DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (a81015259a98)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is mozilla.org code.
 *
 * The Initial Developer of the Original Code is
 * Netscape Communications Corporation.
 * Portions created by the Initial Developer are Copyright (C) 1999
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either of the GNU General Public License Version 2 or later (the "GPL"),
 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */

#include "nsISupports.idl"
#include "nsIPrincipal.idl"
#include "nsIXPCSecurityManager.idl"
interface nsIURI;
interface nsIChannel;

[scriptable, uuid(50eda256-4dd2-4c7c-baed-96983910af9f)]
interface nsIScriptSecurityManager : nsIXPCSecurityManager
{
    ///////////////// Security Checks //////////////////
    /**
     * Checks whether the running script is allowed to access aProperty.
     */
    [noscript] void checkPropertyAccess(in JSContextPtr aJSContext,
                                        in JSObjectPtr aJSObject,
                                        in string aClassName,
                                        in jsid aProperty,
                                        in PRUint32 aAction);

    /**
     * Check that the script currently running in context "cx" can load "uri".
     *
     * Will return error code NS_ERROR_DOM_BAD_URI if the load request
     * should be denied.
     *
     * @param cx the JSContext of the script causing the load
     * @param uri the URI that is being loaded
     */
    [noscript] void checkLoadURIFromScript(in JSContextPtr cx, in nsIURI uri);

    /**
     * Default CheckLoadURI permissions
     */
    // Default permissions
    const unsigned long STANDARD = 0;

    // Indicate that the load is a load of a new document that is not
    // user-triggered.  Here "user-triggered" could be broadly interpreted --
    // for example, scripted sets of window.location.href might be treated as
    // "user-triggered" in some circumstances.  A typical example of a load
    // that is not user-triggered is a <meta> refresh load.  If this flag is
    // set, the load will be denied if the originating principal's URI has the
    // nsIProtocolHandler::URI_FORBIDS_AUTOMATIC_DOCUMENT_REPLACEMENT flag set.
    const unsigned long LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT = 1 << 0;

    // Allow the loading of chrome URLs by non-chrome URLs.  Use with great
    // care!  This will actually allow the loading of any URI which has the
    // nsIProtocolHandler::URI_IS_UI_RESOURCE protocol handler flag set.  Ths
    // probably means at least chrome: and resource:.
    const unsigned long ALLOW_CHROME = 1 << 1;

    // Don't allow URLs which would inherit the caller's principal (such as
    // javascript: or data:) to load.  See
    // nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT.
    const unsigned long DISALLOW_INHERIT_PRINCIPAL = 1 << 2;

    // Alias for DISALLOW_INHERIT_PRINCIPAL for backwards compat with
    // JS-implemented extensions.
    const unsigned long DISALLOW_SCRIPT_OR_DATA = DISALLOW_INHERIT_PRINCIPAL;

    // Don't allow javascript: URLs to load
    //   WARNING: Support for this value was added in Mozilla 1.7.8 and
    //   Firefox 1.0.4.  Use in prior versions WILL BE IGNORED.
    // When using this, make sure that you actually want DISALLOW_SCRIPT, not
    // DISALLOW_INHERIT_PRINCIPAL
    const unsigned long DISALLOW_SCRIPT = 1 << 3;

    /**
     * Check that content with principal aPrincipal can load "uri".
     *
     * Will return error code NS_ERROR_DOM_BAD_URI if the load request
     * should be denied.
     *
     * @param aPrincipal the principal identifying the actor causing the load
     * @param uri the URI that is being loaded
     * @param flags the permission set, see above
     */
    void checkLoadURIWithPrincipal(in nsIPrincipal aPrincipal,
                                   in nsIURI uri,
                                   in unsigned long flags);

    /**
     * Check that content from "from" can load "uri".
     *
     * Will return error code NS_ERROR_DOM_BAD_URI if the load request
     * should be denied.
     *
     * @param from the URI causing the load
     * @param uri the URI that is being loaded
     * @param flags the permission set, see above
     *
     * @deprecated Use checkLoadURIWithPrincipal instead of this function.
     */
    [deprecated] void checkLoadURI(in nsIURI from, in nsIURI uri,
                                   in unsigned long flags);

    /**
     * Similar to checkLoadURIWithPrincipal but there are two differences:
     *
     * 1) The URI is a string, not a URI object.
     * 2) This function assumes that the URI may still be subject to fixup (and
     * hence will check whether fixed-up versions of the URI are allowed to
     * load as well); if any of the versions of this URI is not allowed, this
     * function will return error code NS_ERROR_DOM_BAD_URI.
     */
    void checkLoadURIStrWithPrincipal(in nsIPrincipal aPrincipal,
                                      in AUTF8String uri,
                                      in unsigned long flags);

    /**
     * Same as CheckLoadURI but takes string arguments for ease of use
     * by scripts
     *
     * @deprecated Use checkLoadURIStrWithPrincipal instead of this function.
     */
    [deprecated] void checkLoadURIStr(in AUTF8String from, in AUTF8String uri,
                                      in unsigned long flags);

    /**
     * Check that the function 'funObj' is allowed to run on 'targetObj'
     *
     * Will return error code NS_ERROR_DOM_SECURITY_ERR if the function
     * should not run
     *
     * @param cx The current active JavaScript context.
     * @param funObj The function trying to run..
     * @param targetObj The object the function will run on.
     */
    [noscript] void checkFunctionAccess(in JSContextPtr cx, in voidPtr funObj,
                                        in voidPtr targetObj);

    /**
     * Return true if content from the given principal is allowed to
     * execute scripts.
     */
    [noscript] boolean canExecuteScripts(in JSContextPtr cx,
                                         in nsIPrincipal principal);

