// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
module network.mojom;
import "mojo/public/mojom/base/unguessable_token.mojom";
import "services/network/public/mojom/ip_address_space.mojom";
// A policy to decide if CORS-preflight fetch should be performed.
enum CorsPreflightPolicy {
kConsiderPreflight,
kPreventPreflight,
};
// Error conditions of the CORS check.
// These values are used for UMA. Entries should not be renumbered. Please keep
// in sync with "CorsAccessCheckError" in
// src/tools/metrics/histograms/enums.xml.
enum CorsError {
// Access control
kDisallowedByMode,
// This value is only used in warnings reported to DevTools. It indicates that
// the preflight request failed due to a non-CORS net error (for example,
// `net::ERR_EMPTY_RESPONSE`).
kInvalidResponse,
// Not allowed wildcard origin was found in Access-Control-Allow-Origin
// response header when the credentials mode is 'include'.
kWildcardOriginNotAllowed,
// Access-Control-Allow-Origin response header was not found.
kMissingAllowOriginHeader,
// Not allowed multiple origin values was found in Access-Control-Allow-Origin
// response header.
kMultipleAllowOriginValues,
// Invalid origin was found in Access-Control-Allow-Origin response header.
kInvalidAllowOriginValue,
// Not allowed by Access-Control-Allow-Origin response header.
kAllowOriginMismatch,
// Invalid value was found in Access-Control-Allow-Credentials response
// header.
kInvalidAllowCredentials,
// The scheme is not for CORS.
kCorsDisabledScheme,
// Preflight:
// Failed to check HTTP response ok status in a CORS-preflight response.
kPreflightInvalidStatus,
// Redirect is requested in CORS-preflight response, but not allowed.
kPreflightDisallowedRedirect,
// Not allowed wildcard origin was found in Access-Control-Allow-Origin
// CORS-preflight response header when the credentials mode is 'include'.
kPreflightWildcardOriginNotAllowed,
// Access-Control-Allow-Origin response header was not found in a
// CORS-preflight response.
kPreflightMissingAllowOriginHeader,
// Not allowed multiple origin values was found in Access-Control-Allow-Origin
// CORS-preflight response header.
kPreflightMultipleAllowOriginValues,
// Invalid origin was found in Access-Control-Allow-Origin CORS-preflight
// response header.
kPreflightInvalidAllowOriginValue,
// Not allowed by Access-Control-Allow-Origin CORS-preflight response header.
kPreflightAllowOriginMismatch,
// Invalid value was found in Access-Control-Allow-Credentials CORS-preflight
// response header.
kPreflightInvalidAllowCredentials,
// The Access-Control-Allow-Private-Network header was missing from the
// response to a preflight request with the
// Access-Control-Request-Private-Network header set.
//
// Spec: https://wicg.github.io/private-network-access/#headers
kPreflightMissingAllowPrivateNetwork,
// The Access-Control-Allow-Private-Network header on a preflight response
// had a invalid value. This error is only raised when the preflight request
// had the Access-Control-Request-Private-Network header set.
//
// Spec: https://wicg.github.io/private-network-access/#headers
kPreflightInvalidAllowPrivateNetwork,
// Failed to parse Access-Control-Allow-Methods response header field in
// CORS-preflight response.
kInvalidAllowMethodsPreflightResponse,
// Failed to parse Access-Control-Allow-Headers response header field in
// CORS-preflight response.
kInvalidAllowHeadersPreflightResponse,
// Not allowed by Access-Control-Allow-Methods in CORS-preflight response.
kMethodDisallowedByPreflightResponse,
// Not allowed by Access-Control-Allow-Headers in CORS-preflight response.
kHeaderDisallowedByPreflightResponse,
// Cross origin redirect location contains credentials such as 'user:pass'.
kRedirectContainsCredentials,
// Request client is not secure and less private than the request target.
// See: https://wicg.github.io/private-network-access/#secure-context-restriction
kInsecurePrivateNetwork,
// The request carried a `target_ip_address_space` which turned out to
// be different from the IP address space of the remote endpoint.
// See: https://wicg.github.io/private-network-access/#request-target-ip-address-space
kInvalidPrivateNetworkAccess,
// The request did not carry a `target_ip_address_space` yet turned out to be
// a private network request.
// See: https://wicg.github.io/private-network-access/#request-target-ip-address-space
kUnexpectedPrivateNetworkAccess,
// Could not request permission to access the private network from the user,
// because the Private-Network-Access-Id header was missing from the preflight
// response.
// See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
// TODO(crbug.com/40272644): link to the spec.
kPreflightMissingPrivateNetworkAccessId,
// Could not request permission to access the private network from the user,
// because the Private-Network-Access-Name header was missing from the
// preflight response.
// See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
// TODO(crbug.com/40272644): link to the spec.
kPreflightMissingPrivateNetworkAccessName,
// Could not request permission to access the private network from the user.
// See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
// TODO(crbug.com/40272644): link to the spec.
kPrivateNetworkAccessPermissionUnavailable,
// User did not grant permission to access the private network.
//
// Permission is only required for requests that bypass mixed content
// using the `targetAddressSpace` fetch option.
// See: https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md
// TODO(crbug.com/40272644): link to the spec.
kPrivateNetworkAccessPermissionDenied,
};
// Contains additional details about a CORS-related error.
//
// Used to pass extra error details to `URLLoaderClient`s via
// `URLLoaderCompletionStatus`.
struct CorsErrorStatus {
// The error itself.
CorsError cors_error;
// Contains request method name, or header name that didn't pass a CORS check.
string failed_parameter;
// The target IP address space set on the URL request.
// See `ResourceRequest::target_ip_address_space`.
// Set if (but not only if) `cors_error` is one of:
//
// - `kInvalidPrivateNetworkAccess`
// - `kPreflightMissingAllowPrivateNetwork`
// - `kPreflightInvalidAllowPrivateNetwork`
//
IPAddressSpace target_address_space = IPAddressSpace.kUnknown;
// The address space of the requested resource.
// Set iff `cors_error` is one of:
//
// - `kInsecurePrivateNetwork`
// - `kInvalidPrivateNetworkAccess`
// - `kUnexpectedPrivateNetworkAccess`
//
IPAddressSpace resource_address_space = IPAddressSpace.kUnknown;
// True when there is an "authorization" header on the request and it is
// covered by the wildcard in the preflight response.
// TODO(crbug.com/40168475): Remove this once the investigation is done.
bool has_authorization_covered_by_wildcard_on_preflight = false;
mojo_base.mojom.UnguessableToken issue_id;
};
// Describes what happened wrt PNA preflights during a request.
// TODO(crbug.com/40204695): Remove this once preflights are enforced.
enum PrivateNetworkAccessPreflightResult {
// No preflight was sent.
kNone,
// A preflight was sent and succeeded.
kSuccess,
// A preflight was sent in warning-only mode and failed.
kWarning,
// A preflight was sent and failed.
kError,
};
Codebase Browser
chromium