http proxy (e.g., http,
|
|
* ftp, etc.). nsIIOService::newChannelFromURI will feed URIs from this
|
|
* protocol handler to the HTTP protocol handler instead. This flag is
|
|
* ignored if ALLOWS_PROXY is not set.
|
|
*/
|
|
const unsigned long ALLOWS_PROXY_HTTP = (1<<3);
|
|
|
|
/**
|
|
* The URIs for this protocol have no inherent security context, so
|
|
* documents loaded via this protocol should inherit the security context
|
|
* from the document that loads them.
|
|
*/
|
|
const unsigned long URI_INHERITS_SECURITY_CONTEXT = (1<<4);
|
|
|
|
/**
|
|
* "Automatic" loads that would replace the document (e.g. <meta> refresh,
|
|
* certain types of XLinks, possibly other loads that the application
|
|
* decides are not user triggered) are not allowed if the originating (NOT
|
|
* the target) URI has this protocol flag. Note that the decision as to
|
|
* what constitutes an "automatic" load is made externally, by the caller
|
|
* of nsIScriptSecurityManager::CheckLoadURI. See documentation for that
|
|
* method for more information.
|
|
*
|
|
* A typical protocol that might want to set this flag is a protocol that
|
|
* shows highly untrusted content in a viewing area that the user expects
|
|
* to have a lot of control over, such as an e-mail reader.
|
|
*/
|
|
const unsigned long URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT = (1<<5);
|
|
|
|
/**
|
|
* +-------------------------------------------------------------------+
|
|
* | |
|
|
* | ALL PROTOCOL HANDLERS MUST SET ONE OF THE FOLLOWING FIVE FLAGS. |
|
|
* | |
|
|
* +-------------------------------------------------------------------+
|
|
*
|
|
* These flags are used to determine who is allowed to load URIs for this
|
|
* protocol. Note that if a URI is nested, only the flags for the
|
|
* innermost URI matter. See nsINestedURI.
|
|
*
|
|
* If none of these five flags are set, the URI must be treated as if it
|
|
* had the URI_LOADABLE_BY_ANYONE flag set, for compatibility with protocol
|
|
* handlers written against Gecko 1.8 or earlier. In this case, there may
|
|
* be run-time warning messages indicating that a "default insecure"
|
|
* assumption is being made. At some point in the futures (Mozilla 2.0,
|
|
* most likely), these warnings will become errors.
|
|
*/
|
|
|
|
/**
|
|
* The URIs for this protocol can be loaded by anyone. For example, any
|
|
* website should be allowed to trigger a load of a URI for this protocol.
|
|
* Web-safe protocols like "http" should set this flag.
|
|
*/
|
|
const unsigned long URI_LOADABLE_BY_ANYONE = (1<<6);
|
|
|
|
/**
|
|
* The URIs for this protocol are UNSAFE if loaded by untrusted (web)
|
|
* content and may only be loaded by privileged code (for example, code
|
|
* which has the system principal). Various internal protocols should set
|
|
* this flag.
|
|
*/
|
|
const unsigned long URI_DANGEROUS_TO_LOAD = (1<<7);
|
|
|
|
/**
|
|
* The URIs for this protocol point to resources that are part of the
|
|
* application's user interface. There are cases when such resources may
|
|
* be made accessible to untrusted content such as web pages, so this is
|
|
* less restrictive than URI_DANGEROUS_TO_LOAD but more restrictive than
|
|
* URI_LOADABLE_BY_ANYONE. See the documentation for
|
|
* nsIScriptSecurityManager::CheckLoadURI.
|
|
*/
|
|
const unsigned long URI_IS_UI_RESOURCE = (1<<8);
|
|
|
|
/**
|
|
* Loading of URIs for this protocol from other origins should only be
|
|
* allowed if those origins should have access to the local filesystem.
|
|
* It's up to the application to decide what origins should have such
|
|
* access. Protocols like "file" that point to local data should set this
|
|
* flag.
