Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-06-06 16:45:39 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add support for Upgrade request to a potentially trustworthy URL. (#34986)

Browse source 
* Add support for Upgrade request to a potentially trustworthy URL.

Signed-off-by: Shubham Gupta <shubham13297@gmail.com>

* script: Support inheritable insecure request policy in documents and workers.

Signed-off-by: Josh Matthews <josh@joshmatthews.net>

---------

Signed-off-by: Shubham Gupta <shubham13297@gmail.com>
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Co-authored-by: Shubham Gupta <shubham.gupta@chromium.org>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
This commit is contained in:
Shubham Gupta 2025-02-05 20:49:56 +08:00 committed by GitHub
parent 7b36f2beb3
commit 1e164738d8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
57 changed files with 264 additions and 346 deletions
Download patch file Download diff file Expand all files Collapse all files

2
components/constellation/constellation.rs
View file

@ -1350,6 +1350,7 @@ where
Referrer::NoReferrer,
ReferrerPolicy::EmptyString,
None,
None,
);
let ctx_id = BrowsingContextId::from(top_level_browsing_context_id);
let pipeline_id = match self.browsing_contexts.get(&ctx_id) {
@ -2976,6 +2977,7 @@ where
Referrer::NoReferrer,
ReferrerPolicy::EmptyString,
None,
None,
);
let sandbox = IFrameSandboxState::IFrameUnsandboxed;
let is_private = false;

95
components/net/fetch/methods.rs
View file

@ -14,17 +14,17 @@ use crossbeam_channel::Sender;
use devtools_traits::DevtoolsControlMsg;
use headers::{AccessControlExposeHeaders, ContentType, HeaderMapExt};
use http::header::{self, HeaderMap, HeaderName};
use http::{Method, StatusCode};
use http::{HeaderValue, Method, StatusCode};
use ipc_channel::ipc;
use log::warn;
use log::{debug, trace, warn};
use mime::{self, Mime};
use net_traits::filemanager_thread::{FileTokenCheck, RelativePos};
use net_traits::http_status::HttpStatus;
use net_traits::policy_container::{PolicyContainer, RequestPolicyContainer};
use net_traits::request::{
is_cors_safelisted_method, is_cors_safelisted_request_header, BodyChunkRequest,
BodyChunkResponse, CredentialsMode, Destination, Origin, RedirectMode, Referrer, Request,
RequestMode, ResponseTainting, Window,
BodyChunkResponse, CredentialsMode, Destination, InsecureRequestsPolicy, Origin, RedirectMode,
Referrer, Request, RequestMode, ResponseTainting, Window,
};
use net_traits::response::{Response, ResponseBody, ResponseType};
use net_traits::{
@ -251,8 +251,32 @@ pub async fn main_fetch(
// Step 3.
// TODO: handle request abort.
// Step 4.
// TODO: handle upgrade to a potentially secure URL.
// Step 4. Upgrade request to a potentially trustworthy URL, if appropriate.
if should_upgrade_request_to_potentially_trustworty(request, context) {
trace!(
"upgrading {} targeting {:?}",
request.current_url(),
request.destination
);
if let Some(new_scheme) = match request.current_url().scheme() {
"http" => Some("https"),
"ws" => Some("wss"),
_ => None,
} {
request
.current_url_mut()
.as_mut_url()
.set_scheme(new_scheme)
.unwrap();
}
} else {
trace!(
"not upgrading {} targeting {:?} with {:?}",
request.current_url(),
request.destination,
request.insecure_requests_policy
);
}
// Step 5.
if should_be_blocked_due_to_bad_port(&request.current_url()) {
@ -881,3 +905,62 @@ fn is_bad_port(port: u16) -> bool {
BAD_PORTS.binary_search(&port).is_ok()
}
// TODO : Investigate and need to revisit again
pub fn is_form_submission_request(request: &Request) -> bool {
let content_type = request.headers.typed_get::<ContentType>();
content_type.is_some_and(|ct| {
let mime: Mime = ct.into();
mime.type_() == mime::APPLICATION && mime.subtype() == mime::WWW_FORM_URLENCODED
})
}
/// <https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request>
fn should_upgrade_request_to_potentially_trustworty(
request: &mut Request,
context: &FetchContext,
) -> bool {
fn should_upgrade_navigation_request(request: &Request) -> bool {
// Step 2.1 If request is a form submission, skip the remaining substeps, and continue upgrading request.
if is_form_submission_request(request) {
return true;
}
// Step 2.2
// TODO If requests client's target browsing context is a nested browsing context
// Step 2.4
// TODO : check for insecure navigation set after its implemention
// Step 2.5 Return without further modifying request
false
}
// Step 1. If request is a navigation request,
if request.is_navigation_request() {
// Append a header named Upgrade-Insecure-Requests with a value of 1 to
// requests header list if any of the following criteria are met:
// * requests URL is not a potentially trustworthy URL
// * requests URL's host is not a preloadable HSTS host
if !request.current_url().is_origin_trustworthy() ||
!context
.state
.hsts_list
.read()
.unwrap()
.is_host_secure(request.current_url().host_str().unwrap())
{
debug!("Appending the Upgrade-Insecure-Requests header to requests header list");
request
.headers
.insert("Upgrade-Insecure-Requests", HeaderValue::from_static("1"));
}
if !should_upgrade_navigation_request(request) {
return false;
}
}
// Step 4
request.insecure_requests_policy == InsecureRequestsPolicy::Upgrade
}

