Renamed StyleSheetsActor variable names in browsing_context
Testing: Ran `./mach test-devtools` locally.
Fixes: Part of #43606
---------
Signed-off-by: Sabb <sarafaabbas@gmail.com>
This change adds support for `background-blend-mode` to Servo by
creating one stacking context per blend and a single stacking context to
serve as the blend container. This matches the approach that Gecko
takes.
Stylo PR: servo/stylo#344
Testing: This change causes some WPT tests to start passing. In general
this feature
is not well exercised by tests. I suspect that blending is hard to test
properly.
Fixes: #43621
Signed-off-by: Martin Robinson <mrobinson@fastmail.fm>
Co-authored-by: Martin Robinson <mrobinson@fastmail.fm>
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5
to 46.0.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's
changelog</a>.</em></p>
<blockquote>
<p>46.0.6 - 2026-03-25</p>
<pre><code>
* **SECURITY ISSUE**: Fixed a bug where name constraints were not
applied
to peer names during verification when the leaf certificate contains a
wildcard DNS SAN. Ordinary X.509 topologies are not affected by this
bug,
including those used by the Web PKI. Credit to **Oleh Konko (1seal)**
for
reporting the issue. **CVE-2026-34073**
<p>.. _v46-0-5:<br />
</code></pre></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="91d728897b"><code>91d7288</code></a>
Cherry-pick <a
href="https://redirect.github.com/pyca/cryptography/issues/14542">#14542</a>
(<a
href="https://redirect.github.com/pyca/cryptography/issues/14543">#14543</a>)</li>
<li>See full diff in <a
href="https://github.com/pyca/cryptography/compare/46.0.5...46.0.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/servo/servo/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
We were previously conflating the concept of a navigation request's
origin with the origin of the resulting document. These changes ensure
that the navigation request's origin is based on the navigation
initiator's origin, and the document's origin is not computed until
after the navigation response is received.
The most visible effect of these changes is that documents in sandboxed
iframes now correctly have an opaque origin.
Testing: Lots of new passing tets.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Requires communication between the script thread and the constellation
to be able to retrieve the origin of a cross-origin document. However,
in the fast-path where the document resides in the same script-thread,
we use the `frame_element` instead.
If no CSP list is active, then we skip all this logic, to have a minimal
impact on document navigation.
Part of #4577Fixes#36468
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
UA widgets (such as textual `<input>`) create a shadow DOM to contain
their various parts. When clicking on these parts (such as the text node
of the widget contents), we should use the root node of the widget as
the activable node. This means that wehen you click on the inside of an
`<input>` element, the input matches the `:active` pseudo-selector.
Testing: This improves WPT tests.
Fixes: #41102
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Also move the related `navigate_to_fragment` method next to it.
Part of #40600
Testing: It compiles
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Renamed NetworkEventActor variables in network_handler & lib.rs
Testing: No testing required
Fixes: Part of #43606
Signed-off-by: Sabb <sarafaabbas@gmail.com>
This is the first step toward implementing the Web Animations
specification. It adds support for the `AnimationTimeline` and
`DocumentTimeline` specification concepts. Note that there was already
an `AnimationTimeline`, but it did not implement the specification.
Testing: Various WPT start to pass or no longer error / timeout.
Signed-off-by: Martin Robinson <mrobinson@abandonedwig.info>
Co-authored-by: Martin Robinson <mrobinson@abandonedwig.info>
As titled. The `Vec<UnshapedTextRun>` produced by `fn
build_unshaped_text_runs`
is only used by `into_shaped_text_run`, which filters out those without
string or font.
It is better to not allocate them in the first place.
Testing: [Try](https://github.com/servo/servo/actions/runs/23642089615).
Added a Servo-specific crash test to ensure we will not have empty
font/string in a text run.
---------
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
It moves `Element.rs` into a subdirectory and turns on dead code
detection (found 4 methods that could be removed). Then it also extracts
the first attribute-related method into a separate file, to reduce the
file size of `Element` and add more structure as part of #43709.
Part of #38901
Part of #43709
Testing: It compiles
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This prevents unintended updates the `uv.lock` file which must be
reverted locally.
Testing: As this just fixes a runtime issue when running `test-tidy`,
this
probably doesn't deserve a test.
Signed-off-by: Martin Robinson <mrobinson@abandonedwig.info>
Co-authored-by: Martin Robinson <mrobinson@abandonedwig.info>
If there are multiple header values and one of them is empty, we should
append the empty string rather than skipping it. The algorithm was
incorrectly advancing the operation and continuing the loop, rather than
appending and later returning the `values`.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Both `Window::load_url` and `ScriptThread::navigate` implement parts of
the same navigate algorithm from the HTML spec
(https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigate).
`ScriptThread::navigate` had only one caller: `Window::load_url`.
This merges both methods into a single `navigate` function in
`navigation.rs`, which is the appropriate home for navigation logic. All
previous callers of `Window::load_url` now call `navigation::navigate`
directly.
