diff options
Diffstat (limited to 'components/script')
| -rw-r--r-- | components/script/dom/element.rs | 30 | ||||
| -rw-r--r-- | components/script/dom/globalscope.rs | 35 | ||||
| -rw-r--r-- | components/script/dom/htmlelement.rs | 19 | ||||
| -rw-r--r-- | components/script/dom/htmliframeelement.rs | 17 | ||||
| -rw-r--r-- | components/script/dom/htmlscriptelement.rs | 116 | ||||
| -rw-r--r-- | components/script/dom/macros.rs | 26 | ||||
| -rw-r--r-- | components/script/dom/servoparser/mod.rs | 22 | ||||
| -rw-r--r-- | components/script/dom/trustedscript.rs | 36 | ||||
| -rw-r--r-- | components/script/dom/trustedscripturl.rs | 29 | ||||
| -rw-r--r-- | components/script/dom/trustedtypepolicy.rs | 195 | ||||
| -rw-r--r-- | components/script/dom/trustedtypepolicyfactory.rs | 60 | ||||
| -rw-r--r-- | components/script/script_thread.rs | 13 |
12 files changed, 391 insertions, 207 deletions
diff --git a/components/script/dom/element.rs b/components/script/dom/element.rs index c040078f707..d92d5c124d1 100644 --- a/components/script/dom/element.rs +++ b/components/script/dom/element.rs @@ -149,7 +149,6 @@ use crate::dom::raredata::ElementRareData; use crate::dom::servoparser::ServoParser; use crate::dom::shadowroot::{IsUserAgentWidget, ShadowRoot}; use crate::dom::text::Text; -use crate::dom::types::TrustedTypePolicyFactory; use crate::dom::validation::Validatable; use crate::dom::validitystate::ValidationFlags; use crate::dom::virtualmethods::{VirtualMethods, vtable_for}; @@ -1961,35 +1960,6 @@ impl Element { .unwrap_or_else(|_| TrustedScriptURLOrUSVString::USVString(USVString(value.to_owned()))) } - pub(crate) fn set_trusted_type_url_attribute( - &self, - local_name: &LocalName, - value: TrustedScriptURLOrUSVString, - can_gc: CanGc, - ) -> Fallible<()> { - assert_eq!(*local_name, local_name.to_ascii_lowercase()); - let value = match value { - TrustedScriptURLOrUSVString::USVString(url) => { - let global = self.owner_global(); - // TODO(36258): Reflectively get the name of the class - let sink = format!("{} {}", "HTMLScriptElement", &local_name); - let result = TrustedTypePolicyFactory::get_trusted_type_compliant_string( - &global, - url.to_string(), - &sink, - "'script'", - can_gc, - ); - result? - }, - // This partially implements <https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm> - // Step 1: If input is an instance of expectedType, return stringified input and abort these steps. - TrustedScriptURLOrUSVString::TrustedScriptURL(script_url) => script_url.to_string(), - }; - self.set_attribute(local_name, AttrValue::String(value), can_gc); - Ok(()) - } - pub(crate) fn get_string_attribute(&self, local_name: &LocalName) -> DOMString { match self.get_attribute(&ns!(), local_name) { Some(x) => x.Value(), diff --git a/components/script/dom/globalscope.rs b/components/script/dom/globalscope.rs index f097642f424..527d03eed4e 100644 --- a/components/script/dom/globalscope.rs +++ b/components/script/dom/globalscope.rs @@ -18,11 +18,12 @@ use base::id::{ ServiceWorkerId, ServiceWorkerRegistrationId, WebViewId, }; use constellation_traits::{ - BlobData, BlobImpl, BroadcastMsg, FileBlob, MessagePortImpl, MessagePortMsg, PortMessageTask, - ScriptToConstellationChan, ScriptToConstellationMessage, + BlobData, BlobImpl, BroadcastMsg, FileBlob, LoadData, LoadOrigin, MessagePortImpl, + MessagePortMsg, PortMessageTask, ScriptToConstellationChan, ScriptToConstellationMessage, }; use content_security_policy::{ - CheckResult, CspList, PolicyDisposition, PolicySource, Violation, ViolationResource, + CheckResult, CspList, Destination, Initiator, NavigationCheckType, ParserMetadata, + PolicyDisposition, PolicySource, Request, Violation, ViolationResource, }; use