Does not all tests pass because of a mismatch in microtask timing. The
promises are resolved/rejected in the wrong order.
Part of #34866
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Automated downstream sync of changes from upstream as of 21-09-2025
[no-wpt-sync]
---------
Signed-off-by: WPT Sync Bot <ghbot+wpt-sync@servo.org>
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Co-authored-by: Euclid Ye <yezhizhenjiakang@gmail.com>
The first step for aborting fetch calls. It only
has the case where the signal was already aborted
prior to fetch starting.
Part of #34866
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
The signal taken from the requestinit is now passed into
the request object with the relevant steps. I added all
spec comments to this method, as I had trouble figuring
out which steps I had to add.
This required implementing the algorithm to create
dependent signals, which is used in the `any()` method.
So that's now implemented as well.
All of that required the machinery to have dependent and
source signals on an AbortSignal. It uses an IndexSet
as the spec requires it to be an ordered set.
Part of #34866
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This sets a baseline of tests for fetch-related implementation of
AbortController.
Part of #34866
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Uses the `zstd` support from `async-compression` to support zstd
Content-Encoding.
Testing: Covered by wpt tests.
Signed-off-by: webbeef <me@webbeef.org>
The concept of a "resource header" is not well specced, since it is
unclear what a "resource" is. That said, it most closely matches a
"response" as part of the navigation params.
With this change, we now delay loading the document until either two
things happen:
1. We reached the end of the file
2. We processed 1445 bytes (as defined by spec)
We initially store bytes in the resource header and then after loading
parse the stored bytes. Any subsequent loading will process as before.
Part of #14024
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
While we don't perform any sniffing yet, it does now
check all relevant mime types. Before, we would only
check specific versions of specific mime types. However,
the specification is more elaborate, which MimeClassifier
already handles.
There are two new test failures, but they actually fail
in the same way in other browsers. These tests are still
being discussed what the correct behavior should be [1]
Part of #14024
[1]:
https://github.com/whatwg/mimesniff/issues/189#issuecomment-2081559661
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Currently the embedding API only provides the embedder with the URL for
a favicon. This is not great, for multiple reasons:
* Loading the icon should happen according to the fetch spec which is
not easy for the embedder to recreate (consider CSP, timing information
etc)
* Rasterizing a svg favicon is not trivial
With this change, servo fetches and rasterizes the icon to a bitmap
which is then passed to the embedder.
Testing: I'm not sure how I can write tests for the embedding api. I've
tested the correctness manually using
https://github.com/servo/servo/pull/36680.
Prepares for https://github.com/servo/servo/pull/36680
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
Bumps [data-url](https://github.com/servo/rust-url) from 0.3.1 to 0.3.2.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/servo/rust-url/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Euclid Ye <euclid.ye@huawei.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Euclid Ye <euclid.ye@huawei.com>
Incorporates the updates from https://github.com/servo/mozjs/pull/584.
Testing: Existing WPT coverage is enough.
Fixes: Part of #36258
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Workers created from Blobs inherit their CSP. Now we inherit the CSP and
set the correct base API url. The base API url should be used when
determining the
report-uri endpoint. Otherwise, the blob URL would be used as a base,
which is invalid and the report wouldn't be sent.
Also create a helper method to concatenate two optionals of CSPList,
which was used in several places.
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
The specification moved around lately with how it defines its reports
and report bodies. They became dictionaries, but are currently missing
some fields [1].
Most tests won't be passing yet, since the `Reporting-Endpoints` header
isn't used yet. In fact, the specification leaves it up to the browser
to figure out when to run this task [2]. I am not sure if there some
background scheduling we can do here.
Confirmed with content-security-policy/reporting-api/
report-to-directive-allowed-in-meta.https.sub.html that the callback is
invoked. The test doesn't pass, since
the `describe_scripted_caller` is empty for HTML elements. Thus the
`source_file` is empty, whereas it should be equivalent to the current
document URL.
Part of #37328
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
[1]: https://github.com/w3c/reporting/issues/286
[2]: https://w3c.github.io/reporting/#report-delivery
While working on #37209 I discovered that the header was computed
incorrectly. After carefully reading the specification, I realized that
the link in the spec was wrong and we were missing the fact that for
host-domains, we should operate on the registrable domain.
Additionally, the same-site call was missing the negation.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
These changes allow a minimal set of checks for font-src
CSP checks to pass.
Part of #4577
Part of #35035
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This change adds support for rendering static SVG images using the
`resvg` crate, allowing svg sources in the `img` tag and in CSS
`background` and `content` properties. There are some limitations in
using resvg:
1. There is no support for animations or interactivity as these would
require implementing the full DOM layer of SVG specification.
2. Only system fonts can be used for text rendering. There is some
mechanism to provide a custom font resolver to usvg, but that is not
explored in this change.
3. resvg's handling of certain edge cases involving lack of explicit
`width` and `height` on the root svg element deviates from what the
specification expects from browsers. For example, resvg uses the values
in `viewBox` to derive the missing width or height dimension, but
without scaling that dimension to preserve the aspect ratio. It also
doesn't allow overriding this behavior.