    ///////////////// Principals ///////////////////////
    /**
     * Return the principal of the innermost frame of the currently
     * executing script. Will return null if there is no script
     * currently executing.
     */
    [noscript] nsIPrincipal getSubjectPrincipal();

    /**
     * Return the all-powerful system principal.
     */
    nsIPrincipal getSystemPrincipal();

    /**
     * Return a principal with the specified certificate fingerprint, subject
     * name (the full name or concatenated set of names of the entity
     * represented by the certificate), pretty name, certificate, and
     * codebase URI.  The certificate fingerprint and subject name MUST be
     * nonempty; otherwise an error will be thrown.  Similarly, aCert must
     * not be null.
     */
    [noscript] nsIPrincipal
         getCertificatePrincipal(in AUTF8String aCertFingerprint,
                                 in AUTF8String aSubjectName,
                                 in AUTF8String aPrettyName,
                                 in nsISupports aCert,
                                 in nsIURI aURI);

    /**
     * Return a principal that has the same origin as aURI.
     */
    nsIPrincipal getCodebasePrincipal(in nsIURI aURI);

    ///////////////// Capabilities API /////////////////////
    /**
     * Request that 'capability' can be enabled by scripts or applets
     * running with 'principal'. Will prompt user if
     * necessary. Returns nsIPrincipal::ENABLE_GRANTED or
     * nsIPrincipal::ENABLE_DENIED based on user's choice.
     */
    [noscript] short requestCapability(in nsIPrincipal principal,
                                       in string capability);

    /**
     * Return true if the currently executing script has 'capability' enabled.
     */
    boolean isCapabilityEnabled(in string capability);

    /**
     * Enable 'capability' in the innermost frame of the currently executing
     * script.
     */
    void enableCapability(in string capability);

    /**
     * Remove 'capability' from the innermost frame of the currently
     * executing script. Any setting of 'capability' from enclosing
     * frames thus comes into effect.
     */
    void revertCapability(in string capability);

    /**
     * Disable 'capability' in the innermost frame of the currently executing
     * script.
     */
    void disableCapability(in string capability);

    //////////////// Master Certificate Functions ////////////////////
    /**
     * Allow 'certificateID' to enable 'capability.' Can only be performed
     * by code signed by the system certificate.
     */
    // XXXbz Capabilities can't have non-ascii chars?
    // XXXbz ideally we'd pass a subjectName here too, and the nsISupports
    // cert we're enabling for...
    void setCanEnableCapability(in AUTF8String certificateFingerprint,
                                in string capability,
                                in short canEnable);

    ///////////////////////
    /**
     * Return the principal of the specified object in the specified context.
     */
    [noscript] nsIPrincipal getObjectPrincipal(in JSContextPtr cx,
                                               in JSObjectPtr obj);

    /**
     * Returns true if the principal of the currently running script is the
     * system principal, false otherwise.
     */
    [noscript] boolean subjectPrincipalIsSystem();

    /**
     * Returns OK if aJSContext and target have the same "origin"
     * (scheme, host, and port).
     */
    [noscript] void checkSameOrigin(in JSContextPtr aJSContext,
                                    in nsIURI aTargetURI);

    /**
     * Returns OK if aSourceURI and target have the same "origin"
     * (scheme, host, and port).
     * ReportError flag suppresses error reports for functions that
     * don't need reporting.
     */
    void checkSameOriginURI(in nsIURI aSourceURI,
                            in nsIURI aTargetURI,
                            in boolean reportError);

    /**
     * Returns the principal of the global object of the given context, or null
     * if no global or no principal.
     */
    [noscript] nsIPrincipal getPrincipalFromContext(in JSContextPtr cx);

    /**
     * Get the principal for the given channel.  This will typically be the
     * channel owner if there is one, and the codebase principal for the
     * channel's URI otherwise.  aChannel must not be null.
     */
    nsIPrincipal getChannelPrincipal(in nsIChannel aChannel);

    /**
     * Check whether a given principal is a system principal.  This allows us
     * to avoid handing back the system principal to script while allowing
     * script to check whether a given principal is system.
     */
    boolean isSystemPrincipal(in nsIPrincipal aPrincipal);

    /**
     * Same as getSubjectPrincipal(), only faster. cx must *never* be
     * passed null, and it must be the context on the top of the
     * context stack. Does *not* reference count the returned
     * principal.
     */
    [noscript,notxpcom] nsIPrincipal getCxSubjectPrincipal(in JSContextPtr cx);
    [noscript,notxpcom] nsIPrincipal getCxSubjectPrincipalAndFrame(in JSContextPtr cx,
                                                                   out JSStackFramePtr fp);

    /**
     * If no scripted code is running "above" (or called from) fp, then
     * instead of looking at cx->globalObject, we will return |principal|.
     * This function only affects |cx|. If someone pushes another context onto
     * the context stack, then it supersedes this call.
     * NOTE: If |fp| is non-null popContextPrincipal must be called before fp
     * has finished executing.
     *
     * @param cx The context to clamp.
     * @param fp The frame pointer to clamp at. May be 'null'.
     * @param principal The principal to clamp to.
     */
    [noscript] void pushContextPrincipal(in JSContextPtr cx,
                                         in JSStackFramePtr fp,
                                         in nsIPrincipal principal);

    /**
     * Removes a clamp set by pushContextPrincipal from cx. This must be
     * called in a stack-like fashion (e.g., given two contexts |a| and |b|,
     * it is not legal to do: push(a) push(b) pop(a)).
     */
    [noscript] void popContextPrincipal(in JSContextPtr cx);
};

%{C++
#define NS_SCRIPTSECURITYMANAGER_CONTRACTID "@mozilla.org/scriptsecuritymanager;1"
#define NS_SCRIPTSECURITYMANAGER_CLASSNAME "scriptsecuritymanager"
%}