crossbeam_channel::Sender; use devtools_traits::{PageError, ScriptToDevtoolsControlMsg}; @@ -62,6 +63,7 @@ use profile_traits::{ipc as profile_ipc, mem as profile_mem, time as profile_tim use script_bindings::interfaces::GlobalScopeHelpers; use servo_url::{ImmutableOrigin, MutableOrigin, ServoUrl}; use timers::{TimerEventId, TimerEventRequest, TimerSource}; +use url::Origin; use uuid::Uuid; #[cfg(feature = "webgpu")] use webgpu_traits::{DeviceLostReason, WebGPUDevice}; @@ -2951,6 +2953,33 @@ impl GlobalScope { is_js_evaluation_allowed == CheckResult::Allowed } + pub(crate) fn should_navigation_request_be_blocked(&self, load_data: &LoadData) -> bool { + let Some(csp_list) = self.get_csp_list() else { + return false; + }; + let request = Request { + url: load_data.url.clone().into_url(), + origin: match &load_data.load_origin { + LoadOrigin::Script(immutable_origin) => immutable_origin.clone().into_url_origin(), + _ => Origin::new_opaque(), + }, + // TODO: populate this field correctly + redirect_count: 0, + destination: Destination::None, + initiator: Initiator::None, + nonce: "".to_owned(), + integrity_metadata: "".to_owned(), + parser_metadata: ParserMetadata::None, + }; + // TODO: set correct navigation check type for form submission if applicable + let (result, violations) = + csp_list.should_navigation_request_be_blocked(&request, NavigationCheckType::Other); + + self.report_csp_violations(violations); + + result == CheckResult::Blocked + } + pub(crate) fn create_image_bitmap( &self, image: ImageBitmapSource, diff --git a/components/script/dom/htmlelement.rs b/components/script/dom/htmlelement.rs index e7efbde9b1d..59b71543d6d 100644 --- a/components/script/dom/htmlelement.rs +++ b/components/script/dom/htmlelement.rs @@ -116,7 +116,7 @@ impl HTMLElement { /// `.outerText` in JavaScript.` /// /// <https://html.spec.whatwg.org/multipage/#get-the-text-steps> - fn get_inner_outer_text(&self, can_gc: CanGc) -> DOMString { + pub(crate) fn get_inner_outer_text(&self, can_gc: CanGc) -> DOMString { let node = self.upcast::<Node>(); let window = node.owner_window(); let element = self.as_element(); @@ -134,6 +134,16 @@ impl HTMLElement { DOMString::from(text) } + + /// <https://html.spec.whatwg.org/multipage/#set-the-inner-text-steps> + pub(crate) fn set_inner_text(&self, input: DOMString, can_gc: CanGc) { + // Step 1: Let fragment be the rendered text fragment for value given element's node + // document. + let fragment = self.rendered_text_fragment(input, can_gc); + + // Step 2: Replace all with fragment within element. + Node::replace_all(Some(fragment.upcast()), self.upcast::<Node>(), can_gc); + } } impl HTMLElementMethods<crate::DomTypeHolder> for HTMLElement { @@ -494,12 +504,7 @@ impl HTMLElementMethods<crate::DomTypeHolder> for HTMLElement { /// <https://html.spec.whatwg.org/multipage/#set-the-inner-text-steps> fn SetInnerText(&self, input: DOMString, can_gc: CanGc) { - // Step 1: Let fragment be the rendered text fragment for value given element's node - // document. - let fragment = self.rendered_text_fragment(input, can_gc); - - // Step 2: Replace all with fragment within element. - Node::replace_all(Some(fragment.upcast()), self.upcast::<Node>(), can_gc); + self.set_inner_text(input, can_gc) } /// <https://html.spec.whatwg.org/multipage/#dom-outertext> diff --git a/components/script/dom/htmliframeelement.rs b/components/script/dom/htmliframeelement.rs index c5194c4527f..0fbff86e44a 100644 --- a/components/script/dom/htmliframeelement.rs +++ b/components/script/dom/htmliframeelement.rs @@ -162,8 +162,13 @@ impl HTMLIFrameElement { if load_data.url.scheme() == "javascript" { let window_proxy = self.GetContentWindow(); if let Some(window_proxy) = window_proxy { + if document + .global() + .should_navigation_request_be_blocked(&load_data) + { + return; + } // Important re security. See https://github.com/servo/servo/issues/23373 - // TODO: check according to https://w3c.github.io/webappsec-csp/#should-block-navigation-request if ScriptThread::check_load_origin(&load_data.load_origin, &document.url().origin()) { ScriptThread::eval_js_url(&window_proxy.global(), &mut load_data, can_gc); @@ -274,6 +279,7 @@ impl HTMLIFrameElement { Some(document.insecure_requests_policy()), document.has_trustworthy_ancestor_or_current_origin(), ); + load_data.policy_container = Some(window.as_global_scope().policy_container()); let element = self.upcast::<Element>(); load_data.srcdoc = String::from(element.get_string_attribute(&local_name!("srcdoc"))); self.navigate_or_reload_child_browsing_context( @@ -356,7 +362,7 @@ impl HTMLIFrameElement { None }; - let load_data = LoadData::new( + let mut load_data = LoadData::new( LoadOrigin::Script(document.origin().immutable().clone()), url, creator_pipeline_id, @@ -373,6 +379,10 @@ impl HTMLIFrameElement { let is_about_blank = pipeline_id.is_some() && pipeline_id == self.about_blank_pipeline_id.get(); + if is_about_blank { + load_data.policy_container = Some(window.as_global_scope().policy_container()); + } + let history_handling = if is_about_blank { NavigationHistoryBehavior::Replace } else { @@ -402,7 +412,7 @@ impl HTMLIFrameElement { let document = self.owner_document(); let window = self.owner_window(); let pipeline_id = Some(window.pipeline_id()); - let load_data = LoadData::new( + let mut load_data = LoadData::new( LoadOrigin::Script(document.origin().immutable().clone()), url, pipeline_id, @@ -412,6 +422,7 @@ impl HTMLIFrameElement { Some(document.insecure_requests_policy()), document.has_trustworthy_ancestor_or_current_origin(), ); + load_data.policy_container = Some(window.as_global_scope().policy_container()); let browsing_context_id = BrowsingContextId::new(); let webview_id = window.window_proxy().webview_id(); self.pipeline_id.set(None); diff --git a/components/script/dom/htmlscriptelement.rs b/components/script/dom/htmlscriptelement.rs index 58853f600d2..9d0ca807748 100644 --- a/components/script/dom/htmlscriptelement.rs +++ b/components/script/dom/htmlscriptelement.rs @@ -32,6 +32,7 @@ use net_traits::{ }; use servo_config::pref; use servo_url::{ImmutableOrigin, ServoUrl}; +use style::attr::AttrValue; use style::str::{HTML_SPACE_CHARACTERS, StaticStringVec}; use stylo_atoms::Atom; use uuid::Uuid; @@ -44,7 +45,9 @@ use crate::dom::bindings::codegen::Bindings::DocumentBinding::DocumentMethods; use crate::dom::bindings::codegen::Bindings::HTMLScriptElementBinding::HTMLScriptElementMethods; use crate::dom::bindings::codegen::Bindings::NodeBinding::NodeMethods; use crate::dom::bindings::codegen::GenericBindings::HTMLElementBinding::HTMLElement_Binding::HTMLElementMethods; -use crate::dom::bindings::codegen::UnionTypes::TrustedScriptURLOrUSVString; +use crate::dom::bindings::codegen::UnionTypes::{ + TrustedScriptOrString, TrustedScriptURLOrUSVString, +}; use crate::dom::bindings::error::Fallible; use crate::dom::bindings::inheritance::Castable; use crate::dom::bindings::refcounted::Trusted; @@ -64,6 +67,8 @@ use crate::dom::globalscope::GlobalScope; use crate::dom::htmlelement::HTMLElement; use crate::dom::node::{ChildrenMutation, CloneChildrenFlag, Node, NodeTraits}; use crate::dom::performanceresourcetiming::InitiatorType; +use crate::dom::trustedscript::TrustedScript; +use crate::dom::trustedscripturl::TrustedScriptURL; use crate::dom::virtualmethods::VirtualMethods; use crate::fetch::create_a_potential_cors_request; use crate::network_listener::{self, NetworkListener, PreInvoke, ResourceTimingListener}; @@ -667,7 +672,7 @@ impl HTMLScriptElement { // Step 5. Let source text be el's child text content. // Step 6. If el has no src attribute, and source text is the empty string, then return. - let text = self.Text(); + let text = self.text(); if text.is_empty() && !element.has_attribute(&local_name!