2
components/net/tests/http_loader.rs
View file

@ -171,6 +171,7 @@ fn test_check_default_headers_loaded_in_every_request() {
HeaderName::from_static("sec-fetch-user"),
HeaderValue::from_static("?1"),
);
headers.insert("Upgrade-Insecure-Requests", HeaderValue::from_static("1"));
*expected_headers.lock().unwrap() = Some(headers.clone());
@ -325,6 +326,7 @@ fn test_request_and_response_data_with_network_messages() {
HeaderName::from_static("sec-fetch-user"),
HeaderValue::from_static("?1"),
);
headers.insert("Upgrade-Insecure-Requests", HeaderValue::from_static("1"));
let httprequest = DevtoolsHttpRequest {
url: url,

11
components/script/dom/dedicatedworkerglobalscope.rs
View file

@ -17,7 +17,8 @@ use js::jsval::UndefinedValue;
use js::rust::{CustomAutoRooter, CustomAutoRooterGuard, HandleValue};
use net_traits::image_cache::ImageCache;
use net_traits::request::{
CredentialsMode, Destination, ParserMetadata, Referrer, RequestBuilder, RequestMode,
CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata, Referrer, RequestBuilder,
RequestMode,
};
use net_traits::IpcSend;
use script_traits::{WorkerGlobalScopeInit, WorkerScriptLoadOrigin};
@ -256,6 +257,7 @@ impl DedicatedWorkerGlobalScope {
browsing_context: Option<BrowsingContextId>,
#[cfg(feature = "webgpu")] gpu_id_hub: Arc<IdentityHub>,
control_receiver: Receiver<DedicatedWorkerControlMsg>,
insecure_requests_policy: InsecureRequestsPolicy,
) -> DedicatedWorkerGlobalScope {
DedicatedWorkerGlobalScope {
workerglobalscope: WorkerGlobalScope::new_inherited(
@ -268,6 +270,7 @@ impl DedicatedWorkerGlobalScope {
closing,
#[cfg(feature = "webgpu")]
gpu_id_hub,
insecure_requests_policy,
),
task_queue: TaskQueue::new(receiver, own_sender.clone()),
own_sender,
@ -295,6 +298,7 @@ impl DedicatedWorkerGlobalScope {
browsing_context: Option<BrowsingContextId>,
#[cfg(feature = "webgpu")] gpu_id_hub: Arc<IdentityHub>,
control_receiver: Receiver<DedicatedWorkerControlMsg>,
insecure_requests_policy: InsecureRequestsPolicy,
) -> DomRoot<DedicatedWorkerGlobalScope> {
let cx = runtime.cx();
let scope = Box::new(DedicatedWorkerGlobalScope::new_inherited(
@ -313,6 +317,7 @@ impl DedicatedWorkerGlobalScope {
#[cfg(feature = "webgpu")]
gpu_id_hub,
control_receiver,
insecure_requests_policy,
));
unsafe { DedicatedWorkerGlobalScopeBinding::Wrap(SafeJSContext::from_ptr(cx), scope) }
}
@ -336,6 +341,7 @@ impl DedicatedWorkerGlobalScope {
#[cfg(feature = "webgpu")] gpu_id_hub: Arc<IdentityHub>,
control_receiver: Receiver<DedicatedWorkerControlMsg>,
context_sender: Sender<ThreadSafeJSContext>,
insecure_requests_policy: InsecureRequestsPolicy,
) -> JoinHandle<()> {
let serialized_worker_url = worker_url.to_string();
let top_level_browsing_context_id = TopLevelBrowsingContextId::installed();
@ -377,6 +383,8 @@ impl DedicatedWorkerGlobalScope {
.use_url_credentials(true)
.pipeline_id(Some(pipeline_id))
.referrer_policy(referrer_policy)
.referrer_policy(referrer_policy)
.insecure_requests_policy(insecure_requests_policy)
.origin(origin);
let runtime = unsafe {
@ -428,6 +436,7 @@ impl DedicatedWorkerGlobalScope {
#[cfg(feature = "webgpu")]
gpu_id_hub,
control_receiver,
insecure_requests_policy,
);
// FIXME(njn): workers currently don't have a unique ID suitable for using in reporter
// registration (#6631), so we instead use a random number and cross our fingers.