Testing: This is a pure refactor with no behaviour changes, so no new
tests are needed. Existing tests cover the navigation paths affected.
Fixes: #43494
---------
Signed-off-by: thebabalola <t.babalolajoseph@gmail.com>
Renamed BrowsingContext in tab, network_event, watcher actors & lib.rs
Testing: No testing required - only renaming done
Fixes: Part o #43606
Signed-off-by: Sabb <sarafaabbas@gmail.com>
Refactor Constellation module to use GenericEmbedderProxy
- [X] create the new enum in components/<component>
- [X] for each use of EmbedderMsg::<something> in
components/<component>, extract that enum variant into the new enum
- [X] replace uses of EmbedderProxy in components/<component> with
GenericEmbedderProxy<<component>ToEmbedderMsg>
- [X] create a new instance of the generic embedder proxy in
[Servo::new](c023d8edc7/components/servo/servo.rs (L755-L756));
store the receiver in a new field in Servo and pass the sender to the
appropriate code that instantiates the component
- [X] add a new variant to the
[Message](c023d8edc7/components/servo/servo.rs (L137))
enum for the new component enum type
- [X] update
[receive_one_message](c023d8edc7/components/servo/servo.rs (L224))
to use the new receiver and return the new enum variant
- [X] extract the code from
[handle_embedder_message](c023d8edc7/components/servo/servo.rs (L345))
that handles the component-specific variants into a new method
Testing: Just a refactor shouldn't need any testing
Fixes: #42097
---------
Signed-off-by: Emmanuel Paul Elom <elomemmanuel007@gmail.com>
Signed-off-by: elomscansio <163124154+elomscansio@users.noreply.github.com>
Co-authored-by: Mukilan Thiyagarajan <mukilanthiagarajan@gmail.com>
The WebIDLs for values were duplicated in PropertyDescriptor and
EvalResultValue, with duplicated handlers across the code.
General cleanup of how debugger values are passed from debugger.js and
how the conversion from JS and to JSON happens.
There shouldn't be a behaviour change.
Testing: Existing devtools tests and manual testing
Part of: #36027
---------
Signed-off-by: eri <eri@igalia.com>
Co-authored-by: atbrakhi <atbrakhi@igalia.com>
Renamed WorkerActor variables in watcher, console, root and lib.rs
Testing: No testing required
Fixes: Part of #43606
Signed-off-by: Sabb <sarafaabbas@gmail.com>
Fixes#43629.
The `EventSource` constructor was resolving input URLs with
`api_base_url().join(...)`, which is not the same as the HTML spec’s
encoding-parsing step for URLs relative to the relevant settings object.
This change updates `components/script/dom/eventsource.rs` to use
`global.encoding_parse_a_url(&url.str())` when constructing the
`EventSource` request URL. That makes the constructor follow the spec
more
closely while keeping the existing failure behavior of returning
`Error::Syntax(None)` when parsing fails.
Using `GlobalScope::encoding_parse_a_url` also reuses the existing
parsing
path for both window and worker globals, instead of handling
`EventSource`
URL resolution through `api_base_url().join(...)` directly.
Testing:
* Ran ./mach check
* Ran ./mach test-wpt tests/wpt/tests/eventsource/
* Checked relevant coverage under
tests/wpt/tests/html/infrastructure/urls/resolving-urls/query-encoding/
---------
Signed-off-by: veercodeprog <veerpratap945050@gmail.com>
For any enabled command, we should fire corresponding
beforeinput and input events.
Also update a WPT test to make it clearer what the
expected behavior is. None of the test expect a
beforeinput event. Before, it would fail with
"expected undefined, but got", which is not descriptive
as a failure to what's happening.
We are failing these tests, since this behavior is
currently unspecced and also requires changes in
the input element to work with text edits.
Part of #25005
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
in #43029, we defined an accessibility tree for each webview. we create
those trees when accessibility is activated for that webview, then the
embedder can graft it into their main accessibility tree. at the time,
this accessibility tree was empty, but we ultimately want it to contain
the accessibility tree of the documents loaded in the webview at any
given time. to do that, we need to graft the active top-level pipeline’s
accessibility tree into the webview accessibility tree. we should be
able to ignore nested documents inside iframes here, and leave it to
their parent documents to graft those in as part of layout
accessibility.
this patch hooks into the moment in the constellation where we detect
that the top-level document has changed (#43013), and notifies libservo
of the new AccessKit TreeId for the webview-to-pipeline graft node. this
moment covers navigating to a new top-level document and navigating back
or forward, but not the initial document loaded in the webview, so we
also hook into the moment a ConstellationWebView is created, and do the
same for that initial document. now the accessibility tree for a webview
with accessibility activated should look like this:
- embedder’s main tree
- graft node for webview tree → webview tree
- ~~graft node for document back in history~~
- graft node for active top-level document → (nothing yet)
- ~~graft node for document forward in history~~
Testing: this patch updates the relevant accessibility test in libservo
Fixes: part of #4344, extracted from our work in #42338
---------
Signed-off-by: Alice Boxhall <alice@igalia.com>
Signed-off-by: delan azabani <dazabani@igalia.com>
Co-authored-by: Alice Boxhall <alice@igalia.com>
This update makes service workers properly show up in DevTools and
behave more like dedicated workers.
