dyegoaurelio be58c968de script: Implement duplicate attribute check for CSP nonce validation (#43216) ...

Propagate the had_duplicate_attributes flag from html5ever's
ElementFlags through to the Element struct, enabling step 3 of the
CSP "is element nonceable" algorithm. Elements with duplicate
attributes are now correctly marked as "Not Nonceable", preventing
scripts with duplicate attributes from bypassing CSP nonce checks.

Testing: We still need https://github.com/servo/html5ever/issues/118 to
fully pass the
`content-security-policy/script-src/nonce-enforce-blocked.html` wpt
test. But I was able to uncomment some of the remaining tests on
`mozilla/csp/nonce-external-script-malformed-blocked.html`

---------

Signed-off-by: Dyego Aurélio <dyegoaurelio@gmail.com>

2026-03-17 19:37:40 +00:00

..

docs

…

dom

script: Implement duplicate attribute check for CSP nonce validation (#43216)

2026-03-17 19:37:40 +00:00

layout_dom

Upgrade Stylo to 2026-03-01 (#43045)

2026-03-06 23:39:55 +00:00

resources

html: Render media controls without ready state precondition (#40456)

2025-11-08 19:57:59 +00:00

animation_timeline.rs

…

animations.rs

Change some #[allow]s to #[expect]s (#40458)

2025-11-06 12:31:48 +00:00

body.rs

Everywhere: Remove instances of clippy::redundant-clone (#43212)

2026-03-12 13:28:21 +00:00

build.rs

script: copy include! files from script_bindings to script's OUT_DIR (#36384)

2025-04-08 19:22:24 +00:00

Cargo.toml

everywhere: Remove unused deps (#43344)

2026-03-17 13:26:01 +00:00

clipboard_provider.rs

Script: Convert routed_promise to GenericCallback (#41380)

2026-01-09 10:09:45 +00:00

conversions.rs

…

css.rs

script: Create CSS parsing helpers to simplify ParserContext setup (#41566)

2025-12-31 06:27:52 +00:00

devtools.rs

devtools: Remove EvaluateJS in favor of Eval (#43316)

2026-03-16 12:45:32 +00:00

document_collection.rs

Replace allow(crown::unrooted_must_root) with expect(crown::unrooted_must_root) (#41815)

2026-01-10 08:05:49 +00:00

document_loader.rs

script: Pass down &mut JSContext in servoparser and event loop. (#42635)

2026-02-25 07:14:23 +00:00

drag_data_store.rs

change #[allow]s to #[expect]s (#41635)

2026-01-03 10:54:27 +00:00

fetch.rs

Everywhere: Remove instances of clippy::redundant-clone (#43212)

2026-03-12 13:28:21 +00:00

iframe_collection.rs

script: Notify PinchZoom resizes to ScriptThread's VisualViewport (#41754)

2026-01-28 09:33:55 +00:00

image_animation.rs

painter: Insert a cache for animation with smarter updates (#41956)

2026-01-28 14:07:27 +00:00

indexeddb.rs

Everywhere: Remove instances of clippy::redundant-clone (#43212)

2026-03-12 13:28:21 +00:00

init.rs

script: Wrap remaining unsafe code and enable unsafe_op_in_unsafe_fn (#40499)

2025-11-08 14:27:35 +00:00

layout_image.rs

script: Pass &mut JSContext in FetchResponseListener::process_response_eof (#42729)

2026-02-20 16:03:21 +00:00

lib.rs

script: Move CSPViolationReportTask (#43269)

2026-03-14 19:43:24 +00:00

links.rs

script: Clean up attribute access a little bit in Element (#43064)

2026-03-06 20:02:37 +00:00

messaging.rs

script: Add a ServoInternals.garbageCollectAllContexts() (#42798)

2026-02-28 08:38:32 +00:00

microtask.rs

script: Pass down &mut JSContext in servoparser and event loop. (#42635)

2026-02-25 07:14:23 +00:00

mime.rs

chore: remove repetitive word in comment (#39948)

2025-10-17 08:48:23 +00:00

module_loading.rs

Everywhere: Remove instances of clippy::redundant-clone (#43212)

2026-03-12 13:28:21 +00:00

navigation.rs

Expose nested browsing context status in RequestClient (#41661)

2026-01-05 16:28:45 +00:00

network_listener.rs

script: Pass &mut JSContext in FetchResponseListener::process_response_eof (#42729)

2026-02-20 16:03:21 +00:00

realms.rs

script: Obtain &mut JSContext at the start of the script and pass it down to msg handlers (#41564)

2025-12-30 18:19:41 +00:00

routed_promise.rs

Script: Convert routed_promise to GenericCallback (#41380)

2026-01-09 10:09:45 +00:00

script_module.rs

script: Add support for modulepreload link elements (#42964)

2026-03-17 09:28:05 +00:00

script_mutation_observers.rs

script: Fix MutationObserver to use Dom instead of DomRoot (#40608)

2025-11-13 19:14:30 +00:00

script_runtime.rs

script: Log unhandled promise rejections to the console (#43323)

2026-03-17 08:02:49 +00:00

script_thread.rs

devtools: Remove EvaluateJS in favor of Eval (#43316)

2026-03-16 12:45:32 +00:00

script_window_proxies.rs

script: remove redundant ScriptWindowProxies method (#43276)

2026-03-15 08:53:29 +00:00

serviceworker_manager.rs

Everywhere: Remove instances of clippy::redundant-clone (#43212)

2026-03-12 13:28:21 +00:00

stylesheet_loader.rs

script: Check for render-blocking documents before continuing (#43150)

2026-03-13 09:54:03 +00:00

stylesheet_set.rs

deps: Bump Stylo to "Share Device logic among Gecko and Servo" (#43146)

2026-03-10 21:08:29 +00:00

task_manager.rs

Implement fetchLater (#39547)

2025-10-02 07:51:19 +00:00

task_queue.rs

script: Switch QueuedTask to a struct to support MallocSizeOf (#42531)

2026-02-11 08:40:49 +00:00

task_source.rs

Fix inconsistent strum dependencies and imports (#40907)

2025-11-26 21:37:55 +00:00

task.rs

script: Pass &mut JSContext to tasks (#41756)

2026-01-08 07:49:27 +00:00

test.rs

Revert "script: Fire select events for user input selections (#42806)" (#42876)

2026-02-26 11:52:36 +00:00

textinput.rs

script: Readily accept all event names as Atoms (#43066)

2026-03-06 19:25:33 +00:00

timers.rs

script: Pass &mut JSContext to set_timeout_or_interval (#43278)

2026-03-15 10:10:21 +00:00

unminify.rs

Script: Lazily transform the DOMString into Rust String instead of immediately. (#39509)

2025-10-09 18:18:03 +00:00

webdriver_handlers.rs

Everywhere: Remove instances of clippy::redundant-clone (#43212)

2026-03-12 13:28:21 +00:00

window_named_properties.rs

Change some #[allow]s to #[expect]s (#40458)

2025-11-06 12:31:48 +00:00

xpath.rs

script: Finish converting all error message enum variants to Option<String> (#40750)

2025-11-20 06:20:47 +00:00