38
components/script/dom/document.rs
View file

@ -18,7 +18,7 @@ use base::cross_process_instant::CrossProcessInstant;
use base::id::WebViewId;
use canvas_traits::webgl::{self, WebGLContextId, WebGLMsg};
use chrono::Local;
use content_security_policy::{self as csp, CspList};
use content_security_policy::{self as csp, CspList, PolicyDisposition};
use cookie::Cookie;
use cssparser::match_ignore_ascii_case;
use devtools_traits::ScriptToDevtoolsControlMsg;
@ -41,7 +41,7 @@ use metrics::{
use mime::{self, Mime};
use net_traits::policy_container::PolicyContainer;
use net_traits::pub_domains::is_pub_domain;
use net_traits::request::RequestBuilder;
use net_traits::request::{InsecureRequestsPolicy, RequestBuilder};
use net_traits::response::HttpsState;
use net_traits::CookieSource::NonHTTP;
use net_traits::CoreResourceMsg::{GetCookiesForUrl, SetCookiesForUrl};
@ -506,6 +506,9 @@ pub(crate) struct Document {
status_code: Option<u16>,
/// <https://html.spec.whatwg.org/multipage/#is-initial-about:blank>
is_initial_about_blank: Cell<bool>,
/// <https://w3c.github.io/webappsec-upgrade-insecure-requests/#insecure-requests-policy>
#[no_trace]
inherited_insecure_requests_policy: Cell<Option<InsecureRequestsPolicy>>,
}
#[allow(non_snake_case)]
@ -2355,9 +2358,10 @@ impl Document {
pub(crate) fn fetch<Listener: FetchResponseListener + PreInvoke + Send + 'static>(
&self,
load: LoadType,
request: RequestBuilder,
mut request: RequestBuilder,
listener: Listener,
) {
request = request.insecure_requests_policy(self.insecure_requests_policy());
let callback = NetworkListener {
context: std::sync::Arc::new(Mutex::new(listener)),
task_source: self
@ -2373,9 +2377,10 @@ impl Document {
pub(crate) fn fetch_background<Listener: FetchResponseListener + PreInvoke + Send + 'static>(
&self,
request: RequestBuilder,
mut request: RequestBuilder,
listener: Listener,
) {
request = request.insecure_requests_policy(self.insecure_requests_policy());
let callback = NetworkListener {
context: std::sync::Arc::new(Mutex::new(listener)),
task_source: self
@ -3438,6 +3443,7 @@ impl Document {
status_code: Option<u16>,
canceller: FetchCanceller,
is_initial_about_blank: bool,
inherited_insecure_requests_policy: Option<InsecureRequestsPolicy>,
) -> Document {
let url = url.unwrap_or_else(|| ServoUrl::parse("about:blank").unwrap());
@ -3587,9 +3593,27 @@ impl Document {
visibility_state: Cell::new(DocumentVisibilityState::Hidden),
status_code,
is_initial_about_blank: Cell::new(is_initial_about_blank),
inherited_insecure_requests_policy: Cell::new(inherited_insecure_requests_policy),
}
}
/// Returns a policy value that should be used for fetches initiated by this document.
pub(crate) fn insecure_requests_policy(&self) -> InsecureRequestsPolicy {
if let Some(csp_list) = self.get_csp_list() {
for policy in &csp_list.0 {
if policy.contains_a_directive_whose_name_is("upgrade-insecure-requests") &&
policy.disposition == PolicyDisposition::Enforce
{
return InsecureRequestsPolicy::Upgrade;
}
}
}
self.inherited_insecure_requests_policy
.get()
.unwrap_or(InsecureRequestsPolicy::DoNotUpgrade)
}
/// Note a pending compositor event, to be processed at the next `update_the_rendering` task.
pub(crate) fn note_pending_compositor_event(&self, event: CompositorEvent) {
let mut pending_compositor_events = self.pending_compositor_events.borrow_mut();
@ -3702,6 +3726,7 @@ impl Document {
status_code: Option<u16>,
canceller: FetchCanceller,
is_initial_about_blank: bool,
inherited_insecure_requests_policy: Option<InsecureRequestsPolicy>,
can_gc: CanGc,
) -> DomRoot<Document> {
Self::new_with_proto(
@ -3720,6 +3745,7 @@ impl Document {
status_code,
canceller,
is_initial_about_blank,
inherited_insecure_requests_policy,
can_gc,
)
}
@ -3741,6 +3767,7 @@ impl Document {
status_code: Option<u16>,
canceller: FetchCanceller,
is_initial_about_blank: bool,
inherited_insecure_requests_policy: Option<InsecureRequestsPolicy>,
can_gc: CanGc,
) -> DomRoot<Document> {
let document = reflect_dom_object_with_proto(
@ -3759,6 +3786,7 @@ impl Document {
status_code,
canceller,
is_initial_about_blank,
inherited_insecure_requests_policy,
)),
window,
proto,
@ -3890,6 +3918,7 @@ impl Document {
None,
Default::default(),
false,
Some(self.insecure_requests_policy()),
can_gc,
);
new_doc
@ -4454,6 +4483,7 @@ impl DocumentMethods<crate::DomTypeHolder> for Document {
None,
Default::default(),
false,
Some(doc.insecure_requests_policy()),
can_gc,
))
}

2
components/script/dom/domimplementation.rs
View file

@ -105,6 +105,7 @@ impl DOMImplementationMethods<crate::DomTypeHolder> for DOMImplementation {
DocumentActivity::Inactive,
DocumentSource::NotFromParser,
loader,
Some(self.document.insecure_requests_policy()),
);
// Step 2-3.
let maybe_elem = if qname.is_empty() {
@ -165,6 +166,7 @@ impl DOMImplementationMethods<crate::DomTypeHolder> for DOMImplementation {
None,
Default::default(),
false,
Some(self.document.insecure_requests_policy()),
can_gc,
);

2
components/script/dom/domparser.rs
View file

@ -88,6 +88,7 @@ impl DOMParserMethods<crate::DomTypeHolder> for DOMParser {
None,
Default::default(),
false,
Some(doc.insecure_requests_policy()),
can_gc,
);
ServoParser::parse_html_document(&document, Some(s), url, can_gc);
@ -110,6 +111,7 @@ impl DOMParserMethods<crate::DomTypeHolder> for DOMParser {
None,
Default::default(),
false,
Some(doc.insecure_requests_policy()),
can_gc,
);
ServoParser::parse_xml_document(&document, Some(s), url, can_gc);

1
components/script/dom/eventsource.rs
View file

@ -560,6 +560,7 @@ impl EventSourceMethods<crate::DomTypeHolder> for EventSource {
Some(cors_attribute_state),
Some(true),
global.get_referrer(),
global.insecure_requests_policy(),
)
.origin(global.origin().immutable().clone())
.pipeline_id(Some(global.pipeline_id()));

