These changes introduce a new OriginSnapshot type, which is an immutable
version of MutableOrigin (ie. an origin that includes an optional domain
modifier). This is now propagated as part of LoadData's origin, allowing
us to perform the same-origin-domain check for javascript: URLs as
needed.
Testing: Newly-passing tests.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
Methods were unused and removed from the HTML spec.
Testing: Verified with ./mach build and ./mach test-unit. Without errors
or warnings.
Fixes: #41835
Signed-off-by: TimurBora <timurborisov5561@gmail.com>
This change moves the `UserContentManager` abstraction from the
`ServoBuilder` to `WebViewBuilder` so that embedders can inject content
for each `WebView` independently. It also adds basic support for runtime
mutations to the `UserContentManager` API. Only adding new scripts is
currently supported, but future changes will add support for both other
mutations such as removal of scripts and addition & removal of
stylesheets. Future changes could also optimize the way mutations are
propagated to `ScriptThread`s by sending just the "delta" rather than
the whole `UserContents` structure for each mutation.
The `UserContentManager` now becomes just a convenient handle for the
embedders to invoke the mutation API while the actual management of the
manager's content is handled by the Constellation. The mutations are
relayed to the constellation via messages. The change also separates the
serialized version containg the user contents into a new `UserContent`
structure so that the API cannot be misused.
Testing: New unit tests have been added for the different scenarios
involving UserContentManager.
---------
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Changed some allow to expects and removed the unfulfilled expectations.
Testing: Refactor
Part of: #40383
Signed-off-by: anonmiraj <nabilmalek48@gmail.com>
Previously, when window.open() was called with a javascript: URL, the
script would execute unconditionally without any CSP enforcement. The
CSP list was not propagated from the opener to the newly opened
document.
This commit fixes two issues:
1. Propagate CSP from opener to new document The CSP list from the
existing (opener) document is now copied to the target document before
navigation, ensuring CSP policies are enforced.
2. Report CSP violations to the correct window Per the CSP spec,
violations should be reported to the navigation request's client (the
opener window), not the target window. To achieve this, we check CSP
early in window.open() while both windows are accessible, before
entering the normal navigation flow where only the target window is
available.
Testing: new wpt successes:
-
`content-security-policy/script-src/javascript-window-open-blocked.html`
-
`content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open.html`
-
`content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open.html`
Fixes: part of #36437
Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>
I used find and replace to finish the job. All this PR does is replace
all `Error::<error_name>` occurrences with `Error::<error_name>(None)`.
Testing: Refactor
Fixes: #39053
Signed-off-by: Ashwin Naren <arihant2math@gmail.com>
Have more of the code follow the same path calling
`ScriptThread::spawn_pipeline`. Somewhat tricky was that the `origin` of
the new Pipeline was being determined in several different places, but
all in a consistent way for different types of page loads. This change
makes it is so that the origin is always determined in the same place.
This change is preparation for splitting out the creation of a new
`ScriptThread` and the spawning of its first pipeline.
Testing: This should not change observable behavior, so is covered by
existing tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
The thing that this message does is to spawn a pipeline in a
`ScriptThread`. I believe that the `AttachLayout` name is a relic of a
different time. The corresponding procedure in the `Constellation` is
already called `Pipeline::spawn`.
Testing: This is just a rename, so existing tests should cover this
change.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This is another step on the way toward enabling the default set
of rustc compiler warnings for `script`. This also renames two
functions according to Rust snake case guidelines.
Testing: This should not change behavior and is thus covered by existing
tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Removes some unneeded lints, especially `#[allow(unsafe_code)]`.
Testing: Refactor
Part of: #40383
Signed-off-by: WaterWhisperer <waterwhisperer24@qq.com>
Servo has a lot of comments like this:
```rust
// https://example-spec.com/#do-the-thing
fn do_the_thing() {}
```
and I keep turning these into doc comments whenever I'm working close to
one of them. Doing so allows me to hover over a function call in an IDE
and open its specification without having to jump to the function
definition first. This change fixes all of these comments at once.
