/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsISerializable.idl" interface nsIURI; interface nsIChannel; interface nsIDocShell; interface nsIPrincipal; /** * nsIContentSecurityPolicy * Describes an XPCOM component used to model and enforce CSPs. Instances of * this class may have multiple policies within them, but there should only be * one of these per document/principal. */ [scriptable, uuid(8b91f829-b1bf-4327-8ece-4000aa823394)] interface nsIContentSecurityPolicy : nsISerializable { /** * Set to true when the CSP has been read in and parsed and is ready to * enforce. This is a barrier for the nsDocument so it doesn't load any * sub-content until either it knows that a CSP is ready or will not be used. */ attribute boolean isInitialized; /** * Accessor method for a read-only string version of the policy at a given * index. */ AString getPolicy(in unsigned long index); /** * Returns the number of policies attached to this CSP instance. Useful with * getPolicy(). */ attribute long policyCount; /** * Remove a policy associated with this CSP context. * @throws NS_ERROR_FAILURE if the index is out of bounds or invalid. */ void removePolicy(in unsigned long index); /** * Parse and install a CSP policy. * @param aPolicy * String representation of the policy (e.g., header value) * @param selfURI * the URI of the protected document/principal * @param reportOnly * Should this policy affect content, script and style processing or * just send reports if it is violated? * @param specCompliant * Whether or not the policy conforms to the W3C specification. * If this is false, that indicates this policy is from the older * implementation with different semantics and directive names. */ void appendPolicy(in AString policyString, in nsIURI selfURI, in boolean reportOnly, in boolean specCompliant); /** * Whether this policy allows in-page script. * @param shouldReportViolations * Whether or not the use of inline script should be reported. * This function always returns "true" for report-only policies, but when * any policy (report-only or otherwise) is violated, * shouldReportViolations is true as well. * @return * Whether or not the effects of the inline script should be allowed * (block the compilation if false). */ boolean getAllowsInlineScript(out boolean shouldReportViolations); /** * whether this policy allows eval and eval-like functions * such as setTimeout("code string", time). * @param shouldReportViolations * Whether or not the use of eval should be reported. * This function returns "true" when violating report-only policies, but * when any policy (report-only or otherwise) is violated, * shouldReportViolations is true as well. * @return * Whether or not the effects of the eval call should be allowed * (block the call if false). */ boolean getAllowsEval(out boolean shouldReportViolations); /** * Whether this policy allows in-page styles. * This includes