From 2366a67260ea4f50380ab8d88fe511145f708592 Mon Sep 17 00:00:00 2001
From: elomscansio <163124154+elomscansio@users.noreply.github.com>
Date: Sun, 20 Apr 2025 12:54:20 +0100
Subject: [PATCH] Fix missing settings in script module requests (#36606)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR resolves [#36592](https://github.com/servo/servo/issues/36592)
by updating the `RequestBuilder` used in `script_module.rs` to include:
- `insecure_requests_policy`
- `has_trustworthy_ancestor_origin`
- `policy_container`

These fields are critical for enforcing proper fetch behavior under
modern web security models, and were previously omitted from module
script requests.

This change ensures that scripts loaded via `<script type="module">` or
dynamic `import()` correctly reflect the calling document’s security
environment.

---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #36592

<!-- Either: -->
- [X] There are tests for these changes

Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
---
 components/script/script_module.rs            |  5 +++-
 .../dynamic-import/code-cache-nonce.html.ini  |  9 ++++++
 .../propagate-nonce-external-classic.html.ini |  3 ++
 .../propagate-nonce-inline-classic.html.ini   |  3 ++
 .../string-compilation-nonce-classic.html.ini | 14 ++++++++-
 .../string-compilation-nonce-module.html.ini  |  7 +++--
 .../dynamic-import/v8-code-cache.html.ini     | 30 +++++++++++++++++++
 7 files changed, 67 insertions(+), 4 deletions(-)
 create mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
 create mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
 create mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
 create mode 100644 tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini

diff --git a/components/script/script_module.rs b/components/script/script_module.rs
index 689f4a3b0a7..c7697adeea6 100644
--- a/components/script/script_module.rs
+++ b/components/script/script_module.rs
@@ -1760,7 +1760,10 @@ fn fetch_single_module_script(
         .integrity_metadata(options.integrity_metadata.clone())
         .credentials_mode(options.credentials_mode)
         .referrer_policy(options.referrer_policy)
-        .mode(mode);
+        .mode(mode)
+        .insecure_requests_policy(global.insecure_requests_policy())
+        .has_trustworthy_ancestor_origin(global.has_trustworthy_ancestor_origin())
+        .policy_container(global.policy_container().to_owned());
 
     let context = Arc::new(Mutex::new(ModuleContext {
         owner,
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
new file mode 100644
index 00000000000..ccad3276c85
--- /dev/null
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini
@@ -0,0 +1,9 @@
+[code-cache-nonce.html]
+  [First dynamic import should use nonce=abc]
+    expected: FAIL
+
+  [Second dynamic import should use nonce=def]
+    expected: FAIL
+
+  [Third dynamic import should use nonce=ghi]
+    expected: FAIL
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
new file mode 100644
index 00000000000..0080e7908e9
--- /dev/null
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini
@@ -0,0 +1,3 @@
+[propagate-nonce-external-classic.html]
+  [Dynamically imported module should eval when imported from script w/ a valid nonce.]
+    expected: FAIL
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
new file mode 100644
index 00000000000..74b32cc06dd
--- /dev/null
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini
@@ -0,0 +1,3 @@
+[propagate-nonce-inline-classic.html]
+  [Dynamically imported module should eval when imported from script w/ a valid nonce.]
+    expected: FAIL
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
index 6c4f4e4311b..9b3e3358ad3 100644
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini
@@ -1,6 +1,18 @@
 [string-compilation-nonce-classic.html]
   [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
-    expected: FAIL
+    expected: PASS
 
   [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
+    expected: PASS
+
+  [setTimeout must inherit the nonce from the triggering script, thus execute]
     expected: FAIL
+ 
+  [direct eval must inherit the nonce from the triggering script, thus execute]
+    expected: FAIL
+ 
+  [indirect eval must inherit the nonce from the triggering script, thus execute]
+    expected: FAIL
+ 
+  [the Function constructor must inherit the nonce from the triggering script, thus execute]
+    expected: FAIL
\ No newline at end of file
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
index aef6f76d69e..1d3b047b68b 100644
--- a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini
@@ -1,9 +1,9 @@
 [string-compilation-nonce-module.html]
   [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
-    expected: FAIL
+    expected: PASS
 
   [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
-    expected: FAIL
+    expected: PASS
 
   [direct eval must inherit the nonce from the triggering script, thus execute]
     expected: FAIL
@@ -13,3 +13,6 @@
 
   [the Function constructor must inherit the nonce from the triggering script, thus execute]
     expected: FAIL
+
+  [setTimeout must inherit the nonce from the triggering script, thus execute]
+    expected: FAIL
\ No newline at end of file
diff --git a/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini
new file mode 100644
index 00000000000..64413107401
--- /dev/null
+++ b/tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini
@@ -0,0 +1,30 @@
+[v8-code-cache.html]
+  [text/javascript: Run #1]
+    expected: FAIL
+
+  [text/javascript: Run #2]
+    expected: FAIL
+
+  [text/javascript: Run #3]
+    expected: FAIL
+
+  [text/javascript: Run #4]
+    expected: FAIL
+
+  [text/javascript: Run #5]
+    expected: FAIL
+
+  [module: Run #1]
+    expected: FAIL
+
+  [module: Run #2]
+    expected: FAIL
+
+  [module: Run #3]
+    expected: FAIL
+
+  [module: Run #4]
+    expected: FAIL
+
+  [module: Run #5]
+    expected: FAIL