This was done using `find components -name '*.rs' -exec perl -i -0777
-pe 's|^([ \t]*)// (https?://.*)\n\1(fn )|\1/// <$2>\n\1$3|mg' {} +`.
Note that these comments should be doc comments even within trait `impl`
blocks, because rustdoc will use them as fallback documentation when the
method definition on the trait does not have documentation.
Testing: Comments only, no testing required
Preparation for https://github.com/servo/servo/pull/39552
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
It would be useful for the Constellation is ever going to store data
per-WebView for the purposes of making cleanup and resource management
easier. If that's ever going to happen the `WebView` needs to be passed
with all messages that need it. This change makes it so that messages to
the Constellation that require a Pipeline also carry a WebViewId. This
eliminates one way in which message handling might go wrong.
This avoids making the Constelaltion look up the `WebViewId` for many
messages
that it receives.
Testing: This should not change observable behavior, so should be
covered by existing tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
When one unbinds an iframe from the tree, its browsing context is
destroyed, however if script keeps a reference to the window, it can
still try to open an auxiliary, resulting in a crash because the
constellation has already removed the browsing context. This adds a
non-intermittent test for the problem, and addresses it in a seemingly
ad-hoc way by checking whether the browsing context has already been
discarded, and if so doing an early return, as part of the window open
steps.
Testing: Added a crash test in the mozilla wpt folder.
Fixes: https://github.com/servo/servo/issues/39716
---------
Signed-off-by: gterzian <2792687+gterzian@users.noreply.github.com>
This implements LazyDOMString (from now on DOMString) as outlined in
https://github.com/servo/servo/issues/39479.
Constructing from a *mut JSString we keep the in a
RootedTraceableBox<Heap<*mut JSString>> and transform
the string into a rust string if necessary via the `make_rust_string`
method.
Methods used in script are implemented on this string. Currently we
transform the string at all times.
But in the future more efficient implementations are possible.
We implement the safety critical sections in a separate module
DOMStringInner which allows simple constructors, `make_rust_string` and
the `bytes` method.
This method returns the new type `EncodedBytes` which contains the
reference to the underlying string in either format.
Testing: WPT tests still seem to work, so this should test this
functionality.
---------
Signed-off-by: Narfinger <Narfinger@users.noreply.github.com>
This change makes it so that `<iframe>` sanboxing is equivalent to the
one used for Content Security Policy, which is how the specification is
written. In addition, these sandboxing flags are passed through to
`<iframe>` `Document`s via `LoadData` and stored as
`Document::creation_sandboxing_flag_set`. The flags are used to
calculate the final `Document::active_sandboxing_flag_set` when loading
a `Document`.
This change makes it so that `<iframe>`s actually behave in a sandboxed
way, the same way that `Document`s with CSP configurations do. For
instance, now scripts and popups are blocked by default in `<iframe>`s
with the
`sandbox` attribute.
Testing: This causes many WPT tests to start to pass or to move from
ERROR to TIMEOUT or failing later. Some tests start to fail:
-
`/html/semantics/embedded-content/the-canvas-element/canvas-descendants-focusability-005.html`:
This test uses a combination of `<iframe allow>` and Canvas fallback
content, which we do not support.
-
`/html/semantics/embedded-content/the-iframe-element/iframe_sandbox_navigate_other_frame_popup.sub.html`:
This test is now failing because the iframe is sanboxed but in the
ScriptThread now due to `allow-same-origin`. More implementation is
needed to add support for the "one permitted sandbox navigator concept."
Fixes: This is part of #31973.
---------
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Oriol Brufau <obrufau@igalia.com>
This updates all Rc that were ignored for malloc_size_of to use
conditional_malloc_size_of, unless the type in the Rc itself doesn't
support malloc_size.
Regular expressions used to search for all occurrences:
```
ignore_malloc_size_of = "Rc.*"
ignore_malloc_size_of = "Arc.*"
```
There are a couple left since they have nested Rc, which I don't know
how to fix.
