Readonly blockReadonly enforcesReturns whether this policy enforces the frame-ancestors directive.
Readonly innerReadonly policyReturns the number of policies attached to this CSP instance. Useful with getPolicy().
Readonly referrerReadonly requestGet the various arguments needed to create a new request context for a CSP.
Readonly selfURIWarning: Do not set that attribute unless you know exactly what you are doing!
Primarily used to allow Devtools to edit inline styles!
Readonly upgradeReturns whether this policy uses the directive upgrade-insecure-requests. Please note that upgrade-insecure-reqeusts also applies if the parent or including document (context) makes use of the directive.
Optional aInstancePtr: objectA run time mechanism for interface discovery.
NS_OK if the interface is supported by the associated instance, NS_NOINTERFACE if it is not.
aInstancePtr must not be null.
[in] A requested interface IID
[out] A pointer to an interface pointer to receive the result.
Parse and install a CSP policy.
Should this policy affect content, script and style processing or just send reports if it is violated?
Indicates whether the policy was delivered via the meta tag.
Whether this policy allows eval and eval-like functions such as setTimeout("code string", time).
Whether or not the effects of the eval call should be allowed (block the call if false).
Whether or not the use of eval should be reported. This function returns "true" when violating report-only policies, but when any policy (report-only or otherwise) is violated, shouldReportViolations is true as well.
Whether this policy allows inline script or style.
Whether or not the effects of the inline style should be allowed (block the rules if false).
Only hash this when the 'unsafe-hashes' directive is also specified.
The nonce string to check against the policy
If the script element was created by the HTML Parser
The script element of the inline resource to hash. It can be null.
The content of the psuedo-script to compare to hash (and compare to the hashes listed in the policy)
The line number of the inline resource (used for reporting)
The column number of the inline resource (used for reporting)
Whether this policy allows a navigation subject to the navigate-to policy.
Whether or not the effects of the navigation is allowed
The target URI
True if the navigation was initiated by a form submission. This is important since the form-action directive overrides navigate-to in that case.
True if the allowlist of allowed targets must be enforced. If this is true, the allowlist must be enforced even if 'unsafe-allow-redirects' is used. If 'unsafe-allow-redirects' is not used then the allowlist is always enforced
Whether this policy allows the evaluation (and compilation) of
WASM code from functions like WebAssembly.compile.
Whether or not the effects of the WASM evaluation should be allowed (block the call if false).
Whether or not the use of WASM evaluation should be reported. This function returns "true" when violating report-only policies, but when any policy (report-only or otherwise) is violated, shouldReportViolations is true as well.
Delegate method called by the service when the protected document is loaded. Returns the union of all the sandbox flags contained in CSP policies. This is the most restrictive interpretation of flags set in multiple policies. See nsSandboxFlags.h for the possible flags.
sandbox flags or SANDBOXED_NONE if no sandbox directive exists
For each violated policy (of type violationType), log policy violation on the Error Console and send a report to report-uris present in the violated policies.
one of the VIOLATION_TYPE_* constants, e.g. eval or wasm-eval
the element that triggers this CSP violation. It can be null.
name of the source file containing the violation (if available)
source line number of the violation (if available)
source column number of the violation (if available)
Checks if a specific directive permits loading of a URI.
Whether or not the provided URI is allowed by CSP under the given directive. (block the pending operation if false).
The element that triggers this CSP check. It can be null.
The URI about to be loaded or used.
The CSPDirective to query (see above constants *_DIRECTIVE).
If "true" and the directive is specified to fall back to "default-src" when it's not explicitly provided, directivePermits will NOT try default-src when the specific directive is not used. Setting this to "false" allows CSP to fall back to default-src. This function behaves the same for both values of canUseDefault when querying directives that don't fall-back.
If true and the uri is not allowed then trigger violation reports.
This should be false for caching or preloads.
Verifies ancestry as permitted by the policy.
NOTE: Calls to this may trigger violation reports when queried, so this value should not be cached.
true if the frame's ancestors are all allowed by policy (except for report-only policies, which will send reports and then return true here when violated).
The loadinfo of the channel containing the protected resource
Initialize the object implementing nsISerializable, which must have been freshly constructed via CreateInstance. All data members that can't be set to default values must have been serialized by write, and should be read from aInputStream in the same order by this method.
Called after the CSP object is created to fill in appropriate request context. Either use
Delegate method called by the service when sub-elements of the protected document are being loaded. Given a bit of information about the request, decides whether or not the policy is satisfied.
Calls to this may trigger violation reports when queried, so this value should not be cached.
aOriginalURIIfRedirect must be passed only if this loading is the result of a redirect. In this case, aOriginalURIIfRedirect must be the original URL.
Serialize the object implementing nsISerializable to aOutputStream, by writing each data member that must be recovered later to reconstitute a working replica of this object, in a canonical member and byte order, to aOutputStream.
NB: a class that implements nsISerializable must also implement nsIClassInfo, in particular nsIClassInfo::GetClassID.
Generated using TypeDoc
Returns whether this policy uses the directive block-all-mixed-content. Please note that block-all-mixed-content takes presedence in case the directive upgrade-insecure-requests is defined in the same policy and will therefore block all mixed content without even trying to perform an upgrade.