("src")) { return; } @@ -1272,6 +1277,15 @@ impl HTMLScriptElement { let event = Event::new(window.upcast(), type_, bubbles, cancelable, can_gc); event.fire(self.upcast(), can_gc) } + + fn text(&self) -> DOMString { + match self.Text() { + TrustedScriptOrString::String(value) => value, + TrustedScriptOrString::TrustedScript(trusted_script) => { + DOMString::from(trusted_script.to_string()) + }, + } + } } impl VirtualMethods for HTMLScriptElement { @@ -1286,7 +1300,7 @@ impl VirtualMethods for HTMLScriptElement { if *attr.local_name() == local_name!("src") { if let AttributeMutation::Set(_) = mutation { if !self.parser_inserted.get() && self.upcast::<Node>().is_connected() { - self.prepare(CanGc::note()); + self.prepare(can_gc); } } } @@ -1344,10 +1358,25 @@ impl VirtualMethods for HTMLScriptElement { impl HTMLScriptElementMethods<crate::DomTypeHolder> for HTMLScriptElement { // https://html.spec.whatwg.org/multipage/#dom-script-src - make_trusted_type_url_getter!(Src, "src"); + fn Src(&self) -> TrustedScriptURLOrUSVString { + let element = self.upcast::<Element>(); + element.get_trusted_type_url_attribute(&local_name!("src")) + } - // https://html.spec.whatwg.org/multipage/#dom-script-src - make_trusted_type_url_setter!(SetSrc, "src"); + /// <https://w3c.github.io/trusted-types/dist/spec/#the-src-idl-attribute> + fn SetSrc(&self, value: TrustedScriptURLOrUSVString, can_gc: CanGc) -> Fallible<()> { + let element = self.upcast::<Element>(); + let local_name = &local_name!("src"); + let value = TrustedScriptURL::get_trusted_script_url_compliant_string( + &element.owner_global(), + value, + "HTMLScriptElement", + local_name, + can_gc, + )?; + element.set_attribute(local_name, AttrValue::String(value), can_gc); + Ok(()) + } // https://html.spec.whatwg.org/multipage/#dom-script-type make_getter!(Type, "type"); @@ -1416,14 +1445,77 @@ impl HTMLScriptElementMethods<crate::DomTypeHolder> for HTMLScriptElement { // https://html.spec.whatwg.org/multipage/#dom-script-referrerpolicy make_setter!(SetReferrerPolicy, "referrerpolicy"); - // https://html.spec.whatwg.org/multipage/#dom-script-text - fn Text(&self) -> DOMString { - self.upcast::<Node>().child_text_content() + /// <https://w3c.github.io/trusted-types/dist/spec/#dom-htmlscriptelement-innertext> + fn InnerText(&self, can_gc: CanGc) -> TrustedScriptOrString { + // Step 1: Return the result of running get the text steps with this. + TrustedScriptOrString::String(self.upcast::<HTMLElement>().get_inner_outer_text(can_gc)) } - // https://html.spec.whatwg.org/multipage/#dom-script-text - fn SetText(&self, value: DOMString, can_gc: CanGc) { - self.upcast::<Node>().SetTextContent(Some(value), can_gc) + /// <https://w3c.github.io/trusted-types/dist/spec/#the-innerText-idl-attribute> + fn SetInnerText(&self, input: TrustedScriptOrString, can_gc: CanGc) -> Fallible<()> { + // Step 1: Let value be the result of calling Get Trusted Type compliant string with TrustedScript, + // this's relevant global object, the given value, HTMLScriptElement innerText, and script. + let value = TrustedScript::get_trusted_script_compliant_string( + &self.owner_global(), + input, + "HTMLScriptElement", + "innerText", + can_gc, + )?; + // Step 3: Run set the inner text steps with this and