To be able to define these, several new implementations were added to
`malloc_size_of/lib.rs` as well as
`HashMapTracedValues`.
Testing: if it compiles, it's safe
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Add the prefix of "WebStorage" instead of "Storage" for all webstorage
spec related things. For example, a `struct` called `StorageManager`:
this could refer to either webstorage's thread manager or to the backend
for [the storage manager
interface](https://storage.spec.whatwg.org/#storagemanager). webstorage
is the full name of the spec, so I chose to keep that in the names of
files/structs to prevent confusion when storage manager is implemented.
Signed-off-by: Ashwin Naren <arihant2math@gmail.com>
Split the window_proxies in script thread into its own struct with
appropiate methods. ScriptThread allows to get an Rc to it.
HtmlIFrameElement, Window and WindowProxy now get the Rc on construction
from ScriptThread.
Testing: Just a refactor so should not change any behavior.
Fixes: Addresses part of https://github.com/servo/servo/issues/37969
---------
Signed-off-by: Narfinger <Narfinger@users.noreply.github.com>
This is part of the future work of implementing LazyDOMString as
outlined in issue #39479.
We use str() method or direct implementations on DOMString for these
methods. We also change some types.
This is independent of https://github.com/servo/servo/pull/39480
Signed-off-by: Narfinger Narfinger@users.noreply.github.com
Testing: This is essentially just renaming a method and a type and
should not change functionality.
Signed-off-by: Narfinger <Narfinger@users.noreply.github.com>
When an `<iframe>` cannot scroll because the size of the frame is
greater than or
equal to the size of page contents, chain up the keyboard scroll
operation to the parent frame.
Testing: A new Servo-only WPT tests is added, though needs to be
manually
run with `--product servodriver`.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Co-authored-by: Delan Azabani <dazabani@igalia.com>
Adding an optional message to be attached to a SyntaxError. Unblocks
#39050.
The enum definition of Syntax is now `Syntax(Option<String>)`. Future
PRs should probably add more appropriate messages to some of the
`Syntax(None)`s.
Testing: Just a refactor
Fixes: Partially #39053
Signed-off-by: Ashwin Naren <arihant2math@gmail.com>
Port the reply / back channels of StorageThreadMsg to GenericChannel.
Testing: No functional changes
Part of #38912
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
This change includes the following additions to GenericChannel:
- Add a GenericSend trait which is meant to replace the `IpcSend` trait
over time, as channels are migrated. For the time being this means, that
we often need to use `GenericSend::send()` to disambiguate from the
`IpcSend::send` function, until all usages of `IpcSend` have been
replaced.
- Add an OpaqueSender impl for GenericSender
- Add a profiled version of GenericChannel. The profiling is 1:1 the
same as for the existing profiled IPC channel, namely that only the
blocked time during `recv` is measured.
Testing: No functional changes, covered by existing tests
Part of #38912
---------
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
The IpcSend trait defines a `send()` method, so doing .sender().send()
seems like it just adds a useless clone of the sender, when we could
just `send()` directly.
This only cleans up the direct usages of this pattern, there are more
instances, where a helper method is defined, which returns the
IpcSender, and the only usages also just directly call send.
Testing: No functional changes
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
This pull request introduces changes to the storage subsystem to:
- Isolate sessionStorage per top-level browsing context (WebViewId), in
addition to origin.
- Copy sessionStorage when creating a new auxiliary browsing context
without
noopener, as required by the corresponding spec
These changes bring Servo closer to spec compliance, matching expected
browser
behavior.
Testing: This work affects observable behavior. As a result, some
previously
failing WPT tests now pass. No new tests are added, since the behavior
is
already covered by existing web-platform-tests.
Fixes: #21291
---------
Signed-off-by: Jan Varga <jan.varga@gmail.com>
For Desktop port of `request_open_auxiliary_webview`, stay on the
original WebView if the request originates WebDriver.