14
components/script/dom/globalscope.rs
View file

@ -48,7 +48,7 @@ use net_traits::filemanager_thread::{
};
use net_traits::image_cache::ImageCache;
use net_traits::policy_container::PolicyContainer;
use net_traits::request::{Referrer, RequestBuilder};
use net_traits::request::{InsecureRequestsPolicy, Referrer, RequestBuilder};
use net_traits::response::HttpsState;
use net_traits::{
fetch_async, CoreResourceMsg, CoreResourceThread, FetchResponseListener, IpcSend,
@ -2379,6 +2379,18 @@ impl GlobalScope {
self.downcast::<Window>().expect("expected a Window scope")
}
/// Returns a policy that should be used for fetches initiated from this global.
pub(crate) fn insecure_requests_policy(&self) -> InsecureRequestsPolicy {
if let Some(window) = self.downcast::<Window>() {
return window.Document().insecure_requests_policy();
}
if let Some(worker) = self.downcast::<WorkerGlobalScope>() {
return worker.insecure_requests_policy();
}
debug!("unsupported global, defaulting insecure requests policy to DoNotUpgrade");
InsecureRequestsPolicy::DoNotUpgrade
}
/// <https://html.spec.whatwg.org/multipage/#report-the-error>
pub(crate) fn report_an_error(&self, error_info: ErrorInfo, value: HandleValue, can_gc: CanGc) {
// Step 1.

1
components/script/dom/htmlformelement.rs
View file

@ -858,6 +858,7 @@ impl HTMLFormElement {
target_window.as_global_scope().get_referrer(),
target_document.get_referrer_policy(),
Some(target_window.as_global_scope().is_secure_context()),
Some(target_document.insecure_requests_policy()),
);
// Step 22

3
components/script/dom/htmliframeelement.rs
View file

@ -267,6 +267,7 @@ impl HTMLIFrameElement {
window.as_global_scope().get_referrer(),
document.get_referrer_policy(),
Some(window.as_global_scope().is_secure_context()),
Some(document.insecure_requests_policy()),
);
let element = self.upcast::<Element>();
load_data.srcdoc = String::from(element.get_string_attribute(&local_name!("srcdoc")));
@ -357,6 +358,7 @@ impl HTMLIFrameElement {
window.as_global_scope().get_referrer(),
referrer_policy,
Some(window.as_global_scope().is_secure_context()),
Some(document.insecure_requests_policy()),
);
let pipeline_id = self.pipeline_id();
@ -401,6 +403,7 @@ impl HTMLIFrameElement {
window.as_global_scope().get_referrer(),
document.get_referrer_policy(),
Some(window.as_global_scope().is_secure_context()),
Some(document.insecure_requests_policy()),
);
let browsing_context_id = BrowsingContextId::new();
let top_level_browsing_context_id = window.window_proxy().top_level_browsing_context_id();

1
components/script/dom/htmlimageelement.rs
View file

@ -423,6 +423,7 @@ impl HTMLImageElement {
cors_setting_for_element(self.upcast()),
None,
document.global().get_referrer(),
document.insecure_requests_policy(),
)
.origin(document.origin().immutable().clone())
.pipeline_id(Some(document.global().pipeline_id()))

6
components/script/dom/htmllinkelement.rs
View file

@ -14,7 +14,8 @@ use html5ever::{local_name, namespace_url, ns, LocalName, Prefix};
use js::rust::HandleObject;
use net_traits::policy_container::PolicyContainer;
use net_traits::request::{
CorsSettings, Destination, Initiator, Referrer, RequestBuilder, RequestId,
CorsSettings, Destination, Initiator, InsecureRequestsPolicy, Referrer, RequestBuilder,
RequestId,
};
use net_traits::{
FetchMetadata, FetchResponseListener, NetworkError, ReferrerPolicy, ResourceFetchTiming,
@ -78,6 +79,7 @@ struct LinkProcessingOptions {
policy_container: PolicyContainer,
source_set: Option<()>,
base_url: ServoUrl,
insecure_requests_policy: InsecureRequestsPolicy,
// Some fields that we don't need yet are missing
}
@ -326,6 +328,7 @@ impl HTMLLinkElement {
policy_container: document.policy_container().to_owned(),
source_set: None, // FIXME
base_url: document.borrow().base_url(),
insecure_requests_policy: document.insecure_requests_policy(),
};
// Step 3. If el has an href attribute, then set options's href to the value of el's href attribute.
@ -658,6 +661,7 @@ impl LinkProcessingOptions {
self.cross_origin,
None,
Referrer::NoReferrer,
self.insecure_requests_policy,
)
.integrity_metadata(self.integrity)
.policy_container(self.policy_container)

1
components/script/dom/htmlmediaelement.rs
View file

@ -891,6 +891,7 @@ impl HTMLMediaElement {
cors_setting,
None,
self.global().get_referrer(),
document.insecure_requests_policy(),
)
.headers(headers)
.origin(document.origin().immutable().clone())

