Setting the filter property on a CanvasRenderingContext2D would crash
with a null pointer dereference if the canvas element had no layout
node (e.g. a detached canvas not in the document).
Instead of forcing a full layout update and requiring a layout node,
we now only update style if needed and resolve lengths via the
element's computed properties when available, falling back to
document-level defaults otherwise. This matches the pattern used by
CanvasTextDrawingStyles.
The getter compares the current entry index against the entry
list's size, but valid indices are in the range [0, size - 1].
An index equal to size is a past-the-end state that never occurs
in practice, so the function always returns true for any valid
index. This means it reports forward navigation is possible even
when the current entry is the last one in the list, where
forward() immediately throws an InvalidStateError.
The symmetric can_go_back() correctly checks against index 0,
and forward() correctly checks against size - 1. This brings
can_go_forward() in line with both.
Previously, the label called `HTMLElement::click()` which dispatched a
synthetic event with all properties set to their default values. We now
preserve the properties of the original mouse event.
Add 6 text tests that verify correct behavior when image loading
callbacks fire after a document has been destroyed. These tests
check that load/error events are properly suppressed and that
no additional network activity occurs after the document becomes
inactive.
Otherwise, the remote port will lose its transport and not receive
queued messages. The remote port will automatically close anyway when
EOF is received on the socket.
This allows https://www.tripadvisor.com/ to load, where it instantiates
a module by creating a MessageChannel, setting port1's onmessage to the
module's instantiation function, posting an undefined message on port2
and then immediately closing port2.
Issue #6294 describes an edge case where the browser crash if the same
module is loaded three times in a document, but all attempts fail.
Failure scenario:
1. Module load 1 set the state to "Fetching"
2. Module load 2 registers a callback to `on_complete` since the
current state is "Fetching"
3. Module load 1 finish with a failure, invoking the callback for load
number 2
4. Module load 3 cause a crash. The state is neither "Fetching" or
"ModuleScript", so we'll reset the state to "Fetching". This invokes
the callback for module load 2 again, now with an unexpected state
which will cause an assert violation.
Proposed fix is to remove the condition that invokes `on_complete`
immediately for successfully loaded modules only, the callback should
be invoked regardless of whether the fetch succeeded or failed.
This reveals a separate bug in HTMLScriptElement, where
`mark_as_ready()` can be invoked before
`m_steps_to_run_when_the_result_is_ready` is assigned.
This appears to be a spec bug, reported as
https://github.com/whatwg/html/issues/12073 and addressed by delaying
the callback by a task, similar to the issue was resolved for inline
scripts.
Previously, when creating a policy container from a fetch response, the
Referrer-Policy HTTP header was not being parsed. This meant documents
loaded with a Referrer-Policy header would ignore the policy and use the
default.
I had completely managed to forget about the special case of Window
where a WindowProxy is what is received over IDL. This was caught
by the origin-from-window WPT test, but unfortunately this cannot
be imported as it relies on a web server running and other
surroundsing WPT infrastructure.
We don't discern between opaque and non-opaque alpha types in LibGfx,
which at some point we might need to do. But for now, assume all opaque
Skia surfaces have premultiplied alpha.
Fixes#6892.
One MessagePort can be entangled with another MessagePort, either in the
same agent, or in another agent.
In the same-agent case, the MessagePort objects point to each other via
the MessagePort::m_remote_port field.
In the separate-agent case, they live in separate processes entirely and
thus can't point at each other.
In both cases, the MessagePorts have an underlying transport channel,
which means they are "entangled". However, we can't assume that being
entangled means having a non-null m_remote_port.
This patch simply adds a missing null check for m_remote_port and thus
makes https://vscode.dev/ stop crashing with a null dereference.
To make {,de}serialization of ImageBitmap work we also had to add
support for creating an ImageBitmap from a HTMLCanvasElement in
WindowOrWorkerGlobalScopeMixin::create_image_bitmap_impl().
We were failing to actually climb up the containing block chain,
causing this API to infinite loop for anything but the most
trivial cases.
By fixing the loop structure, we also make a bunch of the already
imported WPT tests pass. :^)
The `muted` content attribute should only affect the state of the
`muted` IDL property when the media element is first created. The
attribute should have no dynamic effect.
Opaque origins are meant to be unique in terms of equality from
one another. Since this uniqueness needs to be across processes,
use a nonce to implement the uniqueness check.
Documents created via DOMParser.parseFromString()
are parsed synchronously and do not participate in the
browsing context's loading pipeline.
This patch ensures that if the document has no browsing context
(i.e. was parsed via DOMParser),
its readiness is set to "complete" synchronously.
Fixes WPT:
domparsing/xmldomparser.html
The text track processing model would previously spin forever waiting
for the track URL to change. It would then recursively invoke itself
to handle the new URL, again entering the spin loop. This meant that
tracks could easily cause event loop hangs.
We now have an observer system to be notified when the track state
changes instead. This lets us exit the processing model and move on.
When serializing CSS declarations we now support combining multiple
properties into a single shorthand property in some cases.
This comes with a healthy dose of FIXMEs, including work to be done
around supporting:
- Nested shorthands (e.g. background, border, etc)
- Shorthands which aren't represented by the ShorthandStyleValue type
- Subproperties pending substitution
This gains us a bunch of new test passes, both for WPT and in-tree
156c1083e9 introduced a text blocks cache
for better performance when searching through text on a page, but when
we partially recreate the layout tree, this cache does not get
invalidated. We now rebuild the entire text blocks cache after a layout
update.
Browsers such as Chrome and Firefox apply an arbitrary scale to the
current font size if `normal` is used for `line-height`. Firefox uses
1.2 while Chrome uses 1.15. Let's go with the latter for now, it's
relatively easy to change if we ever want to go back on that decision.
This also requires updating the expectations for a lot of layout tests.
The upside of this is that it's a bit easier to compare our layout
results to other browsers', especially Chrome.
We were handling removing the style sheet from the shadow root, but not
appending to it. Fixing this also revealed a bug that a removed link
element would always try to remove from the document's list, as the
root is no longer the shadow root it's in. The fix is to use the passed
in old root to remove the style sheet from.
Fixes the cookie banner on https://nos.nl/
This fixes the frame-ancestors WPT tests from crashing when an iframe
is blocked from loading. This is because it would get an undefined
location.href from the cross-origin iframe, which causes a crash as it
expects it to be there.
A Storage object may be created with an existing storage bottle. For
example, if you navigate from site.com/page1 to site.com/page2, they
will have different localStorage objects, but will use the same bottle
for actual storage.
Previously, if page1 set some key/value item, we would initialize the
byte count to 0 on page2 despite having a non-empty bottle. Thus, if
page2 set a smaller value with the same key, we would overflow the
computed byte count, and all subsequent writes would be rejected.
This was seen navigating from the chess.com home page to the daily
puzzle page.
JavaScript URLs run in the same document context the navigation was
started in, so they're not eligible to be moved to a new WebContent
process.
Fixes the "Login as demo user" link on https://demo.immich.app/
