Implement the `Sanitizer.get()` method.
Same as the previous patches on Sanitizer API, the steps related to
processing instructions are marked as TODO. Support for processing
instructions was recently added to the specification, and we will
implement it later when tests are ready.
Testing: Covered by WPT tests in
`sanitizer-api/sanitizer-get.tentative.html`
Fixes: Part of #43948
Signed-off-by: Kingsley Yung <kingsley@kkoyung.dev>
Implement sanitizer configuration validation algorithm, and complete the
"set a configuration" algorithm.
The steps related to processing instructions are marked as TODO. Support
for processing instructions was recently added to the specification, and we
will implement it later when tests are ready.
Specification:
- https://wicg.github.io/sanitizer-api/#sanitizerconfig-valid
- https://wicg.github.io/sanitizer-api/#sanitizer-set-a-configuration
Testing: Covered by WPT tests in
`sanitizer-api/sanitizer-config.tentative.html`
Fixes: Part of #43948
---------
Signed-off-by: Kingsley Yung <kingsley@kkoyung.dev>
Initialize Sanitizer API implementation with partially implemented
constructor and `get()` methods of the `Sanitizer` interface, which
allows the subsequent implementation to be tested by WPT.
The `Sanitizer` interface is hidden behind the feature flag
`dom_sanitizer_enabled`, which is disabled by default.
Specification: https://wicg.github.io/sanitizer-api/
Testing: Enable WPT tests for Sanitizer API.
Fixes: Part of #43948
---------
Signed-off-by: Kingsley Yung <kingsley@kkoyung.dev>
Requires communication between the script thread and the constellation
to be able to retrieve the origin of a cross-origin document. However,
in the fast-path where the document resides in the same script-thread,
we use the `frame_element` instead.
If no CSP list is active, then we skip all this logic, to have a minimal
impact on document navigation.
Part of #4577
Fixes #36468
---------
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
- canvas
- constellation_traits
- canvas_traits
- constellation
Testing: This should not change any behaviour.
---------
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
We now check for this header and corresponding logic. The WPT tests
mostly pass, but rely on the `contentDocument` of the iframe to be
`null`. This is not something we did before, which means that iframes
were able to access the contents of error pages.
Instead, we now mark the document as internal with an opaque origin
according to the spec [1]. We shouldn't do this post-fact, but it is
required since we first need to construct the document and enter its
realm, before we determine that it is an invalid document.
Fixes #16103
[1]: https://html.spec.whatwg.org/multipage/document-lifecycle.html#navigate-ua-inline
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
The CSP crate was incorrectly using the request URL for both checking if
policies were matching, as well as reporting that URL. However, the CSP
specification uses the current URL to check for policies and the URL for
reporting a violation.
Therefore, set the new current_url field for these requests, leaving the
ws scheme URLs as a special case. We also should take redirects into
account for navigations (which is only relevant for forms), but LoadData
currently has no notion of keeping track of that.
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
The spec has explicit steps for it, where we were calling a different
algorithm before. This passes more assertions in
`content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image.sub.html`
but since line numbers aren't correct, the test isn't fully passing yet.
Testing: WPT
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This is no longer present in the spec. Instead, the
`process_request_body` is the new way. These two
methods were called right after each other and there was only 1
implementation in `htmlvideoelement`. That implementation is now moved
to `process_request_body` and hence we can remove the unnecessary
method.
Testing: It compiles
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Add the cx parameter to `fn process_response` in the
`FetchResponseListener` trait and the traits that that interface change
requires. Chose to add it as the first parameter, following the same
order that `FetchResponseListener::process_response_eof` uses.
Testing: Checked that servo builds locally as well as `./mach fmt` and
`./mach test-tidy`. I don't think more tests are needed as we are not
introducing new functionality
Fixes: #42840
---------
Signed-off-by: Javier Olaechea <pirata@gmail.com>
Also moves some relevant methods from GlobalScope that were only used
within ReportingObserver.
Part of #38901
Testing: It compiles
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This was the only struct leftover in security_manager. Therefore, this
both moves and renames the files.
Part of #38901
Testing: It compiles
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This PR fixes two related issues with Content Security Policy (CSP)
nonce validation for external scripts:
1. Missing nonce validation for external scripts with malformed
attributes
2. Incorrect violation event reporting for blocked external resources
This makes servo closer to passing the `nonce-enforce-blocked` wpt test.
The remaining failures are blocked by required changes in the html
parser.
1. Svg script support (https://github.com/servo/html5ever/issues/118)
```html
<svg xmlns="http://www.w3.org/2000/svg">
<script attribute attribute nonce="abc">
t.unreached_func("Duplicate attribute in SVG, no execution.")();
</script>
</svg>
```
2. Duplicate attrs check
the html parser needs to provide this flag, as mentioned on the original
commit message
(4821bc0ab0)
```html
<script attribute attribute nonce="abc">
t.unreached_func("Duplicate attribute, no execution.")();
</script>
<script attribute attribute=<style nonce="abc">
t.unreached_func("2# Duplicate attribute, no execution.")();
</script>
[...]
<script src="../support/nonce-should-be-blocked.js?5" attribute attribute nonce="abc"></script>
```
I've also created a PR to implement the duplicate attrs flag on
html5ever https://github.com/servo/html5ever/pull/695
Testing: doesn't fix the aforementioned wpt test yet.
Fixes: part of #36437
---------
Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
These changes introduce a new OriginSnapshot type, which is an immutable
version of MutableOrigin (i.e. an origin that includes an optional domain
modifier). This is now propagated as part of LoadData's origin, allowing
us to perform the same-origin-domain check for javascript: URLs as
needed.
Testing: Newly-passing tests.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Changed some allow to expects and removed the unfulfilled expectations.
Testing: Refactor
Part of: #40383
Signed-off-by: anonmiraj <nabilmalek48@gmail.com>
*Describe the changes that this pull request makes here. This will be
the commit message.*
Move CSP DOM interfaces to `script/dom/security`
Testing: Just a refactor, it doesn't require tests
Fixes: part of #38901
Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>