Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-07-22 14:53:49 +01:00
Code Issues Projects Releases Packages Wiki Activity

Check all ancestor navigable trustworthiness for mixed content (#36157)

Browse source 
Propagate through documents a flag that represents if any of the
ancestor navigables has a potentially trustworthy origin.

The "potentially trustworthy origin" concept appears to have gotten
confused in a couple of places and we were instead testing if a URL had
"potentially trustworthy" properties.

The main test for the ancestor navigables is
[mixed-content/nested-iframes](https://github.com/web-platform-tests/wpt/blob/master/mixed-content/nested-iframes.window.js)

---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #36108 

<!-- Either: -->
- [X] There are tests for these changes

---------

Signed-off-by: Sebastian C <sebsebmc@gmail.com>
This commit is contained in:
Sebastian C 2025-04-05 00:38:24 -05:00 committed by GitHub
parent 478e876f6d
commit 76edcff202
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
84 changed files with 384 additions and 525 deletions
Download patch file Download diff file Expand all files Collapse all files

4
components/script/fetch.rs
View file

@ -123,6 +123,7 @@ fn request_init_from_request(request: NetTraitsRequest) -> RequestBuilder {
initiator: request.initiator,
policy_container: request.policy_container,
insecure_requests_policy: request.insecure_requests_policy,
has_trustworthy_ancestor_origin: request.has_trustworthy_ancestor_origin,
https_state: request.https_state,
response_tainting: request.response_tainting,
crash: None,
@ -374,6 +375,7 @@ pub(crate) fn load_whole_resource(
}
/// <https://html.spec.whatwg.org/multipage/#create-a-potential-cors-request>
#[allow(clippy::too_many_arguments)]
pub(crate) fn create_a_potential_cors_request(
webview_id: Option<WebViewId>,
url: ServoUrl,
@ -382,6 +384,7 @@ pub(crate) fn create_a_potential_cors_request(
same_origin_fallback: Option<bool>,
referrer: Referrer,
insecure_requests_policy: InsecureRequestsPolicy,
has_trustworthy_ancestor_origin: bool,
) -> RequestBuilder {
RequestBuilder::new(webview_id, url, referrer)
// https://html.spec.whatwg.org/multipage/#create-a-potential-cors-request
@ -401,4 +404,5 @@ pub(crate) fn create_a_potential_cors_request(
.destination(destination)
.use_url_credentials(true)
.insecure_requests_policy(insecure_requests_policy)
.has_trustworthy_ancestor_origin(has_trustworthy_ancestor_origin)
}