This is to make sure `webdriver_server::handle_new_window` does not
focus the new window, according to spec. See
c7eba2dbba/tests/wpt/tests/webdriver/tests/classic/new_window/new_window.py (L31-L37)
**To clarify**: this won't change the behaviour when user interacts, but
only affects WebDriver [New
Window](https://w3c.github.io/webdriver/#new-window).
Testing: `./mach test-wpt -r --log-raw "D:/servo log/all.txt"
./tests/wpt/tests/webdriver/tests/classic --product servodriver` based
on 96b0973037
---------
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Previously, when the theme was set it was only set on currently active
`Window`s. This change makes setting the `Theme` stateful. Now the
`Constellation` tracks what theme is applied to a `WebView` and properly
passes that value to new `Pipeline`s when they are constructed. In
addition, the value is passed to layout when that is constructed as
well.
Testing: this change adds a unit test.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This is the last big change necessary to create the
`constellation_traits` crate. This moves the data structure for messages
that originate from the `ScriptThread` and are sent to the
`Contellation` to `constellation_traits`, effectively splitting
`script_traits` in half. Before, `script_traits` was responsible for
exposing the API of both the `ScriptThread` and the `Constellation` to
the rest of Servo.
- Data structures that are used by `ScriptToConstellationMsg` are moved
to `constellation_traits`. The dependency graph looks a bit like this:
`script_layout_interface` depends on `script_traits` depends on
`constellation_traits` depends on `embedder_traits`.
- Data structures that are used in the embedding layer
(`UntrustedNodeAddress`, `CompositorHitTestResult`, `TouchEventResult`
and `AnimationState`) are moved to embedder_traits, to avoid a
dependency cycle between `webrender_traits` and
`constellation_traits`.
- Types dealing with MessagePorts and serialization are moved to
`constellation_traits::message_port`.
Testing: This is covered by existing tests as it just moves types
around.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Propagate through documents a flag that represents if any of the
ancestor navigables has a potentially trustworthy origin.
The "potentially trustworthy origin" concept appears to have gotten
confused in a couple of places and we were instead testing if a URL had
"potentially trustworthy" properties.
The main test for the ancestor navigables is
[mixed-content/nested-iframes](https://github.com/web-platform-tests/wpt/blob/master/mixed-content/nested-iframes.window.js)
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix#36108
<!-- Either: -->
- [X] There are tests for these changes
---------
Signed-off-by: Sebastian C <sebsebmc@gmail.com>
Messages that are sent to the `Constellation` have pretty ambiguous
names.
This change does two renames:
- `ConstellationMsg` → `EmbedderToConstellationMessage`
- `ScriptMsg` → `ScriptToConstellationMessage`
This naming reflects that the `Constellation` stands in between the
embedding layer and the script layer and can receive messages from both.
Soon both of these message types will live in `constellation_traits`,
reflecting the idea that the `_traits` variant for a crate is
responsible for exposing the API for that crate.
Testing: No new tests are necessary here as this just renames two enums.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
The `Constellation` previously held a `window_size` member, but this
assumes that all `WebView`s have the same size. This change removes that
assumption as well as making sure that all `WebView`s pass their size
and HiDIP scaling to the `Constellation` when they are created.
In addition
- `WindowSizeData` is renamed to `ViewportDetails`, as it was
holding more than just the size and it didn't necessarily correspond to
a "window." It's used for tracking viewport data, whether for an
`<iframe>` or the main `WebView` viewport.
- `ViewportDetails` is stored more consistently so that conceptually an
`<iframe>` can also have its own HiDPI scaling. This isn't something
we necessarily want, but it makes everything conceptually simpler.
The goal with this change is to work toward allowing per-`WebView` HiDPI
scaling and sizing. There are still some corresponding changes in the
compositor to make that happen, but they will in a subsequent change.
Testing: This is covered by existing tests. There should be no behavior
changes.
