Background:
> JavaScript strings are potentially ill-formed UTF-16 (arbitrary
> Vec<u16>) and can contain unpaired surrogates. Rust’s String type is
> well-formed UTF-8 and can not contain any surrogate. Surrogates are
> never emitted when decoding bytes from the network, but they can sneak
> in through document.write, the Element.innerHtml setter, or other DOM
> APIs.
In 2015, Servo launched an experiment to see if unpaired surrogates
cropped up in page content. That experiment caused Servo to panic if
unpaired surrogates were encountered with a request to report the page
to bug #6564. During that time several pages were reported with unpaired
surrogates, causing Servo to panic. In addition, when running the WPT
tests Servo will never panic due to the `-Z replace-surrogates` option
being passed by the test driver.
Motivation:
After this 10 year experiment, it's clear that unpaired surrogates are a
real concern in page content. Several reports were filed of Servo
panicking after encountering them in real world pages. A complete fix for
this issue would be to somehow maintain unpaired surrogates in the DOM,
but that is a much larger task than simply emitting U+FFD instead of an
unpaired surrogate.
Since it is clear that this kind of content exists, it is better for
Servo to try its best to handle the content rather than crash as
production browsers should not crash due to user content when possible.
In this change, I modify Servo to always replace unpaired surrogates.
It would have been ideal to only crash when debug assertions are
enabled, but debug assertions are enabled by default in release mode --
so this wouldn't be effective for WPT tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
* Handle slots in an event's path
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Update WPT expectations
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
This is only used in servoshell, even though it was plumbed through
script previously. It's just about how the `RenderingContext` is set up,
which is something managed entirely outside of servo itself.
In addition, make the name of `servo_shell_preferences` in `app.rs` more
consistent with the rest of the codebase.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
In addition to some small API changes, this downstream version of
WebRender no longer depends on a very old version of time. This is the
last step toward removing the dependency on `time0.1`.
The review for this commit should also include: 9f552bebab
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Add a `ClipboardDelegate` to the `WebView` API and a default
implementation in libservo for this delegate that works on Mac, Windows,
and Linux. Support for Android will be added in the future. This means
that embedders do not need to do anything special to get clipboard
support, but can choose to override it or implement it for other
platforms.
In addition, this adds support for handling fetches of clipboard contents
and renames things to reflect that eventually other types of clipboard
content will be supported. Part of this is removing the string
argument from the `ClipboardEventType::Paste` enum because script will
need to get other types of content from the clipboard than just a
string. It now talks to the embedder to get this information directly.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This fixes common crash related to slottables, currently present on wpt.fyi.
Previously, the traversal parent of `Text` nodes was incorrectly
assumed to always be the parent or shadow host. That caused crashes
inside stylo's bloom filter. Now the traversal parent is the slot
that the node is assigned to, if any, and the parent/shadow host otherwise.
The slottable data for Text/Element nodes is now stored in NodeRareData.
This is very cheap, because NodeRareData will already be instantiated
for assigned slottables anyways, because the containing_shadow_root
field will be set (since assigned slottables are always in a shadow
tree). This change is necessary because we need to hand out references
to the assigned slot to stylo and that is not possible to do (without
unsafe code) if we need to downcast the node first.
As a side effect, this reduces the size of `Text` from 256 to 232 bytes,
because the slottable data is no longer stored there.
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
Blocking a fetch due to a bad port should be grouped together
with CSP blocks as per the spec, but these steps were previously
seperated.
Additionally, remove handling of ftp in
should_request_be_blocked_due_to_a_bad_port, since it did nothing
anyways.
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
This is a useful feature to have in a browser engine, so I think it
should be enabled by default. I believe that the original concern was
that there was a security issue, but this certainly has the same
security concerns as normal file loading.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This will prevent rust-analyzer from suggesting the import of these
types when dealing with `crossbeam` channels.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
* script: Make DOM proxy handlers generic over DOM types.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make finalize and trace hooks generic over DOM types.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
There are a few methods are still difficult to implement without
the help of surfman. To simplify the trait methods, all methods that
return surfman types are removed. They are either handled by
embedders themselves or abstract to simpler types that servo
components need. The most noticeable changes are:
- Methods related to native surface are moved to servo_glue. The
embedder should decide when to remove/replace the surface and it's
outside of servo's scope.
- Methods required by servo media now return exact media types for it.
The other major change is sevevral difficult trait methods that are
reuiqred by WebGL and Servo media have default implementation. So they
can be optional for users to implement.
Signed-off-by: Wu Wayne <yuweiwu@pm.me>
This change adds the second major part of the new API: delegates which
have methods called by the Servo loop. When a delegate is set on a
`WebView` or on `Servo` itself, the event loop will call into
appropriate delegate methods. Applications can implement the delegate on
their own structs to add special behavior per-`WebView` or for all
`WebView`s.
In addition, each delegate has a default implementation, which
automatically exposes "reasonable" behavior such as by-default allowing
navigation.
There's a lot more work to do here, such as refining the delegate
methods so that they all have nice interfaces, particulary with regard
to delegate methods that need an asynchronous response. This will be
handed gradually as we keep working on the API.
Signed-off-by: Delan Azabani <dazabani@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Mukilan Thiyagarajan <mukilan@igalia.com>
A box is usually sized by the formatting context in which it participates.
However, tables have some special sizing behaviors that we implemented
with a `content_inline_size_for_table` override.
However, breaking the assumptions of the formatting context isn't great.
It was also bad for performance that we could try to layout a table
among floats even though it wouldn't en up fitting because of a larger
min-content size.
Therefore, this changes the logic so that formatting contexts use some
special sizing for tables, and then tables only override that amount
when there are collapsed columns. Eventually, we should try to remove
that case too, see https://github.com/w3c/csswg-drafts/issues/11408
Signed-off-by: Oriol Brufau <obrufau@igalia.com>
* Make traverse_preorder follow children of shadow hosts
Children of shadow hosts are not displayed, but they
still exist in the DOM and must be traversed.
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Fix traverse_preorder over shadow roots
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Update WPT expectations
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
Remove this event which is completely unused. In addition, lots of code
becomes dead once this happens, so remove that as well. It may be
possible that a different behavior is necessary immediately following a
window resize, but the new API will handle this in a different way than
this embedder event -- which complicates how the event loop is spun in
both the API and servoshell.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
* change http-network-or-cache-fetch to take FetchParams argument instead of request
Signed-off-by: Lloyd Massiah <artmis9@protonmail.com>
* change http-network-fetch to take fetchParams as an argument
Signed-off-by: Lloyd Massiah <artmis9@protonmail.com>
* run formatter
Signed-off-by: Lloyd Massiah <artmis9@protonmail.com>
* renaming variable to be similar to step in spec
Signed-off-by: Lloyd Massiah <artmis9@protonmail.com>
* refixing usage of http_request after rebasing
Signed-off-by: Lloyd Massiah <artmis9@protonmail.com>
---------
Signed-off-by: Lloyd Massiah <artmis9@protonmail.com>