value. + self.upcast::<HTMLElement>() + .set_inner_text(DOMString::from(value), can_gc); + Ok(()) + } + + /// <https://html.spec.whatwg.org/multipage/#dom-script-text> + fn Text(&self) -> TrustedScriptOrString { + TrustedScriptOrString::String(self.upcast::<Node>().child_text_content()) + } + + /// <https://w3c.github.io/trusted-types/dist/spec/#the-text-idl-attribute> + fn SetText(&self, value: TrustedScriptOrString, can_gc: CanGc) -> Fallible<()> { + // Step 1: Let value be the result of calling Get Trusted Type compliant string with TrustedScript, + // this's relevant global object, the given value, HTMLScriptElement text, and script. + let value = TrustedScript::get_trusted_script_compliant_string( + &self.owner_global(), + value, + "HTMLScriptElement", + "text", + can_gc, + )?; + // Step 2: Set this's script text value to the given value. + // TODO: Implement for https://w3c.github.io/trusted-types/dist/spec/#prepare-script-text + // Step 3: String replace all with the given value within this. + Node::string_replace_all(DOMString::from(value), self.upcast::<Node>(), can_gc); + Ok(()) + } + + /// <https://w3c.github.io/trusted-types/dist/spec/#the-textContent-idl-attribute> + fn GetTextContent(&self) -> Option<TrustedScriptOrString> { + // Step 1: Return the result of running get text content with this. + Some(TrustedScriptOrString::String( + self.upcast::<Node>().GetTextContent()?, + )) + } + + /// <https://w3c.github.io/trusted-types/dist/spec/#the-textContent-idl-attribute> + fn SetTextContent(&self, value: Option<TrustedScriptOrString>, can_gc: CanGc) -> Fallible<()> { + // Step 1: Let value be the result of calling Get Trusted Type compliant string with TrustedScript, + // this's relevant global object, the given value, HTMLScriptElement textContent, and script. + let value = TrustedScript::get_trusted_script_compliant_string( + &self.owner_global(), + value.unwrap_or(TrustedScriptOrString::String(DOMString::from(""))), + "HTMLScriptElement", + "textContent", + can_gc, + )?; + // Step 2: Set this's script text value to value. + // TODO: Implement for https://w3c.github.io/trusted-types/dist/spec/#prepare-script-text + // Step 3: Run set text content with this and value. + self.upcast::<Node>() + .SetTextContent(Some(DOMString::from(value)), can_gc); + Ok(()) } } diff --git a/components/script/dom/macros.rs b/components/script/dom/macros.rs index 997341984c6..cc44497d0b9 100644 --- a/components/script/dom/macros.rs +++ b/components/script/dom/macros.rs @@ -122,32 +122,6 @@ macro_rules! make_url_setter( ); #[macro_export] -macro_rules! make_trusted_type_url_getter( - ( $attr:ident, $htmlname:tt ) => ( - fn $attr(&self) -> TrustedScriptURLOrUSVString { - use $crate::dom::bindings::inheritance::Castable; - use $crate::dom::element::Element; - let element = self.upcast::<Element>(); - element.get_trusted_type_url_attribute(&html5ever::local_name!($htmlname)) - } - ); -); - -#[macro_export] -macro_rules! make_trusted_type_url_setter( - ( $attr:ident, $htmlname:tt ) => ( - fn $attr(&self, value: TrustedScriptURLOrUSVString, can_gc: CanGc) -> Fallible<()> { - use $crate::dom::bindings::inheritance::Castable; - use $crate::dom::element::Element; - use $crate::script_runtime::CanGc; - let element = self.upcast::<Element>(); - element.set_trusted_type_url_attribute(&html5ever::local_name!