6
components/script/dom/htmlscriptelement.rs
View file

@ -21,7 +21,8 @@ use js::jsval::UndefinedValue;
use js::rust::{transform_str_to_source_text, CompileOptionsWrapper, HandleObject, Stencil};
use net_traits::http_status::HttpStatus;
use net_traits::request::{
CorsSettings, CredentialsMode, Destination, ParserMetadata, RequestBuilder, RequestId,
CorsSettings, CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata,
RequestBuilder, RequestId,
};
use net_traits::{
FetchMetadata, FetchResponseListener, Metadata, NetworkError, ResourceFetchTiming,
@ -548,6 +549,7 @@ pub(crate) fn script_fetch_request(
origin: ImmutableOrigin,
pipeline_id: PipelineId,
options: ScriptFetchOptions,
insecure_requests_policy: InsecureRequestsPolicy,
) -> RequestBuilder {
// We intentionally ignore options' credentials_mode member for classic scripts.
// The mode is initialized by create_a_potential_cors_request.
@ -558,6 +560,7 @@ pub(crate) fn script_fetch_request(
cors_setting,
None,
options.referrer,
insecure_requests_policy,
)
.origin(origin)
.pipeline_id(Some(pipeline_id))
@ -584,6 +587,7 @@ fn fetch_a_classic_script(
doc.origin().immutable().clone(),
script.global().pipeline_id(),
options.clone(),
doc.insecure_requests_policy(),
);
let request = doc.prepare_request(request);

1
components/script/dom/location.rs
View file

@ -129,6 +129,7 @@ impl Location {
referrer,
referrer_policy,
None, // Top navigation doesn't inherit secure context
Some(source_document.insecure_requests_policy()),
);
self.window
.load_url(history_handling, reload_triggered, load_data, can_gc);

1
components/script/dom/node.rs
View file

@ -2490,6 +2490,7 @@ impl Node {
document.status_code(),
Default::default(),
false,
Some(document.insecure_requests_policy()),
can_gc,
);
DomRoot::upcast::<Node>(document)

1
components/script/dom/request.rs
View file

@ -112,6 +112,7 @@ fn net_request_from_global(global: &GlobalScope, url: ServoUrl) -> NetTraitsRequ
.origin(global.get_url().origin())
.pipeline_id(Some(global.pipeline_id()))
.https_state(global.get_https_state())
.insecure_requests_policy(global.insecure_requests_policy())
.build()
}

7
components/script/dom/serviceworkerglobalscope.rs
View file

@ -15,7 +15,9 @@ use ipc_channel::ipc::{IpcReceiver, IpcSender};
use ipc_channel::router::ROUTER;
use js::jsapi::{JSContext, JS_AddInterruptCallback};
use js::jsval::UndefinedValue;
use net_traits::request::{CredentialsMode, Destination, ParserMetadata, Referrer, RequestBuilder};
use net_traits::request::{
CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata, Referrer, RequestBuilder,
};
use net_traits::{CustomResponseMediator, IpcSend};
use script_traits::{ScopeThings, ServiceWorkerMsg, WorkerGlobalScopeInit, WorkerScriptLoadOrigin};
use servo_config::pref;
@ -224,6 +226,8 @@ impl ServiceWorkerGlobalScope {
closing,
#[cfg(feature = "webgpu")]
Arc::new(IdentityHub::default()),
InsecureRequestsPolicy::DoNotUpgrade, // FIXME: investigate what environment this value comes from for
// service workers.
),
task_queue: TaskQueue::new(receiver, own_sender.clone()),
own_sender,
@ -341,6 +345,7 @@ impl ServiceWorkerGlobalScope {
.use_url_credentials(true)
.pipeline_id(Some(pipeline_id))
.referrer_policy(referrer_policy)
.insecure_requests_policy(scope.insecure_requests_policy())
.origin(origin);
let (_url, source) = match load_whole_resource(

1
components/script/dom/servoparser/mod.rs
View file

@ -216,6 +216,7 @@ impl ServoParser {
None,
Default::default(),
false,
Some(context_document.insecure_requests_policy()),
can_gc,
);

10
components/script/dom/servoparser/prefetch.rs
View file

@ -13,7 +13,9 @@ use html5ever::tokenizer::{
};
use html5ever::{local_name, Attribute, LocalName};
use js::jsapi::JSTracer;
use net_traits::request::{CorsSettings, CredentialsMode, ParserMetadata, Referrer};
use net_traits::request::{
CorsSettings, CredentialsMode, InsecureRequestsPolicy, ParserMetadata, Referrer,
};
use net_traits::{CoreResourceMsg, FetchChannels, IpcSend, ReferrerPolicy, ResourceThreads};
use servo_url::{ImmutableOrigin, ServoUrl};
@ -53,6 +55,7 @@ impl Tokenizer {
// true after the first script tag, since that is what will
// block the main parser.
prefetching: Cell::new(false),
insecure_requests_policy: document.insecure_requests_policy(),
};
let options = Default::default();
let inner = HtmlTokenizer::new(sink, options);
@ -83,6 +86,8 @@ struct PrefetchSink {
#[no_trace]
resource_threads: ResourceThreads,
prefetching: Cell<bool>,
#[no_trace]
insecure_requests_policy: InsecureRequestsPolicy,
}
/// The prefetch tokenizer produces trivial results
@ -118,6 +123,7 @@ impl TokenSink for PrefetchSink {
credentials_mode: CredentialsMode::CredentialsSameOrigin,
parser_metadata: ParserMetadata::ParserInserted,
},
self.insecure_requests_policy,
);
let _ = self
.resource_threads
@ -135,6 +141,7 @@ impl TokenSink for PrefetchSink {
self.get_cors_settings(tag, local_name!("crossorigin")),
None,
self.referrer.clone(),
self.insecure_requests_policy,
)
.origin(self.origin.clone())
.pipeline_id(Some(self.pipeline_id))
@ -168,6 +175,7 @@ impl TokenSink for PrefetchSink {
cors_setting,
None,
self.referrer.clone(),
self.insecure_requests_policy,
)
.origin(self.origin.clone())
.pipeline_id(Some(self.pipeline_id))