- Added an is_service_worker field to DevtoolsPageInfo so the devtools
server can tell service workers apart from dedicated workers
- Triggered a NewGlobal message when a service worker is created in
serviceworker_manager.rs, similar to what already happens for dedicated
workers
- Routed service workers to root.service_workers so they appear under
"Service Workers" in about:debugging instead of "Other Workers"
- Implemented listServiceWorkerRegistrations with the expected response
format (activeWorker, installingWorker, waitingWorker, evaluatingWorker)
to match Firefox’s LegacyServiceWorkersWatcher
- Added support for getPushSubscription in WorkerActor, currently
returning subscription: null
Enabled the service_worker target type in the watcher’s SessionContext
and handled watchTargets("service_worker")
Testing
Start Servo with:
`RUST_LOG="error,devtools=debug" ./mach run --
--pref=dom_serviceworker_enabled --devtools=6080
"https://mdn.github.io/dom-examples/service-worker/simple-service-worker/"
`
In Firefox, go to about:debugging and connect to localhost:6080
Confirm the service worker shows up under "Service Workers"
Fixes#43574
---------
Signed-off-by: CynthiaOketch <cynthiaoketch6@gmail.com>
These are mostly formatting changes to make them consistent.
Testing: Not required as there are no code changes.
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Rename page_style in inspector .
Testing: ran `./mach test-devtools`.
Fixes: Part of #43606
Signed-off-by: Jayanta Pradhan <pradhanjayanta91@gmail.com>
Introduces a new type `DevtoolsConnection`, which implements the
`JsonPacketStream` trait with proper coordination of I/O across threads.
This replaces the implementation of `JsonPacketStream` for raw
`TcpStream`s, which was susceptible to interleaving writes when cloned
across threads.
`DevtoolsConnection` also defensively synchronizes read operations.
These are less likely to cause issues: in practice actors should never
independently pull incoming messages without centralized coordination.
Testing: No new tests, as interleaving writes are difficult to evoke
deterministically. Removing the `JsonPacketStream` implementation for
`TcpStream` should discourage regressions due to improper use of raw
streams.
---------
Signed-off-by: Brent Schroeter <contact@brentsch.com>
Co-authored-by: eri <eri@igalia.com>
Rename `DeviceActor` local variable in `root.rs` from `device` to
`device_actor` for naming consistency across the devtools crate.
This follows the convention discussed in #43557:
- `{}_actor` for variables holding the actor
- `{}_name` for variables holding the actor name string
The `device_actor` field in the `GlobalActors` struct was not renamed,
as it is part of a `#[derive(Serialize)]` struct used for devtools
message serialization.
Testing: `./mach test-devtools` all 60 tests pass (6 expected failures).
One unrelated flaky test
(`test_breakpoint_at_invalid_entry_point_does_not_crash`) occasionally
fails due to a race condition tracked separately. opened an isssue for
it at #43667
fixes part of #43606
Signed-off-by: staysafe020 <jambongralpher@gmail.com>
Renamed TabDescriptorActor variable names in browsing_context, root &
target_configuration
Cleaned up a few more names as suggested by eerii
Testing: No testing required
Fixes: Part of #43606
Signed-off-by: Sabb <sarafaabbas@gmail.com>
Rename NetworkParent in watcher actors.
Testing: ran `./mach test-devtools`.
Fixes: Part of #43606
---------
Signed-off-by: Jayanta Pradhan <pradhanjayanta91@gmail.com>
The commit contains several related changes:
* iframes that load javascript: URLs as part of the initial insertion
(ie. `<iframe src='javascript:...'>`) get a synchronous load event
dispatched
* javascript: URL evaluation that does not result in a string no longer
treated like a 204 response
* iframes that perform a javascript: URL navigation that does not result
in a new document no longer block the parent document load event
Testing: Lots of new tests passing.
Fixes: #24901
---------
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Moves the cleanup logic to a separate helper struct to comply with the
prohibition of manual `Drop` implementations for DOM types.
Testing: WebGL tests cover these cases
Fixes: Partially #26488
Signed-off-by: Domenico Rizzo <domenico.rizzo@gmail.com>
There were two issues here:
1. We weren't firing the `load` event when we would show an error page
because of a CSP failure. This is to avoid web pages knowing wheter a
page has failed because of CSP.
2. We were reporting the violations in the wrong global. We shouldn't
fire these in the global of the child, but instead in the parent.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Rename console_actor and console in actors.
Testing: ran `./mach test-devtools`.
Fixes: Part of #43606
---------
Signed-off-by: Jayanta Pradhan <pradhanjayanta91@gmail.com>
Checks the web font sources and filter out the ones that are already
downloaded in the `FontContext` before starting to load new ones
Testing: Existing WPT tests.
---------
Signed-off-by: Minghua Wu <michael.wu1107@gmail.com>
