Limit the maximum image allocation size to 2GB to minimize the
possibility of out of memory errors on some `ImageBitmap`, `ImageData`,
`Canvas`, and `OffscreenCanvas` operations such as construction,
`toBlob`, and `toDataURL`. Other browsers have similar limits:
- Chromium: 2^32-1 (~4GB)
- Firefox: 2^31-1 (~2GB)
Testing: Improvements to the following tests:
-
`html/canvas/element/pixel-manipulation/2d.imageData.object.ctor.basics.html`
assert_throws_dom("INDEX_SIZE_ERR", function() { new ImageData(1 << 31,
1 << 31); });
-
`html/canvas/element/manual/imagebitmap/createImageBitmap-invalid-args.html`
makeOversizedCanvas + makeOversizedOffscreenCanvas
Signed-off-by: Andrei Volykhin <andrei.volykhin@gmail.com>
Replace the holder of actual pixel data of the ImageBitmap interface
([[BitmapData]] slot) from Vec<u8> to snapshot::Snapshot (image bitmap
with metadata).
https://html.spec.whatwg.org/multipage/#the-imagebitmap-interface
It will allow to have all required information (e.g. size, pixel format,
alpha mode)
for further drawing processing to/from canvas2D output bitmap.
Testing: No required tests
Fixes: https://github.com/servo/servo/issues/34112
Signed-off-by: Andrei Volykhin <andrei.volykhin@gmail.com>
In https://github.com/servo/servo/pull/36977, when transferring
`TransformStream`, `CrossRealmTransform::Writable` and
`CrossRealmTransform::Readable` are set to different message ports. The
message port will not be readable and writable at the same time when
transferring the stream, so we can now merge
`cross_realm_transform_readable` and `cross_realm_transform_writable`
into a single field `cross_realm_transform`.
Testing: WPT ([passed on try
branch](4278417951))
Fixes: https://github.com/servo/servo/issues/37084
---------
Signed-off-by: Jason Tsai <git@pews.dev>
ImageBitmap::new always returns Ok. Simplify it by changing to return
DomRoot<ImageBitmap> directly.
The #[allow(dead_code)] seems unnecessary. This patch also removes it.
Testing: No test is needed.
Fixes: #37105
Signed-off-by: Kingsley Yung <kingsley@kkoyung.dev>
Before it was only used when converting to a `Record`, using it all the
times allow us to remove two methods.
Plus added a helper method in CodegenRust.py to avoid repeated code.
Testing: a successful build and existing tests should cover the changes.
Fixes: #36410
---------
Signed-off-by: Gae24 <96017547+Gae24@users.noreply.github.com>
All logic is implemented in `report_csp_violations` to avoid
pulling in various element-logic into SecurityManager.
Update the `icon-blocked.sub.html` WPT test to ensure that
the document is the correct target (verified in Firefox and Chrome).
Fixes#36806
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
When slicing a blob that is already sliced we should reference it's
parent's data instead of creating a subview into the sliced blob. This
keeps the blob ancestry chain small and reduces the number of blobs that
we have to resolve.
Testing: Includes a new crashtest
Fixes: https://github.com/servo/servo/issues/36843
[try
run](1484487366)
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
Also update a WPT test to fail-fast if the iframe incorrectly
evaluates the `eval`. Before, it would run into a timeout if
the implementation is correct. Now we reject the promise
when an exception is thrown.
Requires servo/rust-content-security-policy#6
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
The only code that calls these methods is in the script thread, and the
code is simpler when we can assume a Window global. Pulling this thread
led to cleaning up a lot of constructors for Window-only WebXR code,
too.
Testing: Existing WPT coverage.
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Implement
[disentangle](https://html.spec.whatwg.org/multipage/#disentangle)
Remove bespoke gc logic which now becomes unnecessary.
Adds a wpt test that hits the "disentangle while in transfer" logic.
Updates streams code, fixing an error where disentanglement is
conditional on an error.
Test coverage: there are existing tests in
`/webmessaging/message-channels/close-event/explicitly-closed.tentative.window.js`
for the no transfer case, and the simple completed transfer case, and
this PR adds a test for the more complicated transfer in progress case.
Fix https://github.com/servo/servo/issues/36465
---------
Signed-off-by: gterzian <2792687+gterzian@users.noreply.github.com>
This turned out to be a full rabbit hole. The new header
is parsed in the new `parse_csp_list_from_metadata` which
sets `disposition` to `report.
I was testing this with
`script-src-report-only-policy-works-with-external-hash-policy.html`
which was blocking the script incorrectly. Turns out that there
were multiple bugs in the CSP library, as well as a missing
check in `fetch` to report violations.
Additionally, in several locations we were manually reporting csp
violations, instead of the new `global.report_csp_violations`. As
a result of that, they would double report, since the report-only
header would be appended as a policy and now would report twice.
Now, all callsides use `global.report_csp_violations`. As a nice
side-effect, I added the code to set source file information,
since that was already present for the `eval` check, but nowhere
else.