Fixes: This is part of #36232.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
…Window-only constructors
<!-- Please describe your changes on the following line: -->
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] These changes fix#36118 (GitHub issue number if applicable)
<!-- Either: -->
- [ ] There are tests for these changes OR
- [ ] These changes do not require tests because ___
<!-- Also, please make sure that "Allow edits from maintainers" checkbox
is checked, so that we can help you if you get stuck somewhere along the
way.-->
<!-- Pull requests that do not address these steps are welcome, but they
will require additional verification as part of the review process. -->
---------
Signed-off-by: richarddushime <mudaherarich@gmail.com>
Signed-off-by: Richard Dushime <45734838+richarddushime@users.noreply.github.com>
The `WebViewId` name is a lot more descriptive these days to the casual
reader, so I think we can go ahead and finish the rename.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
To allow embedders to interact with webviews as soon as they are
created, we need to ensure that they exist in both the compositor and
the constellation before those interactions happen. #35662 does this
for the compositor, while this patch does this for the constellation.
When a webview opens another webview (via <a target>, <form target>,
window.open(), etc), the embedder creates an “auxiliary” webview,
which previously went as follows:
- script create_auxiliary_browsing_context
- libservo AllowOpeningWebView
- embedder request_open_auxiliary_webview (→ constellation FocusWebView)
- script create_auxiliary_browsing_context
- constellation ScriptNewAuxiliary
In that model, the constellation may receive FocusWebView before it
receives ScriptNewAuxiliary. Now they are created as follows:
- script create_auxiliary_browsing_context
- constellation CreateAuxiliaryWebView
- libservo AllowOpeningWebView
- embedder request_open_auxiliary_webview (→ constellation FocusWebView)
- constellation CreateAuxiliaryWebView
- script create_auxiliary_browsing_context
Since these messages are all synchronous and the constellation will
have set up the webview before handling any new messages, the webview
will always exist by the time we handle the embedder’s FocusWebView.
Signed-off-by: Delan Azabani <dazabani@igalia.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
`EmbedderMsg` was previously paired with an implicit
`Option<WebViewId>`, even though almost all variants were either always
`Some` or always `None`, depending on whether there was a `WebView
involved.
This patch adds the `WebViewId` to as many `EmbedderMsg` variants as
possible, so we can call their associated `WebView` delegate methods
without needing to check and unwrap the `Option`. In many cases, this
required more changes to plumb through the `WebViewId`.
Notably, all `Request`s now explicitly need a `WebView` or not, in order
to ensure that it is passed when appropriate.
Signed-off-by: Delan Azabani <dazabani@igalia.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
This patch introduces a new handle-based webview API to libservo, with
two main design goals:
1. The lifetime of the handles controls the lifetime of the webview,
giving the embedder full control over exactly when webviews are
created and destroyed. This is consistent with how WebKitGTK’s
WebView works; the engine can only create webviews via a create
request, and can only destroy them via a close request.
2. All methods are infallible; if the constellation dies, the embedder
finds out when calling Servo::handle_events.
For the moment, the embedder is only responsible for creating the
WebView id, and not the internal TopLevelBrowsingContext data
structures. This is so that the ScriptThread is able to get a handle on
the new WebView's WindowProxy in the case that it's an auxiliary
browsing context. In the future, the embedder should also be responsible
for creating the TopLevelBrowsingContext and the ScriptThread should
have mechanism to associate the two views so that WebView creation is
always executed through the same code path in the embedding layer. For
now, it's enough that the embedder can get a handle to the new WebView
when it's creation is requested.
Once we replace EmbedderMsg with a webview delegate trait, we will pass
WebView handles to the embedder, rather than webview ids. We’ll also add
detailed docs, once the design settles.
Signed-off-by: Delan Azabani <dazabani@igalia.com>
Co-authored-by: Martin Robinson <mrobinson@igalia.com>
Expose two new helpers and start using them as much as possible.
- `NodeTraits::owner_global`: which gets the `GlobalScope` that currenty
owns a `Node`. This may be different than `.global()` in the case that
the `Node` was adopted by a different `Document`.
- `Window::as_global_scope`: A helper to avoid having to cast so much
when treating a `Window` like a `GlobalScope`.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