1
components/script/dom/websocket.rs
View file

@ -257,6 +257,7 @@ impl WebSocketMethods<crate::DomTypeHolder> for WebSocket {
let request = RequestBuilder::new(global.webview_id(), url_record, Referrer::NoReferrer)
.origin(global.origin().immutable().clone())
.insecure_requests_policy(global.insecure_requests_policy())
.mode(RequestMode::WebSocket { protocols });
let channels = FetchChannels::WebSocket {

2
components/script/dom/windowproxy.rs
View file

@ -312,6 +312,7 @@ impl WindowProxy {
document.global().get_referrer(),
document.get_referrer_policy(),
None, // Doesn't inherit secure context
None,
);
let load_info = AuxiliaryBrowsingContextLoadInfo {
load_data: load_data.clone(),
@ -524,6 +525,7 @@ impl WindowProxy {
referrer,
referrer_policy,
Some(secure),
Some(target_document.insecure_requests_policy()),
);
let history_handling = if new {
NavigationHistoryBehavior::Replace

1
components/script/dom/worker.rs
View file

@ -239,6 +239,7 @@ impl WorkerMethods<crate::DomTypeHolder> for Worker {
global.wgpu_id_hub(),
control_receiver,
context_sender,
global.insecure_requests_policy(),
);
let context = context_receiver

14
components/script/dom/workerglobalscope.rs
View file

@ -20,7 +20,8 @@ use js::panic::maybe_resume_unwind;
use js::rust::{HandleValue, MutableHandleValue, ParentRuntime};
use net_traits::policy_container::PolicyContainer;
use net_traits::request::{
CredentialsMode, Destination, ParserMetadata, RequestBuilder as NetRequestInit,
CredentialsMode, Destination, InsecureRequestsPolicy, ParserMetadata,
RequestBuilder as NetRequestInit,
};
use net_traits::IpcSend;
use script_traits::WorkerGlobalScopeInit;
@ -127,6 +128,9 @@ pub(crate) struct WorkerGlobalScope {
/// Timers are handled in the service worker event loop.
#[no_trace]
timer_scheduler: RefCell<TimerScheduler>,
#[no_trace]
insecure_requests_policy: InsecureRequestsPolicy,
}
impl WorkerGlobalScope {
@ -140,6 +144,7 @@ impl WorkerGlobalScope {
devtools_receiver: Receiver<DevtoolScriptControlMsg>,
closing: Arc<AtomicBool>,
#[cfg(feature = "webgpu")] gpu_id_hub: Arc<IdentityHub>,
insecure_requests_policy: InsecureRequestsPolicy,
) -> Self {
// Install a pipeline-namespace in the current thread.
PipelineNamespace::auto_install();
@ -181,9 +186,15 @@ impl WorkerGlobalScope {
navigation_start: CrossProcessInstant::now(),
performance: Default::default(),
timer_scheduler: RefCell::default(),
insecure_requests_policy,
}
}
/// Returns a policy value that should be used by fetches initiated by this worker.
pub(crate) fn insecure_requests_policy(&self) -> InsecureRequestsPolicy {
self.insecure_requests_policy
}
/// Clear various items when the worker event-loop shuts-down.
pub(crate) fn clear_js_runtime(&self) {
self.upcast::<GlobalScope>()
@ -288,6 +299,7 @@ impl WorkerGlobalScopeMethods<crate::DomTypeHolder> for WorkerGlobalScope {
.parser_metadata(ParserMetadata::NotParserInserted)
.use_url_credentials(true)
.origin(global_scope.origin().immutable().clone())
.insecure_requests_policy(self.insecure_requests_policy())
.pipeline_id(Some(self.upcast::<GlobalScope>().pipeline_id()));
let (url, source) = match fetch::load_whole_resource(

5
components/script/dom/xmldocument.rs
View file

@ -4,6 +4,7 @@
use dom_struct::dom_struct;
use mime::Mime;
use net_traits::request::InsecureRequestsPolicy;
use script_traits::DocumentActivity;
use servo_url::{MutableOrigin, ServoUrl};
@ -41,6 +42,7 @@ impl XMLDocument {
activity: DocumentActivity,
source: DocumentSource,
doc_loader: DocumentLoader,
inherited_insecure_requests_policy: Option<InsecureRequestsPolicy>,
) -> XMLDocument {
XMLDocument {
document: Document::new_inherited(
@ -58,6 +60,7 @@ impl XMLDocument {
None,
Default::default(),
false,
inherited_insecure_requests_policy,
),
}
}
@ -74,6 +77,7 @@ impl XMLDocument {
activity: DocumentActivity,
source: DocumentSource,
doc_loader: DocumentLoader,
inherited_insecure_requests_policy: Option<InsecureRequestsPolicy>,
) -> DomRoot<XMLDocument> {
let doc = reflect_dom_object(
Box::new(XMLDocument::new_inherited(
@ -87,6 +91,7 @@ impl XMLDocument {
activity,
source,
doc_loader,
inherited_insecure_requests_policy,
)),
window,
CanGc::note(),

2
components/script/dom/xmlhttprequest.rs
View file

@ -692,6 +692,7 @@ impl XMLHttpRequestMethods<crate::DomTypeHolder> for XMLHttpRequest {
.use_url_credentials(use_url_credentials)
.origin(self.global().origin().immutable().clone())
.referrer_policy(self.referrer_policy)
.insecure_requests_policy(self.global().insecure_requests_policy())
.pipeline_id(Some(self.global().pipeline_id()));
// step 4 (second half)
@ -1508,6 +1509,7 @@ impl XMLHttpRequest {
None,
Default::default(),
false,
Some(doc.insecure_requests_policy()),
can_gc,
)
}