|
|
*/
|
|
const unsigned long URI_IS_LOCAL_FILE = (1<<9);
|
|
|
|
/**
|
|
* The URIs for this protocol can be loaded only by callers with a
|
|
* principal that subsumes this uri. For example, privileged code and
|
|
* websites that are same origin as this uri.
|
|
*/
|
|
const unsigned long URI_LOADABLE_BY_SUBSUMERS = (1<<10);
|
|
|
|
/**
|
|
* Channels using this protocol never call OnDataAvailable
|
|
* on the listener passed to AsyncOpen and they therefore
|
|
* do not return any data that we can use.
|
|
*/
|
|
const unsigned long URI_DOES_NOT_RETURN_DATA = (1<<11);
|
|
|
|
/**
|
|
* URIs for this protocol are considered to be local resources. This could
|
|
* be a local file (URI_IS_LOCAL_FILE), a UI resource (URI_IS_UI_RESOURCE),
|
|
* or something else that would not hit the network.
|
|
*/
|
|
const unsigned long URI_IS_LOCAL_RESOURCE = (1<<12);
|
|
|
|
/**
|
|
* URIs for this protocol execute script when they are opened.
|
|
*/
|
|
const unsigned long URI_OPENING_EXECUTES_SCRIPT = (1<<13);
|
|
|
|
/**
|
|
* Loading channels from this protocol has side-effects that make
|
|
* it unsuitable for saving to a local file.
|
|
*/
|
|
const unsigned long URI_NON_PERSISTABLE = (1<<14);
|
|
|
|
/**
|
|
* This protocol handler forbids accessing cookies e.g. for mail related
|
|
* protocols.
|
|
*/
|
|
const unsigned long URI_FORBIDS_COOKIE_ACCESS = (1<<15);
|
|
|
|
/**
|
|
* URIs for this protocol require the webapps permission on the principal
|
|
* when opening URIs for a different domain. See bug#773886
|
|
*/
|
|
const unsigned long URI_CROSS_ORIGIN_NEEDS_WEBAPPS_PERM = (1<<16);
|
|
|
|
/**
|
|
* Channels for this protocol don't need to spin the event loop to handle
|
|
* Open() and reads on the resulting stream.
|
|
*/
|
|
const unsigned long URI_SYNC_LOAD_IS_OK = (1<<17);
|
|
|
|
/**
|
|
* All the origins whose URI has this scheme are considered potentially
|
|
* trustworthy.
|
|
* Per the SecureContext spec, https: and wss: should be considered
|
|
* a priori secure, and implementations may consider other,
|
|
* implementation-specific URI schemes as secure.
|
|
*/
|
|
const unsigned long URI_IS_POTENTIALLY_TRUSTWORTHY = (1<<18);
|
|
|
|
/**
|
|
* This URI may be fetched and the contents are visible to anyone. This is
|
|
* semantically equivalent to the resource being served with all-access CORS
|
|
* headers.
|
|
*/
|
|
const unsigned long URI_FETCHABLE_BY_ANYONE = (1 << 19);
|
|
|
|
/**
|
|
* If this flag is set, then the origin for this protocol is the full URI
|
|
* spec, not just the scheme + host + port.
|
|
*
|
|
* Note: this is not supported in Firefox. It is currently only available
|
|
* in Thunderbird and SeaMonkey.
|
|
*/
|
|
const unsigned long ORIGIN_IS_FULL_SPEC = (1 << 20);
|
|
|
|
/**
|
|
* If this flag is set, the URI does not always allow content using the same
|
|
* protocol to link to it.
|
|
*/
|
|
const unsigned long URI_SCHEME_NOT_SELF_LINKABLE = (1 << 21);
|
|
|
|
/**
|
|
* The URIs for this protocol can be loaded by extensions.
|
|
*/
|
|
const unsigned long URI_LOADABLE_BY_EXTENSIONS = (1 << 22);
|
|
};
|