servo

Mirrors/servo

Fork 0

mirror of https://github.com/servo/servo.git synced 2025-06-06 16:45:39 +00:00

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Tim van der Lippe	4164f76769	Implement all trusted sinks in `HTMLScriptElement` (#36668 ) As a follow-up to the recent introduction of `script.src` as trusted sink, this PR refactors machinery to also support `TrustedScript`. In doing so, all trusted sinks in `HTMLScriptElement` are now covered. Instead of calling the callbacks in `policy.createX`, we now have a `TrustedType` enum that specifies which callback to invoke. Unfortunately we still have the `USVString` vs `DOMString` problem, which is why we need to `.map` twice to retrieve the backing `String` and avoid two different types. Additionally, I saw that `script.text` should have called the "String replace all" algorithm rather than setting the child contents. So that's also now fixed. Part of #36258 Requires servo/html5ever#608 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>	2025-05-03 08:35:46 +00:00
Tim van der Lippe	6bb087e381	Implement trusted types url setter (#36596 ) We now check the sink of script.src for trusted types. This is the first attribute that we check, other sinks will be implemented in follow-up changes. The algorithms currently hardcode various parts. That's because I need to refactor a couple of algorithms already present in TrustedTypePolicy. They use callbacks at the moment, which made sense for their initial use. However, for these new algorithms they don't work. Therefore, I will align them with the specification by taking in an enum. However, since that's a bigger refactoring, I left that out of this PR (which is already quite big). The other trusted types support (createScript and createHTML) will also be implemented separately. Part of #36258 --------- Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com> Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com> Co-authored-by: Josh Matthews <josh@joshmatthews.net>	2025-04-21 06:56:40 +00:00
Tim van der Lippe	b87bf0b806	Stub out Trusted Types interfaces (#36355 ) Some methods are implemented fully, while others are implemented partly. With these implementations, there are no observed crashes when running the trusted-types web-platform-tests. Most notably, the tests/wpt/tests/trusted-types/idlharness.window.js is now fully passing. Part of #36258 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>	2025-04-05 13:08:56 +00:00

Tim van der Lippe

4164f76769

Implement all trusted sinks in HTMLScriptElement (#36668 )

As a follow-up to the recent introduction of `script.src`
as trusted sink, this PR refactors machinery to also
support `TrustedScript`. In doing so, all trusted sinks
in `HTMLScriptElement` are now covered.

Instead of calling the callbacks in `policy.createX`,
we now have a `TrustedType` enum that specifies which callback
to invoke. Unfortunately we still have the `USVString` vs
`DOMString` problem, which is why we need to `.map` twice
to retrieve the backing `String` and avoid two different
types.

Additionally, I saw that `script.text` should have called
the "String replace all" algorithm rather than setting the
child contents. So that's also now fixed.

Part of #36258
Requires servo/html5ever#608

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

2025-05-03 08:35:46 +00:00

Tim van der Lippe

6bb087e381

Implement trusted types url setter (#36596 )

We now check the sink of script.src for trusted types. This is the first
attribute that we check, other sinks will be implemented in follow-up
changes.

The algorithms currently hardcode various parts. That's because I need
to refactor a couple of algorithms already present in TrustedTypePolicy.
They use callbacks at the moment, which made sense for their initial
use. However, for these new algorithms they don't work. Therefore, I
will align them with the specification by taking in an enum. However,
since that's a bigger refactoring, I left that out of this PR (which is
already quite big).

The other trusted types support (createScript and createHTML) will also
be implemented separately.

Part of #36258

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>

2025-04-21 06:56:40 +00:00

Tim van der Lippe

b87bf0b806

Stub out Trusted Types interfaces (#36355 )

Some methods are implemented fully, while others are implemented
partly. With these implementations, there are no observed crashes
when running the trusted-types web-platform-tests.

Most notably, the tests/wpt/tests/trusted-types/idlharness.window.js
is now fully passing.

Part of #36258

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

2025-04-05 13:08:56 +00:00

3 commits