7
components/script/fetch.rs
View file

@ -9,8 +9,8 @@ use base::id::WebViewId;
use ipc_channel::ipc;
use net_traits::policy_container::RequestPolicyContainer;
use net_traits::request::{
CorsSettings, CredentialsMode, Destination, Referrer, Request as NetTraitsRequest,
RequestBuilder, RequestId, RequestMode, ServiceWorkersMode,
CorsSettings, CredentialsMode, Destination, InsecureRequestsPolicy, Referrer,
Request as NetTraitsRequest, RequestBuilder, RequestId, RequestMode, ServiceWorkersMode,
};
use net_traits::{
cancel_async_fetch, CoreResourceMsg, CoreResourceThread, FetchChannels, FetchMetadata,
@ -121,6 +121,7 @@ fn request_init_from_request(request: NetTraitsRequest) -> RequestBuilder {
parser_metadata: request.parser_metadata,
initiator: request.initiator,
policy_container: request.policy_container,
insecure_requests_policy: request.insecure_requests_policy,
https_state: request.https_state,
response_tainting: request.response_tainting,
crash: None,
@ -373,6 +374,7 @@ pub(crate) fn create_a_potential_cors_request(
cors_setting: Option<CorsSettings>,
same_origin_fallback: Option<bool>,
referrer: Referrer,
insecure_requests_policy: InsecureRequestsPolicy,
) -> RequestBuilder {
RequestBuilder::new(webview_id, url, referrer)
// https://html.spec.whatwg.org/multipage/#create-a-potential-cors-request
@ -391,4 +393,5 @@ pub(crate) fn create_a_potential_cors_request(
// Step 5
.destination(destination)
.use_url_credentials(true)
.insecure_requests_policy(insecure_requests_policy)
}

1
components/script/links.rs
View file

@ -425,6 +425,7 @@ pub(crate) fn follow_hyperlink(
referrer,
referrer_policy,
Some(secure),
Some(document.insecure_requests_policy()),
);
let target = Trusted::new(target_window);
let task = task!(navigate_follow_hyperlink: move || {

9
components/script/navigation.rs
View file

@ -13,7 +13,9 @@ use base::id::{BrowsingContextId, PipelineId, TopLevelBrowsingContextId};
use content_security_policy::Destination;
use crossbeam_channel::Sender;
use http::header;
use net_traits::request::{CredentialsMode, RedirectMode, RequestBuilder, RequestMode};
use net_traits::request::{
CredentialsMode, InsecureRequestsPolicy, RedirectMode, RequestBuilder, RequestMode,
};
use net_traits::response::ResponseInit;
use net_traits::{
fetch_async, set_default_accept_language, BoxedFetchCallback, CoreResourceThread,
@ -204,6 +206,11 @@ impl InProgressLoad {
.use_url_credentials(true)
.pipeline_id(Some(id))
.referrer_policy(self.load_data.referrer_policy)
.insecure_requests_policy(
self.load_data
.inherited_insecure_requests_policy
.unwrap_or(InsecureRequestsPolicy::DoNotUpgrade),
)
.headers(self.load_data.headers.clone())
.body(self.load_data.data.clone())
.redirect_mode(RedirectMode::Manual)

1
components/script/script_thread.rs
View file

@ -3233,6 +3233,7 @@ impl ScriptThread {
Some(metadata.status.raw_code()),
incomplete.canceller,
is_initial_about_blank,
incomplete.load_data.inherited_insecure_requests_policy,
can_gc,
);

1
components/script/stylesheet_loader.rs
View file

@ -350,6 +350,7 @@ impl StylesheetLoader<'_> {
cors_setting,
None,
self.elem.global().get_referrer(),
document.insecure_requests_policy(),
)
.origin(document.origin().immutable().clone())
.pipeline_id(Some(self.elem.global().pipeline_id()))

29
components/shared/net/request.rs
View file

@ -233,6 +233,12 @@ impl RequestBody {
}
}
#[derive(Clone, Copy, Debug, Deserialize, MallocSizeOf, PartialEq, Serialize)]
pub enum InsecureRequestsPolicy {
DoNotUpgrade,
Upgrade,
}
#[derive(Clone, Debug, Deserialize, MallocSizeOf, Serialize)]
pub struct RequestBuilder {
pub id: RequestId,
@ -262,6 +268,7 @@ pub struct RequestBuilder {
pub use_url_credentials: bool,
pub origin: ImmutableOrigin,
pub policy_container: RequestPolicyContainer,
pub insecure_requests_policy: InsecureRequestsPolicy,
// XXXManishearth these should be part of the client object
pub referrer: Referrer,
pub referrer_policy: ReferrerPolicy,
@ -298,6 +305,7 @@ impl RequestBuilder {
use_url_credentials: false,
origin: ImmutableOrigin::new_opaque(),
policy_container: RequestPolicyContainer::default(),
insecure_requests_policy: InsecureRequestsPolicy::DoNotUpgrade,
referrer,
referrer_policy: ReferrerPolicy::EmptyString,
pipeline_id: None,
@ -418,6 +426,14 @@ impl RequestBuilder {
self
}
pub fn insecure_requests_policy(
mut self,
insecure_requests_policy: InsecureRequestsPolicy,
) -> RequestBuilder {
self.insecure_requests_policy = insecure_requests_policy;
self
}
pub fn build(self) -> Request {
let mut request = Request::new(
self.id,
@ -454,6 +470,7 @@ impl RequestBuilder {
request.response_tainting = self.response_tainting;
request.crash = self.crash;
request.policy_container = self.policy_container;
request.insecure_requests_policy = self.insecure_requests_policy;
request
}
}
@ -525,6 +542,8 @@ pub struct Request {
pub parser_metadata: ParserMetadata,
/// <https://fetch.spec.whatwg.org/#concept-request-policy-container>
pub policy_container: RequestPolicyContainer,
/// <https://w3c.github.io/webappsec-upgrade-insecure-requests/#insecure-requests-policy>
pub insecure_requests_policy: InsecureRequestsPolicy,
pub https_state: HttpsState,
/// Servo internal: if crash details are present, trigger a crash error page with these details.
pub crash: Option<String>,
@ -570,6 +589,7 @@ impl Request {
redirect_count: 0,
response_tainting: ResponseTainting::Basic,
policy_container: RequestPolicyContainer::Client,
insecure_requests_policy: InsecureRequestsPolicy::DoNotUpgrade,
https_state,
crash: None,
}
@ -592,7 +612,14 @@ impl Request {
/// <https://fetch.spec.whatwg.org/#navigation-request>
pub fn is_navigation_request(&self) -> bool {
self.destination == Destination::Document
matches!(
self.destination,
Destination::Document |
Destination::Embed |
Destination::Frame |
Destination::IFrame |
Destination::Object
)
}
/// <https://fetch.spec.whatwg.org/#subresource-request>