Part of #36437
Requires servo/rust-content-security-policy#5
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
Each canvas context returns snapshot instead of just raw bytes. This
allows as to hold off conversions (BGRA <-> RGBA, (un)premultiply) to
when/if they are actually needed. For example when loading snapshot into
webgl we can load both RGBA and BGRA so no conversion is really needed.
Currently whole thing is designed to be able to be extend on
https://github.com/servo/ipc-channel/pull/356, to make less copies.
Hence some commented out code.
Fixes#35759
There are tests for these changes in WPT
---------
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
This makes sure that when workers are created, their global scope has
the correct policy-container set
so that we can do CSP-checks.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
#36361 changed the return type of structuredclone::read, so this code is
just stomping on an error value that is potentially more useful since
#36308 was merged.
Testing: Existing WPT test coverage.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
We now check the sink of script.src for trusted types. This is the first
attribute that we check, other sinks will be implemented in follow-up
changes.
The algorithms currently hardcode various parts. That's because I need
to refactor a couple of algorithms already present in TrustedTypePolicy.
They use callbacks at the moment, which made sense for their initial
use. However, for these new algorithms they don't work. Therefore, I
will align them with the specification by taking in an enum. However,
since that's a bigger refactoring, I left that out of this PR (which is
already quite big).
The other trusted types support (createScript and createHTML) will also
be implemented separately.
Part of #36258
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
This also ensures that document now reports all violations and we set
the correct directive.
With these changes, all `script-src-attr-elem` WPT tests pass.
Part of #36437
Requires servo/rust-content-security-policy#3 to land first
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
<!-- Please describe your changes on the following line: -->
Add transfer support to ReadableStream. Part of
https://github.com/servo/servo/issues/34676
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [ ] `./mach build -d` does not report any errors
- [ ] `./mach test-tidy` does not report any errors
- [ ] These changes fix #___ (GitHub issue number if applicable)
<!-- Either: -->
- [ ] There are tests for these changes OR
- [ ] These changes do not require tests because ___
<!-- Also, please make sure that "Allow edits from maintainers" checkbox
is checked, so that we can help you if you get stuck somewhere along the
way.-->
<!-- Pull requests that do not address these steps are welcome, but they
will require additional verification as part of the review process. -->
---------
Signed-off-by: gterzian <2792687+gterzian@users.noreply.github.com>
It also updates the FetchResponseListener to process CSP violations to
ensure that iframe elements (amongst others) properly generate the CSP
events. These iframe elements are used in the Trusted Types tests
themselves and weren't propagating the violations before.
However, the tests themselves are still not passing since they also use
Websockets, which currently aren't using the fetch machinery itself.
That is fixed as part of [1].
[1]: https://github.com/servo/servo/issues/35028
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
- [x] our [DataClone
error](d733abfca0/components/script/dom/bindings/error.rs (L80))
needs to support an optional message
- [x] we need to add support to our DOMException implementation to allow
an optional message to replace the default message
- [x] we need to create a new struct used by both StructuredDataReader
and StructuredDataWriter for storing the error message in the
report_error_callback
- [x] report_error_callback needs to cast the closure pointer to the new
struct
- [x] the code that [throws a DataClone
error](5d1c64dba9/components/script/dom/bindings/structuredclone.rs (L542))
needs to use the stored error message if it's available
Testing: *Describe how this pull request is tested or why it doesn't
require tests*
Fixes: #36191
---------
Signed-off-by: jerensl <54782057+jerensl@users.noreply.github.com>
Current implementation takes arguments for specifying values of
violation report, but is difficult to understand which value should be
passed. These changes create new builder for violation report to address
the issue.
Testing: These changes do not require tests because they just refactor
current code
Signed-off-by: Chocolate Pie <106949016+chocolate-pie@users.noreply.github.com>
add CanGc as argument to methods in ElementInternals, GlobalScope,
HTMLAnchorElement, HTMLAreaElement, HTMLCanvasElement
Testing: These changes do not require tests because they are a refactor.
Addresses part of https://github.com/servo/servo/issues/34573.
Signed-off-by: Yerkebulan Tulibergenov <yerkebulan@gmail.com>
This is the last big change necessary to create the
`constellation_traits` crate. This moves the data structure for messages
that originate from the `ScriptThread` and are sent to the
`Contellation` to `constellation_traits`, effectively splitting
`script_traits` in half. Before, `script_traits` was responsible for
exposing the API of both the `ScriptThread` and the `Constellation` to
the rest of Servo.
- Data structures that are used by `ScriptToConstellationMsg` are moved
to `constellation_traits`. The dependency graph looks a bit like this:
`script_layout_interface` depends on `script_traits` depends on
`constellation_traits` depends on `embedder_traits`.
- Data structures that are used in the embedding layer
(`UntrustedNodeAddress`, `CompositorHitTestResult`, `TouchEventResult`
and `AnimationState`) are moved to embedder_traits, to avoid a
dependency cycle between `webrender_traits` and
`constellation_traits`.
- Types dealing with MessagePorts and serialization are moved to
`constellation_traits::message_port`.
Testing: This is covered by existing tests as it just moves types
around.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Some methods are implemented fully, while others are implemented
partly. With these implementations, there are no observed crashes
when running the trusted-types web-platform-tests.