($htmlname), - value, can_gc) - } - ); -); - -#[macro_export] macro_rules! make_form_action_getter( ( $attr:ident, $htmlname:tt ) => ( fn $attr(&self) -> DOMString { diff --git a/components/script/dom/servoparser/mod.rs b/components/script/dom/servoparser/mod.rs index 0650fde676e..5878573d552 100644 --- a/components/script/dom/servoparser/mod.rs +++ b/components/script/dom/servoparser/mod.rs @@ -21,6 +21,7 @@ use html5ever::{Attribute, ExpandedName, LocalName, QualName, local_name, ns}; use hyper_serde::Serde; use markup5ever::TokenizerResult; use mime::{self, Mime}; +use net_traits::policy_container::PolicyContainer; use net_traits::request::RequestId; use net_traits::{ FetchMetadata, FetchResponseListener, Metadata, NetworkError, ResourceFetchTiming, @@ -813,6 +814,27 @@ impl ParserContext { pushed_entry_index: None, } } + + pub(crate) fn append_parent_to_csp_list(&self, policy_container: Option<&PolicyContainer>) { + let Some(policy_container) = policy_container else { + return; + }; + let Some(parent_csp_list) = &policy_container.csp_list else { + return; + }; + let Some(parser) = self.parser.as_ref().map(|p| p.root()) else { + return; + }; + let new_csp_list = match parser.document.get_csp_list() { + None => parent_csp_list.clone(), + Some(original_csp_list) => { + let mut appended_csp_list = original_csp_list.clone(); + appended_csp_list.append(parent_csp_list.clone()); + appended_csp_list.to_owned() + }, + }; + parser.document.set_csp_list(Some(new_csp_list)); + } } impl FetchResponseListener for ParserContext { diff --git a/components/script/dom/trustedscript.rs b/components/script/dom/trustedscript.rs index 5ce51c24989..648fcc8c239 100644 --- a/components/script/dom/trustedscript.rs +++ b/components/script/dom/trustedscript.rs @@ -1,14 +1,19 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ +use std::fmt; use dom_struct::dom_struct; use crate::dom::bindings::codegen::Bindings::TrustedScriptBinding::TrustedScriptMethods; +use crate::dom::bindings::codegen::UnionTypes::TrustedScriptOrString; +use crate::dom::bindings::error::Fallible; use crate::dom::bindings::reflector::{Reflector, reflect_dom_object}; use crate::dom::bindings::root::DomRoot; use crate::dom::bindings::str::DOMString; use crate::dom::globalscope::GlobalScope; +use crate::dom::trustedtypepolicy::TrustedType; +use crate::dom::trustedtypepolicyfactory::TrustedTypePolicyFactory; use crate::script_runtime::CanGc; #[dom_struct] @@ -30,6 +35,37 @@ impl TrustedScript { pub(crate) fn new(data: String, global: &GlobalScope, can_gc: CanGc) -> DomRoot<Self> { reflect_dom_object(Box::new(Self::new_inherited(data)), global, can_gc) } + + pub(crate) fn get_trusted_script_compliant_string( + global: &GlobalScope, + value: TrustedScriptOrString, + containing_class: &str, + field: &str, + can_gc: CanGc, + ) -> Fallible<String> { + match value { + TrustedScriptOrString::String(value) => { + let sink = format!("{} {}", containing_class, field); + TrustedTypePolicyFactory::get_trusted_type_compliant_string( + TrustedType::TrustedScript, + global, + value.as_ref().to_owned(), + &sink, + "'script'", + can_gc, + ) + }, + + TrustedScriptOrString::TrustedScript(trusted_script) => Ok(trusted_script.to_string()), + } + } +} + +impl fmt::Display for TrustedScript { + #[inline] + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + f.write_str(&self.data) + } } impl TrustedScriptMethods<crate::DomTypeHolder> for TrustedScript { diff --git a/components/script/dom/trustedscripturl.rs b/components/script/dom/trustedscripturl.rs index ba1e0335abc..3f0aef248b3 100644 --- a/components/script/dom/trustedscripturl.rs +++ b/components/script/dom/trustedscripturl.rs @@ -7,10 +7,14 @@ use std::fmt; use dom_struct::dom_struct; use crate::dom::bindings::codegen::Bindings::TrustedScriptURLBinding::TrustedScriptURLMethods; +use crate::dom::bindings::codegen::UnionTypes::TrustedScriptURLOrUSVString; +use crate::dom::bindings::error::Fallible; use crate::dom::bindings::reflector::{Reflector, reflect_dom_object}; use