6
components/shared/script/lib.rs
View file

@ -48,7 +48,7 @@ use malloc_size_of::malloc_size_of_is_0;
use malloc_size_of_derive::MallocSizeOf;
use media::WindowGLContext;
use net_traits::image_cache::ImageCache;
use net_traits::request::{Referrer, RequestBody};
use net_traits::request::{InsecureRequestsPolicy, Referrer, RequestBody};
use net_traits::storage_thread::StorageType;
use net_traits::{ReferrerPolicy, ResourceThreads};
use pixels::{Image, PixelFormat};
@ -163,6 +163,8 @@ pub struct LoadData {
pub srcdoc: String,
/// The inherited context is Secure, None if not inherited
pub inherited_secure_context: Option<bool>,
/// The inherited policy for upgrading insecure requests; None if not inherited.
pub inherited_insecure_requests_policy: Option<InsecureRequestsPolicy>,
/// Servo internal: if crash details are present, trigger a crash error page with these details.
pub crash: Option<String>,
@ -187,6 +189,7 @@ impl LoadData {
referrer: Referrer,
referrer_policy: ReferrerPolicy,
inherited_secure_context: Option<bool>,
inherited_insecure_requests_policy: Option<InsecureRequestsPolicy>,
) -> LoadData {
LoadData {
load_origin,
@ -201,6 +204,7 @@ impl LoadData {
srcdoc: "".to_string(),
inherited_secure_context,
crash: None,
inherited_insecure_requests_policy,
}
}
}

1
components/webdriver_server/lib.rs
View file

@ -669,6 +669,7 @@ impl Handler {
Referrer::NoReferrer,
ReferrerPolicy::EmptyString,
None,
None,
);
let cmd_msg = WebDriverCommandMsg::LoadUrl(
top_level_browsing_context_id,

18
tests/wpt/meta/upgrade-insecure-requests/gen/iframe-blank-inherit.meta/upgrade/fetch.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[fetch.https.html]
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/iframe-blank-inherit.meta/upgrade/img-tag.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[img-tag.https.html]
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/iframe-blank-inherit.meta/upgrade/worker-classic.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-classic.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/iframe-blank-inherit.meta/upgrade/worker-module.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-module.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/iframe-blank-inherit.meta/upgrade/xhr.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[xhr.https.html]
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/srcdoc-inherit.meta/upgrade/fetch.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[fetch.https.html]
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/srcdoc-inherit.meta/upgrade/img-tag.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[img-tag.https.html]
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/srcdoc-inherit.meta/upgrade/worker-classic.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-classic.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/srcdoc-inherit.meta/upgrade/worker-module.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-module.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/srcdoc-inherit.meta/upgrade/xhr.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[xhr.https.html]
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/top.http-rp/upgrade/fetch.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[fetch.https.html]
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/top.http-rp/upgrade/img-tag.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[img-tag.https.html]
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/top.http-rp/upgrade/worker-classic.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-classic.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/top.http-rp/upgrade/worker-module.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-module.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/top.http-rp/upgrade/xhr.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[xhr.https.html]
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/top.meta/upgrade/fetch.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[fetch.https.html]
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/top.meta/upgrade/img-tag.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[img-tag.https.html]
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for img-tag to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/top.meta/upgrade/worker-classic.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-classic.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-classic to same-https origin and downgrade redirection from https context.]
expected: FAIL

9
tests/wpt/meta/upgrade-insecure-requests/gen/top.meta/upgrade/worker-module.https.html.ini vendored
View file

@ -1,9 +0,0 @@
[worker-module.https.html]
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for worker-module to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/top.meta/upgrade/xhr.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[xhr.https.html]
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/worker-classic-data.meta/upgrade/fetch.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[fetch.https.html]
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for fetch to same-https origin and downgrade redirection from https context.]
expected: FAIL

18
tests/wpt/meta/upgrade-insecure-requests/gen/worker-classic-data.meta/upgrade/xhr.https.html.ini vendored
View file

@ -1,18 +0,0 @@
[xhr.https.html]
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to cross-https origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and downgrade redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-http-downgrade origin and no-redirect redirection from https context.]
expected: FAIL
[Upgrade-Insecure-Requests: Expects allowed for xhr to same-https origin and downgrade redirection from https context.]
expected: FAIL