Check all ancestor navigable trustworthiness for mixed content (#36157)

Propagate through documents a flag that represents if any of the ancestor navigables has a potentially trustworthy origin. The "potentially trustworthy origin" concept appears to have gotten confused in a couple of places and we were instead testing if a URL had "potentially trustworthy" properties. The main test for the ancestor navigables is [mixed-content/nested-iframes](https://github.com/web-platform-tests/wpt/blob/master/mixed-content/nested-iframes.window.js) ---  - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix #36108  - [X] There are tests for these changes --------- Signed-off-by: Sebastian C <sebsebmc@gmail.com>
2025-08-12 00:45:33 +01:00 · 2025-04-05 00:38:24 -05:00 · 2025-04-05 00:38:24 -05:00 · 76edcff202
commit 76edcff202
parent 478e876f6d
84 changed files with 384 additions and 525 deletions
--- a/components/script/dom/dedicatedworkerglobalscope.rs
+++ b/components/script/dom/dedicatedworkerglobalscope.rs
@ -355,6 +355,8 @@ impl DedicatedWorkerGlobalScope {
        let referrer = current_global.get_referrer();
        let parent = current_global.runtime_handle();
        let current_global_https_state = current_global.get_https_state();
+        let current_global_ancestor_trustworthy = current_global.has_trustworthy_ancestor_origin();
+        let is_secure_context = current_global.is_secure_context();

        thread::Builder::new()
            .name(format!("WW:{}", worker_url.debug_compact()))
@ -384,8 +386,8 @@ impl DedicatedWorkerGlobalScope {
                    .use_url_credentials(true)
                    .pipeline_id(Some(pipeline_id))
                    .referrer_policy(referrer_policy)
-                    .referrer_policy(referrer_policy)
                    .insecure_requests_policy(insecure_requests_policy)
+                    .has_trustworthy_ancestor_origin(current_global_ancestor_trustworthy)
                    .origin(origin);

                let runtime = unsafe {
@ -418,7 +420,12 @@ impl DedicatedWorkerGlobalScope {
                // > scope`'s url's scheme is "data", and `inherited origin`
                // > otherwise.
                if worker_url.scheme() == "data" {
-                    init.origin = ImmutableOrigin::new_opaque();
+                    // Workers created from a data: url are secure if they were created from secure contexts
+                    if is_secure_context {
+                        init.origin = ImmutableOrigin::new_opaque_data_url_worker();
+                    } else {
+                        init.origin = ImmutableOrigin::new_opaque();
+                    }
                }

                let global = DedicatedWorkerGlobalScope::new(