Part of #36258
Built on top of #36668
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Implements the Document.write algorithm covering
Trusted HTML.
Part of #36258
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This follows the rules as defined in
https://w3c.github.io/webappsec-csp/#security-inherit-csp
where local iframes (about:blank and about:srcdoc) should
initially start with the CSP rules of the parent. After
that, all new CSP headers should only be set on the
policy container of the iframe.
Part of #36437
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
As a follow-up to the recent introduction of `script.src`
as trusted sink, this PR refactors machinery to also
support `TrustedScript`. In doing so, all trusted sinks
in `HTMLScriptElement` are now covered.
Instead of calling the callbacks in `policy.createX`,
we now have a `TrustedType` enum that specifies which callback
to invoke. Unfortunately we still have the `USVString` vs
`DOMString` problem, which is why we need to `.map` twice
to retrieve the backing `String` and avoid two different
types.
Additionally, I saw that `script.text` should have called
the "String replace all" algorithm rather than setting the
child contents. So that's also now fixed.
Part of #36258
Requires servo/html5ever#608
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Also update a WPT test to fail-fast if the iframe incorrectly
evaluates the `eval`. Before, it would run into a timeout if
the implementation is correct. Now we reject the promise
when an exception is thrown.
Requires servo/rust-content-security-policy#6
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
`PositioningContext` held two vectors, one inside an `Option`, to
differentiate between the version used for a containing block for all
descendants (including `position: absolute` and `position: fixed`) or
only for `position: absolute` descendants. This distinction was really
hard to reason about and required a lot of bookkeeping about what kind
of `PositioningContext` a layout box's parent expected. In addition, it
led to a lot of mistakes.
This change simplifies things so that `PositioningContext` only holds a
single vector. When it comes time to lay out hoisted absolutely
positioned
fragments, the code then:
- lays out all of them (in the case of a `PositioningContext` for all
descendants), or
- only lays out the `position: absolute` descendants and preserves the
`position: fixed` descendants (in the case the `PositioningContext`
is only for `position: absolute`.), or
- lays out none of them if the `PositioningContext` was created for
box that did not establish a containing block for absolutes.
It's possible that this way of dealing with hoisted absolutes is a bit
less efficient, but, the number of these descendants is typically quite
small, so it should not be significant. In addition, this decreases the
size in memory of all `PositioningContexts` which are created in more
situations as time goes on.
Testing: There is a new WPT test with this change.
Fixes: #36696.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Non-initial values for the `scale`, `rotate` and `translate` properties
should establish a stacking context, just like `transform`.
Testing: adding new WPT tests.
Signed-off-by: Oriol Brufau <obrufau@igalia.com>
https://github.com/web-platform-tests/wpt/pull/50041 allows us to start
running the webdriver conformance tests in Servo, which will make it
easier for us to track regressions/improvements in our webdriver server
implementation.
---
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] These changes are part of #15274
- [x] There are tests for these changes
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Previously, spans were partially clamped during layout, but this means
that accessing and setting these properties via script wouldn't behave
according to the HTML specification. In addition, the value wasn't
floored in layout, so could lead to panics. This change improves
clamping and moves it to script.
Testing: This change includes a new WPT test.
Fixes#36699.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Fixes: #36717.
Testing: This is covered by existing tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Implement
[disentangle](https://html.spec.whatwg.org/multipage/#disentangle)
Remove bespoke gc logic which now becomes unnecessary.
Adds a wpt test that hits the "disentangle while in transfer" logic.
Updates streams code, fixing an error where disentanglement is
conditional on an error.
Test coverage: there are existing tests in
`/webmessaging/message-channels/close-event/explicitly-closed.tentative.window.js`
for the no transfer case, and the simple completed transfer case, and
this PR adds a test for the more complicated transfer in progress case.
Fix https://github.com/servo/servo/issues/36465
---------
Signed-off-by: gterzian <2792687+gterzian@users.noreply.github.com>
As per
[w3.org/TR/filter-effects-1#FilterProperty](https://www.w3.org/TR/filter-effects-1/#FilterProperty),
`filter` shouldn't make the root element establish a containing block
for absolute and fixed positioned descendants. `will-change: filter` has
matching behavior.
This PR adds a check for if we are the root element before establishing
such a block.
To know if we are the root element, we look at the `FragmentFlags`
passed in. Previously for our function, these were dummy flags, always
constructed as empty. Thus, this PR also makes sure the correct
FragmentFlags are passed down the chain to the function
`establishes_containing_block_for_all_descendants`.
