layout_image: Include missing request settings in layout-initiated image loads (#36621)

This PR updates the `fetch_image_for_layout` function to include missing
security-related request settings:

- `insecure_requests_policy`
- `has_trustworthy_ancestor_origin`
- `policy_container`

---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #36591

<!-- Either: -->
- [X] There are tests for these changes

Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
This commit is contained in:
elomscansio 2025-04-24 13:12:39 +01:00 committed by GitHub
parent 878d595035
commit 189214810e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 45 additions and 1 deletions

View file

@ -12755,6 +12755,13 @@
{}
]
],
"background_image_csp.sub.html": [
"c326f54de52c6a36cbaf4871c947c5b785cac83d",
[
null,
{}
]
],
"binding_keyword.html": [
"818d2aa29471026c1b4215dfcd1b9939a052b1ea",
[

View file

@ -0,0 +1,34 @@
<!doctype html>
<meta http-equiv="content-security-policy" content="img-src 'self'">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<style>
#target {
width: 100px;
height: 100px;
background-size: cover;
}
</style>
<div id="target"></div>
<img id="control">
<script>
// This test sets up a cross-origin background-image on a div and checks that it's blocked by CSP.
// It also uses a regular <img> to control when the test should end.
async_test(t => {
const pathparts = location.pathname.split('/');
const testfile = pathparts[pathparts.length - 1];
const url = location.href.replace(location.hostname, "{{hosts[alt][]}}").replace(testfile, "poster.png");
const target = document.getElementById("target");
target.style.backgroundImage = `url('${url}')`;
// control image load
const control = document.getElementById("control");
control.src = url;
control.onload = t.unreached_func("Control image should not load (CSP should block it)");
control.onerror = t.step_timeout(() => {
// No way to assert background-image load failure directly, just ensure no crash / test timeout
t.done();
}, 500);
});
</script>