nsIContentSecurityPolicy
Describes an XPCOM component used to model and enforce CSPs. Instances of
this class may have multiple policies within them, but there should only be
one of these per document/principal.
Accessor method for a read-only string version of the policy at a given
index.
Remove a policy associated with this CSP context.
@throws NS_ERROR_FAILURE if the index is out of bounds or invalid.
Parse and install a CSP policy.
aPolicy | String representation of the policy (e.g., header value) |
reportOnly | Should this policy affect content, script and style processing or just send reports if it is violated? |
Whether this policy allows in-page script.
shouldReportViolations | Whether or not the use of inline script should be reported. Report-only policies never block, so this method returns "true" for them; but whenever any policy (report-only or enforced) is violated, shouldReportViolations is reported back as true as well. |
Return value | Whether or not the effects of the inline script should be allowed (block the compilation if false). |
Whether this policy allows eval and eval-like functions
such as setTimeout("code string", time).
shouldReportViolations | Whether or not the use of eval should be reported. This method returns "true" when only report-only policies are violated, but whenever any policy (report-only or enforced) is violated, shouldReportViolations is reported back as true as well. |
Return value | Whether or not the effects of the eval call should be allowed (block the call if false). |
Whether this policy allows in-page styles.
This includes
shouldReportViolations | Whether or not the use of inline style should be reported. If there are report-only policies, this method may return true (don't block) while one or more policies still want to send violation reports, so shouldReportViolations will be true even if the inline style should be permitted. |
Return value | Whether or not the effects of the inline style should be allowed (block the rules if false). |
Whether this policy accepts the given nonce
aNonce | The nonce string to check against the policy |
aContentType | The type of element on which we encountered this nonce |
shouldReportViolation | Whether or not the use of an incorrect nonce should be reported. This method returns "true" for report-only policies (they never block), but when a report-only policy is violated, shouldReportViolation is reported back as true as well. |
Return value | Whether or not this nonce is valid |
Whether this policy accepts the given inline resource based on the hash
of its content.
aContent | The content of the inline resource to hash (and compare to the hashes listed in the policy) |
aContentType | The type of inline element (script or style) |
shouldReportViolation | Whether this inline resource should be reported as a hash-source violation. If there are no hash-sources in the policy, this is always false. |
Return value | Whether or not this inline resource is permitted by a hash-source |
For each violated policy (of type violationType), log policy violation on
the Error Console and send a report to report-uris present in the violated
policies.
violationType | one of the VIOLATION_TYPE_* constants, e.g. inline-script or eval |
sourceFile | name of the source file containing the violation (if available) |
contentSample | sample of the violating content (to aid debugging) |
lineNum | source line number of the violation (if available) |
aNonce | (optional) If this is a nonce violation, include the nonce so we can recheck to determine which policies were violated and send the appropriate reports. |
aContent | (optional) If this is a hash violation, include contents of the inline resource in the question so we can recheck the hash in order to determine which policies were violated and send the appropriate reports. |
Called after the CSP object is created to fill in appropriate request
context and give it a reference to its owning principal for violation
report generation.
This will use whatever data is available, preferring earlier arguments when
several are supplied. Either way, it attempts to obtain the URI, the referrer
and the principal from whatever is available. If the channel is available, it
will also store that for processing policy-uri directives.
Verifies ancestry as permitted by the policy.
NOTE: Calls to this may trigger violation reports when queried, so this
value should not be cached.
docShell | containing the protected resource |
true if the frame's ancestors are all allowed by policy (except for report-only policies, which will send reports and then return true here when violated). |
Whether this policy allows setting the document's base URI to
a given value.
Return value | Whether or not the provided URI is allowed to be used as the document's base URI (block the setting if false). |
Delegate method called by the service when sub-elements of the protected
document are being loaded. Given a bit of information about the request,
decides whether or not the policy is satisfied.
Calls to this may trigger violation reports when queried, so
this value should not be cached.
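Both the ancestry check and the subresource load check above come down to matching a URL against a directive's source list, with the same enforced versus report-only folding. As an added example, not Gecko's code, the block below implements host-source matching ('self', 'none', '*', scheme-sources, wildcard hosts, ports and paths, in a simplified form) and applies it twice: over every ancestor of a framed document for frame-ancestors, and to a single subresource request for the directive selected by its content type. The content-type-to-directive table and the sample policies are constructed for illustration.

```javascript
// Added example, not Gecko's implementation. Policies are given already parsed
// as { reportOnly, directives: { name: [sources...] } }. Port and path matching
// are simplified relative to the CSP specification.

// Constructed mapping from a request's content type to its governing directive.
const DIRECTIVE_FOR_TYPE = { script: 'script-src', style: 'style-src', image: 'img-src', frame: 'frame-src' };

// Does one source expression match the URL, relative to the protected document?
function hostSourceMatches(source, urlStr, selfUrlStr) {
  const url = new URL(urlStr), self = new URL(selfUrlStr);
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === self.origin;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false; // unsupported or malformed expression never matches
  const [, scheme, wildcard, host, port, path] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : self.protocol;
  if (url.protocol !== wantScheme) return false;
  const uh = url.hostname.toLowerCase(), h = host.toLowerCase();
  if (wildcard ? !uh.endsWith('.' + h) : uh !== h) return false; // *.h needs at least one label
  const defaultPort = { 'http:': '80', 'https:': '443' }[url.protocol] ?? '';
  const urlPort = url.port || defaultPort;
  if (port === undefined) { if (urlPort !== defaultPort) return false; }
  else if (port !== '*' && urlPort !== port) return false;
  if (path && path !== '/') {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

function sourceListPermits(sources, urlStr, selfUrlStr) {
  return sources.some((s) => hostSourceMatches(s, urlStr, selfUrlStr));
}

// Shared folding: a violated enforced policy blocks, a violated report-only
// policy only reports, and shouldReport is set by either.
function evaluate(policies, policyPermits) {
  let allowed = true, shouldReport = false;
  for (const p of policies) {
    if (policyPermits(p)) continue;
    shouldReport = true;
    if (!p.reportOnly) allowed = false;
  }
  return { allowed, shouldReport };
}

// Ancestry: every ancestor URL (outermost to nearest) must satisfy
// frame-ancestors. The directive does not fall back to default-src.
function permitsAncestry(policies, ancestorUrls, selfUrl) {
  return evaluate(policies, (p) => {
    const sources = p.directives['frame-ancestors'];
    return !sources || ancestorUrls.every((u) => sourceListPermits(sources, u, selfUrl));
  });
}

// Subresource load: the directive for the content type, else default-src.
function shouldLoad(policies, contentType, url, selfUrl) {
  return evaluate(policies, (p) => {
    const sources = p.directives[DIRECTIVE_FOR_TYPE[contentType]] ?? p.directives['default-src'];
    return !sources || sourceListPermits(sources, url, selfUrl);
  });
}

// Constructed sample: an enforced policy plus a report-only one that forbids
// framing entirely but is more permissive about the CDN.
const SAMPLE_SELF = 'https://app.example/page';
const SAMPLE_POLICIES = [
  { reportOnly: false, directives: { 'default-src': ["'self'"], 'img-src': ['https://*.cdn.example'], 'frame-ancestors': ["'self'", 'https://portal.example'] } },
  { reportOnly: true, directives: { 'default-src': ["'self'", 'https://*.cdn.example'], 'frame-ancestors': ["'none'"] } },
];
```

A top-level document has no ancestors, so permitsAncestry trivially passes; framed under portal.example it is allowed by the enforced policy but reported by the report-only one; framed by any other origin it is blocked. For loads, an image from img.cdn.example passes both policies, while a script from the same host is blocked by the enforced policy (script-src is absent, so default-src 'self' applies) even though the report-only policy would accept it.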
Returns the number of policies attached to this CSP instance. Useful with
getPolicy().