Testing:
- `/css/filter-effects/filtered-html-is-not-container.html` now passes
- `/css/css-will-change/will-change-fixedpos-cb-003.html` now passes
- Manual tests are working
Fixes: #35391
---------
Signed-off-by: haval0 <56519858+haval0@users.noreply.github.com>
Signed-off-by: Oriol Brufau <obrufau@igalia.com>
Co-authored-by: Oriol Brufau <obrufau@igalia.com>
fix crash occurs when the focus element is adopted.
Testing: wpt dom/nodes/insertion-removing-steps/blur-event.window.html
not crash
Fixes: #36607#32972
---------
Signed-off-by: kongbai1996 <1782765876@qq.com>
To prevent any potential crash/OOM issues with "canvas" element
from "rogue" applications let's apply large size limitations for context
canvas2d's draw target to Servo (similar approach in Firefox/Chromium -
they limits width and height to 32767/65535 pixels).
Fixes: #36155, #34117, #30164, #24710
--
- [x] ./mach build -d does not report any errors
- [x] ./mach test-tidy does not report any errors
- [x] There are tests for these changes
tests/wpt/tests/html/canvas/element/canvas-host/2d.canvas.host.size.large.html
tests/wpt/tests/html/canvas/offscreen/canvas-host/2d.canvas.host.size.large.html
tests/wpt/tests/html/canvas/offscreen/canvas-host/2d.canvas.host.size.large.worker.js
Signed-off-by: Andrei Volykhin <andrei.volykhin@gmail.com>
In the scrollable overflow calcutation, apply CSS transforms to boxes
and scrollable overflow of the descendant. Clip unreachable scrollable
overflow according to it's block start and inline start scrolling
direction. And, renamed `Fragment::scrolling_overflow` to
`Fragment::scrolling_overflow_for_parent` as it was calculating the
scrolling overflow contribution from a child.
Add several WPT tests, testing the transform interaction `rotate`,
`scale`, and `skew` with scrollable overflow. There are several WPT test
that are testing the interaction that not expected from current browsers
implementation according to the spec.
Testing: Existing and new WPT.
Fixes: #36031
---------
Signed-off-by: stevennovaryo <steven.novaryo@gmail.com>
Per [spec](https://dom.spec.whatwg.org/#concept-node-insert), adoption
of new node should be done while inserting the node. This patch moves
the call site of `adopt` to inside `insert` to match it.
It also rewrites some existing code to better match the spec without any
behavioral changes.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #___ (GitHub issue number if applicable)
<!-- Either: -->
- [X] There are tests for these changes OR
- [ ] These changes do not require tests because ___
<!-- Also, please make sure that "Allow edits from maintainers" checkbox
is checked, so that we can help you if you get stuck somewhere along the
way.-->
<!-- Pull requests that do not address these steps are welcome, but they
will require additional verification as part of the review process. -->
---------
Signed-off-by: Xiaocheng Hu <xiaochengh.work@gmail.com>
This PR updates the validity state revalidation behavior for radio input
elements, ensuring consistent logic regardless of tree connectivity.
---
**What’s changed:**
- we now always update the validity state.
- Handled more edge cases for disconnected trees, shadow roots, and
cross-tree movement.
- Ensured that radio group updates still trigger when a parent is moved
into a different root.
- Updated test expectations in
`radio-disconnected-group-owner.html.ini`.
---
**Why this matters:**
The updated logic aligns better with the [HTML
specification](https://html.spec.whatwg.org/multipage/input.html#radio-button-group),
especially regarding radio group behavior in disconnected trees or
shadow DOM.
These changes improve validity propagation in scenarios like:
- Appending inputs into a disconnected form
- Shadow roots acting as radio group containers
- Cross-tree movement of radio buttons
---
**Tests:**
- Modified `radio-disconnected-group-owner.html.ini`
- Removed a test that now passes
- Added a failing test expectation caused by a spec bug: the fragment
parsing algorithm uses the connected tree for HTML set via `innerHTML`,
affecting radio group computation
---
**Spec reference:**
https://html.spec.whatwg.org/multipage/input.html#radio-button-group
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report an errors
- [ ] These changes fix #
<!-- Either: -->
- [X] There are tests for these changes
Signed-off-by: Emmanuel Paul Elom <elomemmanuel007@gmail.com>
Spec says to check If target is not an auxiliary browsing context before
performing ResizeTo.