Most notably, the tests/wpt/tests/trusted-types/idlharness.window.js
is now fully passing.
Part of #36258
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Propagate through documents a flag that represents if any of the
ancestor navigables has a potentially trustworthy origin.
The "potentially trustworthy origin" concept appears to have gotten
confused in a couple of places and we were instead testing if a URL had
"potentially trustworthy" properties.
The main test for the ancestor navigables is
[mixed-content/nested-iframes](https://github.com/web-platform-tests/wpt/blob/master/mixed-content/nested-iframes.window.js)
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix#36108
<!-- Either: -->
- [X] There are tests for these changes
---------
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
Messages that are sent to the `Constellation` have pretty ambiguous
names.
This change does two renames:
- `ConstellationMsg` → `EmbedderToConstellationMessage`
- `ScriptMsg` → `ScriptToConstellationMessage`
This naming reflects that the `Constellation` stands in between the
embedding layer and the script layer and can receive messages from both.
Soon both of these message types will live in `constellation_traits`,
reflecting the idea that the `_traits` variant for a crate is
responsible for exposing the API for that crate.
Testing: No new tests are necessary here as this just renames two enums.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This breaks the `script_traits` dependency on `webgpu`. In general, the
`traits` crates shouldn't depend on Servo non-`traits` crates. This is
necessary to move "script to constellation" messages to the
`constellation_traits` crate, making it the entire API for talking to
the
constellation. This will break a circular dependency when that happens.
Testing: Successfully building is enough of a test for this one as
it is mainly moving types around.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This is the final step of #1799, where the majority of the generated
code for the JS bindings is now compiled as part of the script_bindings
build step. The remaining pieces in script must live there because they
refer to concrete DOM types; all code in script_bindings is generic over
the
[DomTypes](https://doc.servo.org/script/dom/bindings/codegen/DomTypes/trait.DomTypes.html)
trait.
My testing with incremental builds shows me a 12 second reduction in
build times on my 2024 M4 Macbook Pro when modifying code in the script
crate after these changes. Before this PR those changes took 20 seconds
to rebuild Servo, and now they take 8 seconds.
Testing: Existing WPT tests ensure no regressions.
Fixes: #1799
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
- Remove `EmbedderMethods::get_user_agent_string`. This is now part of
the `Preferences` data structure, which should allow it to be
per-`WebView` in the future.
- Remove `EmbedderMethods::get_version_string`. This was used to include
some data along with WebRender captures about the Servo version. This
isn't really necessary and it was done to replace code in the past
that output the WebRender version, so also isn't what the original
code did. I think we can just remove this entirely.
The idea with these changes is that `EmbedderMethods` can be removed
in a followup and the rest of the methods can be added to
`ServoDelegate`. These two methods are ones that cannot be added to a
delegate as they are used during `Servo` initialization.
Testing: There is currently no testing for libservo. These changes are
meant
as preparation for adding a suite of `WebView` unit tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
* script: Move HasParent to script_bindings and update imports for InheritTypes.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make principal creation generic over DOM interface.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Move a bunch of proxy-related code to script_bindings.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make some proxy-related code generic over the DOM interface.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Move DomSlice to script_bindings.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Move some utility bindings code to script_bindings.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make enumerating and resolving globals generic over the DOM interface.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make realm helpers generic over the DOM interface.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Move implementations on concrete DOM types to concrete bindings.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make additional codegen helpers generic over the DOM interface.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make iterator creation generic over the DOM interface.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Make reporting an exception a generic operation.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* script: Move AsCCharPtrPtr to script_bindings.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* Formatting.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* Address clippy warnings.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
* Migrate to 2024 edition
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Allow unsafe_op_in_unsafe_fn lint
This lint warns by default in the 2024
edition, but is *way* too noisy for servo.
We might enable it in the future, but not now.
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Compile using the 2024 edition
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Use 2024 style edition
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
* Reformat all code
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
- Update the script crate to better reflect the modern Permission
specifcation -- removing the necessity for an `Insecure` variant of
the permissions prompt.
- Have all allow/deny type requests in the internal API use an
`AllowOrDeny` enum for clarity.
- Expose `PermissionsRequest` and `PermissionFeature` data types to the
API and use them in the delegate method.
- Update both servoshell implementations to use the API.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Mukilan Thiyagarajan <mukilan@igalia.com>
This is only used in servoshell, even though it was plumbed through
script previously. It's just about how the `RenderingContext` is set up,
which is something managed entirely outside of servo itself.
In addition, make the name of `servo_shell_preferences` in `app.rs` more
consistent with the rest of the codebase.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
`EmbedderMsg` was previously paired with an implicit
`Option<WebViewId>`, even though almost all variants were either always
`Some` or always `None`, depending on whether there was a `WebView
involved.
This patch adds the `WebViewId` to as many `EmbedderMsg` variants as
possible, so we can call their associated `WebView` delegate methods
without needing to check and unwrap the `Option`. In many cases, this
required more changes to plumb through the `WebViewId`.
Notably, all `Request`s now explicitly need a `WebView` or not, in order
to ensure that it is passed when appropriate.
Signed-off-by: Delan Azabani <dazabani@igalia.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