Demo screenshot:
<details>
<summary>Source</summary>
```
<style>
#svg1 {
border: 1px solid red;
}
#svg2 {
border: 1px solid red;
width: 300px;
}
#svg3 {
border: 1px solid red;
width: 300px;
height: 200px;
object-fit: contain;
}
#svg4 {
border: 1px solid red;
width: 300px;
height: 200px;
object-fit: cover;
}
#svg5 {
border: 1px solid red;
width: 300px;
height: 200px;
object-fit: fill;
}
#svg6 {
border: 1px solid red;
width: 300px;
height: 200px;
object-fit: none;
}
</style>
</head>
<body>
<div>
<img id="svg1" src="https://raw.githubusercontent.com/servo/servo/refs/heads/main/resources/servo.svg" alt="Servo logo">
</div>
<div>
<img id="svg2" src="https://raw.githubusercontent.com/servo/servo/refs/heads/main/resources/servo.svg" alt="Servo logo">
<img id="svg3" src="https://raw.githubusercontent.com/servo/servo/refs/heads/main/resources/servo.svg" alt="Servo logo">
<img id="svg4" src="https://raw.githubusercontent.com/servo/servo/refs/heads/main/resources/servo.svg" alt="Servo logo">
</div>
<div>
<img id="svg5" src="https://raw.githubusercontent.com/servo/servo/refs/heads/main/resources/servo.svg" alt="Servo logo">
<img id="svg6" src="https://raw.githubusercontent.com/servo/servo/refs/heads/main/resources/servo.svg" alt="Servo logo">
</div>
</body>
```
</details>
---------
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
This includes removing an implementation of normalize for `ByteString`,
because it is effectively duplicated in net under
`trim_http_whitespace`. This is part of an attempt to cleanup and
centralize code for header parsing and manipulation.
Testing: Covered by existing WPT tests
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
This changes includes two semi-related things:
1. Fixes some specification compliance issues when parsing mime
types and charsets for `XMLHttpRequest`.
2. Implements a `<stylesheet>` parsing quirk involving mime types.
Testing: There are tests for these changes.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
Add mock SVGImageElement interface to fix TIMEOUT WPT tests
which are related to ImageBitmap (html/canvas/*).
https://svgwg.org/svg2-draft/embedded.html#InterfaceSVGImageElement
Rationality of this change to fire event "error" on any attempt to fetch
image resource on href attribute change to not block WPT tests
execution.
Some WPT tests use the legacy namespace attribute "xlink:href", so
support for it was added to source code.
https://svgwg.org/svg2-draft/linking.html#XLinkHrefAttribute
- setAttributeNS("http://www.w3.org/1999/xlink", 'xlink:href', src);
Testing: Covered by existed WPT tests
- fetch/metadata/generated/svg-image*
- html/canvas/element/manual/*
- html/dom/idlharness.https.html
- html/semantics/embedded-content/the-canvas-element/*
- html/webappapis/scripting/events/event-handler-all-global-events.html
- mozilla/interfaces.https.html
Fixes: https://github.com/servo/servo/issues/35881
Signed-off-by: Andrei Volykhin <andrei.volykhin@gmail.com>
All logic is implemented in `report_csp_violations` to avoid
pulling in various element-logic into SecurityManager.
Update the `icon-blocked.sub.html` WPT test to ensure that
the document is the correct target (verified in Firefox and Chrome).
Fixes#36806
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Rather than sharing the full image cache in a script_thread, the image
cache is now unique per document. This ensures that CSP factors no
longer affect whether the image is retrieved from the cache incorrectly.
To do so, the thread_pool is shared across all caches, but the store is
fresh. Except for the place_holder{image,url}, which are cloned. That's
because the `rippy_data` is only available in the constellation and no
longer accessible at the point that we need to create the document in
the script_thread.
Contrary to the description in #36505, the script_thread still has an
image_cache for this reason: so it has access to the store and
thread_pool to clone it.
With these changes, the two CSP tests no longer flake. Confirmed with
running the following commmand:
```
./mach test-wpt tests/wpt/tests/content-security-policy/generic/ --rerun=10
```
Fixes#36505
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Implements https://fetch.spec.whatwg.org/#dom-response-json
Restructured the constructor to follow the spec more closely with a
separate "initialize the response" algorithm.
Testing: There are existing WPT tests for this.
---------
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
This makes sure that when workers are created, their global scope has
the correct policy-container set
so that we can do CSP-checks.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
headers library will join values with `, ` (comma space) but
Access-Control-Request-Headers specifies that it does not use the normal
combining algorithm and values should be joined with `,` (comma).
Testing: WPT tests exist
Fixes: temporary fix for #36451 until hyperium/headers#207 is fixed
---------
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
Move parsing of Refresh values to Document.
Send Refresh header to Document and have meta tags reuse the logic.
I transplanted the existing Regex and made some updates so that it
passed all the existing parser tests.
I added the comments that made sense but it is not very clean to add
many comments within the regex.
Testing: There are existing WPT tests
---------
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
Propagate through documents a flag that represents if any of the
ancestor navigables has a potentially trustworthy origin.
The "potentially trustworthy origin" concept appears to have gotten
confused in a couple of places and we were instead testing if a URL had
"potentially trustworthy" properties.
The main test for the ancestor navigables is
[mixed-content/nested-iframes](https://github.com/web-platform-tests/wpt/blob/master/mixed-content/nested-iframes.window.js)
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix#36108
<!-- Either: -->
- [X] There are tests for these changes
---------
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
Ensure there is an active realm when dispatching the `activation` DOM
event to the ServiceWorker global.
Testing: Existing WPT coverage.
Fixes: #36114Fixes: #36235Fixes: #36231
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
