Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-07-23 15:23:42 +01:00
Code Issues Projects Releases Packages Wiki Activity

Fix missing settings in script module requests (#36606)

Browse source 
This PR resolves [#36592](https://github.com/servo/servo/issues/36592)
by updating the `RequestBuilder` used in `script_module.rs` to include:
- `insecure_requests_policy`
- `has_trustworthy_ancestor_origin`
- `policy_container`

These fields are critical for enforcing proper fetch behavior under
modern web security models, and were previously omitted from module
script requests.

This change ensures that scripts loaded via `<script type="module">` or
dynamic `import()` correctly reflect the calling document’s security
environment.

---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #36592

<!-- Either: -->
- [X] There are tests for these changes

Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
This commit is contained in:
elomscansio 2025-04-20 12:54:20 +01:00 committed by GitHub
parent c915bf05fc
commit 2366a67260
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 67 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

5
components/script/script_module.rs
View file

@ -1760,7 +1760,10 @@ fn fetch_single_module_script(
.integrity_metadata(options.integrity_metadata.clone()) .integrity_metadata(options.integrity_metadata.clone())
.credentials_mode(options.credentials_mode) .credentials_mode(options.credentials_mode)
.referrer_policy(options.referrer_policy) .referrer_policy(options.referrer_policy)
.mode(mode); .mode(mode)
.insecure_requests_policy(global.insecure_requests_policy())
.has_trustworthy_ancestor_origin(global.has_trustworthy_ancestor_origin())
.policy_container(global.policy_container().to_owned());
let context = Arc::new(Mutex::new(ModuleContext { let context = Arc::new(Mutex::new(ModuleContext {
owner, owner,

9
tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/code-cache-nonce.html.ini vendored Normal file
View file

@ -0,0 +1,9 @@
[code-cache-nonce.html]
[First dynamic import should use nonce=abc]
expected: FAIL
[Second dynamic import should use nonce=def]
expected: FAIL
[Third dynamic import should use nonce=ghi]
expected: FAIL

3
tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-external-classic.html.ini vendored Normal file
View file

@ -0,0 +1,3 @@
[propagate-nonce-external-classic.html]
[Dynamically imported module should eval when imported from script w/ a valid nonce.]
expected: FAIL

3
tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/propagate-nonce-inline-classic.html.ini vendored Normal file
View file

@ -0,0 +1,3 @@
[propagate-nonce-inline-classic.html]
[Dynamically imported module should eval when imported from script w/ a valid nonce.]
expected: FAIL

14
tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic.html.ini vendored
View file

@ -1,6 +1,18 @@
[string-compilation-nonce-classic.html] [string-compilation-nonce-classic.html]
[reflected inline event handlers must not inherit the nonce from the triggering script, thus fail] [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
expected: FAIL expected: PASS
[inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail] [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
expected: PASS
[setTimeout must inherit the nonce from the triggering script, thus execute]
expected: FAIL expected: FAIL
[direct eval must inherit the nonce from the triggering script, thus execute]
expected: FAIL
[indirect eval must inherit the nonce from the triggering script, thus execute]
expected: FAIL
[the Function constructor must inherit the nonce from the triggering script, thus execute]
expected: FAIL

7
tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module.html.ini vendored
View file

@ -1,9 +1,9 @@
[string-compilation-nonce-module.html] [string-compilation-nonce-module.html]
[reflected inline event handlers must not inherit the nonce from the triggering script, thus fail] [reflected inline event handlers must not inherit the nonce from the triggering script, thus fail]
expected: FAIL expected: PASS
[inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail] [inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail]
expected: FAIL expected: PASS
[direct eval must inherit the nonce from the triggering script, thus execute] [direct eval must inherit the nonce from the triggering script, thus execute]
expected: FAIL expected: FAIL
@ -13,3 +13,6 @@
[the Function constructor must inherit the nonce from the triggering script, thus execute] [the Function constructor must inherit the nonce from the triggering script, thus execute]
expected: FAIL expected: FAIL
[setTimeout must inherit the nonce from the triggering script, thus execute]
expected: FAIL

30
tests/wpt/meta/html/semantics/scripting-1/the-script-element/module/dynamic-import/v8-code-cache.html.ini vendored Normal file
View file

@ -0,0 +1,30 @@
[v8-code-cache.html]
[text/javascript: Run #1]
expected: FAIL
[text/javascript: Run #2]
expected: FAIL
[text/javascript: Run #3]
expected: FAIL
[text/javascript: Run #4]
expected: FAIL
[text/javascript: Run #5]
expected: FAIL
[module: Run #1]
expected: FAIL
[module: Run #2]
expected: FAIL
[module: Run #3]
expected: FAIL
[module: Run #4]
expected: FAIL
[module: Run #5]
expected: FAIL