This PR resolves [#36592](https://github.com/servo/servo/issues/36592)
by updating the `RequestBuilder` used in `script_module.rs` to include:
- `insecure_requests_policy`
- `has_trustworthy_ancestor_origin`
- `policy_container`
These fields are critical for enforcing proper fetch behavior under
modern web security models, and were previously omitted from module
script requests.
This change ensures that scripts loaded via `<script type="module">` or
dynamic `import()` correctly reflect the calling document’s security
environment.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix#36592
<!-- Either: -->
- [X] There are tests for these changes
Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
* Add doc comments to RequestBuilder fields/methods
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Implement Request::cryptographic_nonce_metadata
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Implement HTMLOrSVGElement::nonce
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Set request cryptographic nonce metadata for link elements
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Set request's cryptographic nonce when fetching scripts
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Forward request nonce to rust-content-security-policy
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Update WPT expectations
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Remove the referrer policy from document and rely on its policy container
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* Make ReferrerPolicy non-optional, instead using a new enum value to represent the empty string case
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* Fix clippy issue
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* Fix usage of Option<ReferrerPolicy> in unit test
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
---------
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* Implement PolicyContainer
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* implement small parts of fetch that interact with policy container
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* fix: allow policy container's csp list to be unset
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* fix: use the correct default policy when parsing from a token
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
---------
Signed-off-by: Shane Handley <shanehandley@fastmail.com>
* Update mozjs
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Fix changed readTransfer callback
https://bugzilla.mozilla.org/show_bug.cgi?id=1842713
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Use NewExternalArrayBuffer from glue
https://github.com/servo/mozjs/pull/474/commits/d33454be74ec5b8d8faf51fab3ed477b8913898b
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Fix columnorigin and filename being in latin1
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* fixup newexternalarray
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Float16 (this might require more work for codegen support)
https://bugzilla.mozilla.org/show_bug.cgi?id=1833647
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* js.strict is removed
https://bugzilla.mozilla.org/show_bug.cgi?id=1621603
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* asm options are now somewhere else
https://hg.mozilla.org/mozilla-central/rev/26045c88e3972957087d535e7f259e08857bd2a2
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Comment out offthread compilation
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Set NDK to 26
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Fix 1-origin handling
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Expect `FinalizationRegistry` interface
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Good expectations
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* more expectations
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Add `WeakRef` to interfaces expectation
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* mozjs upgrade: fixes for Android
Android NDK's layout has changed in r26 and 'lib64' no longer exists
under `toolchain/llvm/prebuilt/linux-x86_64`. The libraries that used to
be it are now present in `lib` folder itself.
This patch updates the build configuration to use the `lib` folder
instead when configuring the LIBCLANG_PATH environment variable.
This patch also updates to a newer mozjs version that includes fixes for
linker errors faced on Android (see #32769).
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
* Patch libz-sys & update mozjs
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* update NDK version in README
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
* Use servo/mozjs
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
* Update mozjs again
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
---------
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Co-authored-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Most tests were only being run for layout-2013, not for layout-2020.
This wasn't great since layout-2020 is now the default.
So this patch unifies the lists of included tests for both layouts.
For layout-2013 this implies adding css/css-content/, css/css-logical/
and css/css-masking/clip/.
For layout-2020 this implies adding several additional css tests, and
also tests like dom/, js/, html/, etc.