Fixes: #36701
Signed-off-by: Taym Haddadi <haddadi.taym@gmail.com>
The blob data is encoded asynchronously, therefore the canvas size may
have changed since it's data was saved to a snapshot. Using the canvas
size confuses the encoder, because the provided data does not match the
expected size anymore.
Testing: This change includes a new web platform test
Fixes https://github.com/servo/servo/issues/36702
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
This change switches `offsetParent`, `offsetLeft`, etc queries to use
the BoxTree fragments instead of walking the entire fragment tree. In
addition, fragments are stored for columns and colgroups. In general,
this greatly simplifies the flow of the query and prevents having to do
expensive tree walks.
Testing: This change is covered by newly passing WPT tests and three new
failures:
- /css/filter-effects/backdrop-filter-edge-clipping-2.html
- /css/filter-effects/backdrop-filter-edge-mirror.html
- /css/filter-effects/backdrop-filter-edge-pixels-2.html
These failures are actually progressions, because now the references
start
to render properly whereas before they did not.
Fixes: This is part of #36525 and #36665.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Oriol Brufau <obrufau@igalia.com>
This turned out to be a full rabbit hole. The new header
is parsed in the new `parse_csp_list_from_metadata` which
sets `disposition` to `report.
I was testing this with
`script-src-report-only-policy-works-with-external-hash-policy.html`
which was blocking the script incorrectly. Turns out that there
were multiple bugs in the CSP library, as well as a missing
check in `fetch` to report violations.
Additionally, in several locations we were manually reporting csp
violations, instead of the new `global.report_csp_violations`. As
a result of that, they would double report, since the report-only
header would be appended as a policy and now would report twice.
Now, all callsides use `global.report_csp_violations`. As a nice
side-effect, I added the code to set source file information,
since that was already present for the `eval` check, but nowhere
else.
Part of #36437
Requires servo/rust-content-security-policy#5
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
This is a followup to #36629, continuing to implement script-based
layout queries using the `Fragment`s attached to the `BoxTree`. In this
change, geometry queris (apart from parent offset) are calculated using
`Fragment`s hanging of the `BoxTree`.
In order to make this work, all `Fragment`s for inlines split by blocks,
need to be accessible in the `BoxTree`. This required some changes to
the way that box tree items were stored in DOM `BoxSlot`s. Now every
inline level item can have more than a single `BoxTree` item. These are
carefully collected by the `InlineFormattingContextBuilder` -- currently
a bit fragile, but with more documentation.
Testing: There are tests for these changes.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Oriol Brufau <obrufau@igalia.com>
https://drafts.csswg.org/css-align/#justify-block
Testing: Improves various WPT tests. `justify-self-auto-margins-2.html`
fails but I think the test is wrong.
Signed-off-by: Oriol Brufau <obrufau@igalia.com>
Implements https://fetch.spec.whatwg.org/#dom-response-json
Restructured the constructor to follow the spec more closely with a
separate "initialize the response" algorithm.
Testing: There are existing WPT tests for this.
---------
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
This PR updates the `fetch_image_for_layout` function to include missing
security-related request settings:
- `insecure_requests_policy`
- `has_trustworthy_ancestor_origin`
- `policy_container`
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix#36591
<!-- Either: -->
- [X] There are tests for these changes
Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
https://github.com/servo/servo/pull/36335 enabled all experimental
features for all wpt tests, but `dom_serviceworker_enabled` makes all
CTS tests fail, because servo reports working service worker impl, but
CTS pre-setup of worker fails due too incomplete impl. The solution is
that we disable service workers in CTS `__dir__.ini` (thus avoiding any
CTS worker code) until impl is stable enough.
Testing: This makes tests works again
Fixes: #36657
---------
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
Each canvas context returns snapshot instead of just raw bytes. This
allows as to hold off conversions (BGRA <-> RGBA, (un)premultiply) to
when/if they are actually needed. For example when loading snapshot into
webgl we can load both RGBA and BGRA so no conversion is really needed.
Currently whole thing is designed to be able to be extend on
https://github.com/servo/ipc-channel/pull/356, to make less copies.
Hence some commented out code.
Fixes#35759
There are tests for these changes in WPT
---------
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
Fixes an error where a promise was rejected where it should have been
resolved.
Follow-up to
https://github.com/servo/servo/pull/36588/files#r2049437506; the initial
diagnosis was wrong.
