author | elomscansio <163124154+elomscansio@users.noreply.github.com> | 2025-04-20 02:46:09 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-04-20 01:46:09 +0000 |
commit | d05496277e7db1777783a542a8ca768d05955ee5 (patch) | |
tree | 47428f1d91d895a4828cc37a9f29e1de5adce2cd | |
parent | fad5447838b65288b942b90cd3a018e88889b889 (diff) | |
htmlvideoelement: Include security settings in poster image request (#36605)
This PR addresses [#36593](https://github.com/servo/servo/issues/36593),
where the poster image request for `<video>` elements lacked several
settings introduced in `RequestBuilder`. These settings —
`insecure_requests_policy`, `has_trustworthy_ancestor_origin`, and
`policy_container` — are now forwarded from the document, aligning
poster requests with other fetches using the correct policy container
and trust assessment.
This ensures that poster images are requested under the same security
assumptions as other media or resource loads.
---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by
`[X]` when the step is complete, and replace `___` with appropriate
data: -->
- [X] `./mach build -d` does not report any errors
- [X] `./mach test-tidy` does not report any errors
- [X] These changes fix #36593
<!-- Either: -->
- [X] There are tests for these changes
Signed-off-by: Emmanuel Elom <elomemmanuel007@gmail.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
-rw-r--r-- | components/script/dom/htmlvideoelement.rs | 6 | ||||
-rw-r--r-- | tests/wpt/mozilla/meta/MANIFEST.json | 7 | ||||
-rw-r--r-- | tests/wpt/mozilla/meta/__dir__.ini | 1 | ||||
-rw-r--r-- | tests/wpt/mozilla/meta/mozilla/video_poster_frame.html.ini | 2 | ||||
-rw-r--r-- | tests/wpt/mozilla/tests/mozilla/video_poster_csp.sub.html | 25 |
5 files changed, 37 insertions, 4 deletions
diff --git a/components/script/dom/htmlvideoelement.rs b/components/script/dom/htmlvideoelement.rs
index b707d9c93a1..6f27c164d02 100644
--- a/components/script/dom/htmlvideoelement.rs
+++ b/components/script/dom/htmlvideoelement.rs
@@ -233,8 +233,10 @@ impl HTMLVideoElement {
 .credentials_mode(CredentialsMode::Include)
 .use_url_credentials(true)
 .origin(document.origin().immutable().clone())
- .pipeline_id(Some(document.global().pipeline_id()));
-
+ .pipeline_id(Some(document.global().pipeline_id()))
+ .insecure_requests_policy(document.insecure_requests_policy())
+ .has_trustworthy_ancestor_origin(document.has_trustworthy_ancestor_origin())
+ .policy_container(document.policy_container().to_owned());
 // Step 5.
 // This delay must be independent from the ones created by HTMLMediaElement during
 // its media load algorithm, otherwise a code like
diff --git a/tests/wpt/mozilla/meta/MANIFEST.json b/tests/wpt/mozilla/meta/MANIFEST.json
index b6782318356..2ef84bb18a6 100644
--- a/tests/wpt/mozilla/meta/MANIFEST.json
+++ b/tests/wpt/mozilla/meta/MANIFEST.json
@@ -14178,6 +14178,13 @@ {} ] ], + "video_poster_csp.sub.html": [ + "cc5dfd54c1e39904d5c919f6bd6840d65dcc0fa8", + [ + null, + {} + ] + ], "weakref.html": [ "4deccbe1e26a3f921eea85a4395394a55cc88be4", [
diff --git a/tests/wpt/mozilla/meta/__dir__.ini b/tests/wpt/mozilla/meta/__dir__.ini
index a57c0286b12..925f07e1c50 100644
--- a/tests/wpt/mozilla/meta/__dir__.ini
+++ b/tests/wpt/mozilla/meta/__dir__.ini
@@ -1,3 +1,4 @@
 prefs: [
 "dom_urlpattern_enabled:true",
+ "media_testing_enabled:true",
 ]
diff --git a/tests/wpt/mozilla/meta/mozilla/video_poster_frame.html.ini b/tests/wpt/mozilla/meta/mozilla/video_poster_frame.html.ini
deleted file mode 100644
index a8b5c2da0c5..00000000000
--- a/tests/wpt/mozilla/meta/mozilla/video_poster_frame.html.ini
+++ /dev/null
@@ -1,2 +0,0 @@
-[video_poster_frame.html]
- expected: TIMEOUT
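Review bot: In the `htmlvideoelement.rs` hunk the three forwarded settings are added with no comment, so nothing at this call site records that the poster fetch depends on them for policy enforcement (the accompanying test suggests CSP `img-src` was the check being missed). I would add above them `// Forward the document's security state so the poster fetch is policy-checked like other loads.`. The hunk also drops the blank line that separated the builder chain from `// Step 5.`; keeping it preserves the visible step boundaries. The enclosing function starts and ends outside the hunk, so the rest of the request setup is not reviewed here.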
diff --git a/tests/wpt/mozilla/tests/mozilla/video_poster_csp.sub.html b/tests/wpt/mozilla/tests/mozilla/video_poster_csp.sub.html
new file mode 100644
index 00000000000..cc5dfd54c1e
--- /dev/null
+++ b/tests/wpt/mozilla/tests/mozilla/video_poster_csp.sub.html
@@ -0,0 +1,25 @@
+<!doctype html>
+<meta http-equiv="content-security-policy" content="img-src 'self'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<video></video>
+<img></img>
+<script>
+ // This test sets up a cross-origin image URL for the video poster
+ // and verifies that the poster image is not shown.
+ // It also uses a separate image load to control when to end the test,
+ // since Servo doesn't fire any event handler if a poster image has an
+ // error (https://github.com/whatwg/html/issues/8445).
+ async_test(t => {
+ const pathparts = location.pathname.split('/');
+ const testfile = pathparts[pathparts.length - 1];
+ const url = location.href.replace(location.hostname, "{{hosts[alt][]}}").replace(testfile, "poster.png");
+ let img = document.querySelector("img");
+ img.src = url;
+ img.onload = t.unreached_func();
+ img.onerror = t.step_timeout(() => t.done(), 500);
+ let video = document.querySelector("video");
+ video.onpostershown = t.unreached_func();
+ video.poster = url;
+ });
+</script> |
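Review bot: `img.onerror = t.step_timeout(() => t.done(), 500);` calls `step_timeout` immediately and assigns its return value, not a handler function, to `onerror`, so the test finishes 500 ms after setup whether or not the control image has failed. A poster that is wrongly fetched but shown later than that window would go unnoticed, letting the CSP check pass vacuously. Starting the timer from the error event matches the intent stated in the comment: `img.onerror = t.step_func(() => t.step_timeout(() => t.done(), 500));`.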