Signed-off-by: gterzian <2792687+gterzian@users.noreply.github.com>
This makes sure that when workers are created, their global scope has
the correct policy-container set
so that we can do CSP-checks.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
The logic in LoadBlocker::terminate was modified in #34122 to `clone`
the LoadBlocker's inner `load` member instead of `take`ing it. However,
this member serves as a flag so that `LoadBlocker`'s Drop impl can avoid
calling `doc.finish_load` on already terminated loads. The change
results in
unnecessary 'unknown completed load' warnings when Servo is run with
logging enabled.
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
We now check the sink of script.src for trusted types. This is the first
attribute that we check, other sinks will be implemented in follow-up
changes.
The algorithms currently hardcode various parts. That's because I need
to refactor a couple of algorithms already present in TrustedTypePolicy.
They use callbacks at the moment, which made sense for their initial
use. However, for these new algorithms they don't work. Therefore, I
will align them with the specification by taking in an enum. However,
since that's a bigger refactoring, I left that out of this PR (which is
already quite big).
The other trusted types support (createScript and createHTML) will also
be implemented separately.
Part of #36258
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
These changes make us match Gecko's setup for how Window and non-Window
globals are initialized. Since Window globals are much more common than
Worker globals, using lazy interface definitions can be a useful memory
optimization at the expense of increased complexity for property
lookups.
Also adds the MayResolve hook for all globals, which is an optimization
for the JIT to avoid calling resolve hooks unnecessarily.
Testing: Existing test coverage on global interfaces should suffice.
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
This PR resolves [#36592](https://github.com/servo/servo/issues/36592)
by updating the `RequestBuilder` used in `script_module.rs` to include:
- `insecure_requests_policy`
- `has_trustworthy_ancestor_origin`
- `policy_container`
These fields are critical for enforcing proper fetch behavior under
modern web security models, and were previously omitted from module
script requests.
This change ensures that scripts loaded via `<script type="module">` or
dynamic `import()` correctly reflect the calling document’s security
environment.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix#36592
<!-- Either: -->
- [X] There are tests for these changes
Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
This PR addresses [#36593](https://github.com/servo/servo/issues/36593),
where the poster image request for `<video>` elements lacked several
settings introduced in `RequestBuilder`. These settings —
`insecure_requests_policy`, `has_trustworthy_ancestor_origin`, and
`policy_container` — are now forwarded from the document, aligning
poster requests with other fetches using the correct policy container
and trust assessment.
This ensures that poster images are requested under the same security
assumptions as other media or resource loads.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix#36593
<!-- Either: -->
- [X] There are tests for these changes
Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
When layout encounters a CSS image, the script thread is responsible for
fetching the image from the image cache. When the image is not yet
available, the script thread creates image cache listeners to perform
actions in response to future updates from the image cache.
In the current implementation, a cache listener would iterate over all
nodes using a particular image and mark them as dirty. However, we
mistakenly added one cache listener per node, leading to n^2 runtime
while performing lots of redundant work. For cases like #36480 with over
1000 elements using the same image, this led to a completely
unresponsive script thread.
Testing: Manual testing on the provided testcase, and a new WPT test
that times out without this PR's changes.
Fixes: #36480
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Sets the navigator.onLine attribute to true.
Testing:
Ran `./mach run https://pinterest.com
--enable-experimental-web-platform-features`. This doesn't show the
"Hmm..you're not connected to the internet" text anymore.
<img width="1027" alt="Screenshot 2025-04-16 at 11 31 02 AM"
src="https://github.com/user-attachments/assets/3745077b-dc51-42ce-88a0-38d5f157fc0c"
/>
part of: #36554
---------
Signed-off-by: Siddhant N. Trivedi <sidntrivedi012@gmail.com>
Signed-off-by: Siddhant N Trivedi <sidntrivedi012@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
Updates wgpu to v25 and remove some verbose logging from CTS (that also
causes OOM).
Testing: WebGPU CTS
---------
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
This also ensures that document now reports all violations and we set
the correct directive.
With these changes, all `script-src-attr-elem` WPT tests pass.
Part of #36437
Requires servo/rust-content-security-policy#3 to land first
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
These tests were locally failing for me, both on Servo and Gecko,
because these browsers choose a different default font than Blink,
making the flex items a bit bigger, and thus only fitting 2 items on the
first flex line, instead of 3 items.
Manually setting the `line-height` provides consistent results.
Testing: This doesn't affect CI, but fixes the local problem for me.
Signed-off-by: Oriol Brufau <obrufau@igalia.com>