crate::dom::bindings::root::DomRoot; use crate::dom::bindings::str::DOMString; use crate::dom::globalscope::GlobalScope; +use crate::dom::trustedtypepolicy::TrustedType; +use crate::dom::trustedtypepolicyfactory::TrustedTypePolicyFactory; use crate::script_runtime::CanGc; #[dom_struct] @@ -32,6 +36,31 @@ impl TrustedScriptURL { pub(crate) fn new(data: String, global: &GlobalScope, can_gc: CanGc) -> DomRoot<Self> { reflect_dom_object(Box::new(Self::new_inherited(data)), global, can_gc) } + + pub(crate) fn get_trusted_script_url_compliant_string( + global: &GlobalScope, + value: TrustedScriptURLOrUSVString, + containing_class: &str, + field: &str, + can_gc: CanGc, + ) -> Fallible<String> { + match value { + TrustedScriptURLOrUSVString::USVString(value) => { + let sink = format!("{} {}", containing_class, field); + TrustedTypePolicyFactory::get_trusted_type_compliant_string( + TrustedType::TrustedScriptURL, + global, + value.as_ref().to_owned(), + &sink, + "'script'", + can_gc, + ) + }, + TrustedScriptURLOrUSVString::TrustedScriptURL(trusted_script_url) => { + Ok(trusted_script_url.to_string()) + }, + } + } } impl fmt::Display for TrustedScriptURL { diff --git a/components/script/dom/trustedtypepolicy.rs b/components/script/dom/trustedtypepolicy.rs index 2ec5015eb88..d4def7269ed 100644 --- a/components/script/dom/trustedtypepolicy.rs +++ b/components/script/dom/trustedtypepolicy.rs @@ -7,6 +7,7 @@ use std::rc::Rc; use dom_struct::dom_struct; use js::jsapi::JSObject; use js::rust::HandleValue; +use strum_macros::IntoStaticStr; use crate::dom::bindings::callback::ExceptionHandling; use crate::dom::bindings::codegen::Bindings::TrustedTypePolicyBinding::TrustedTypePolicyMethods; @@ -38,6 +39,13 @@ pub struct TrustedTypePolicy { create_script_url: Option<Rc<CreateScriptURLCallback>>, } +#[derive(Clone, IntoStaticStr)] +pub(crate) enum TrustedType { + TrustedHTML, + TrustedScript, + TrustedScriptURL, +} + impl TrustedTypePolicy { fn new_inherited(name: String, options: &TrustedTypePolicyOptions) -> Self { Self { @@ -59,51 +67,87 @@ impl TrustedTypePolicy { reflect_dom_object(Box::new(Self::new_inherited(name, options)), global, can_gc) } - // TODO(36258): Remove when we refactor get_trusted_type_policy_value to take an enum - // value to handle which callback to call. The callback should not be exposed outside - // of the policy object, but is currently used in TrustedPolicyFactory::process_value_with_default_policy - pub(crate) fn create_script_url(&self) -> Option<Rc<CreateScriptURLCallback>> { - self.create_script_url.clone() + /// <https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-policy-value-algorithm> + fn check_callback_if_missing(throw_if_missing: bool) -> Fallible<Option<String>> { + // Step 3.1: If throwIfMissing throw a TypeError. + if throw_if_missing { + Err(Type("Cannot find type".to_owned())) + } else { + // Step 3.2: Else return null. + Ok(None) + } } - /// This does not take all arguments as specified. That's because the return type of the - /// trusted type function and object are not the same. 2 of the 3 string callbacks return - /// a DOMString, while the other one returns an USVString. Additionally, all three callbacks - /// have a unique type signature in WebIDL. - /// - /// To circumvent these type problems, rather than implementing the full functionality here, - /// part of the algorithm is implemented on the caller side. There, we only call the callback - /// and create the object. The rest of the machinery is ensuring the right values pass through - /// to the relevant callbacks. - /// /// <https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-policy-value-algorithm> - pub(crate) fn get_trusted_type_policy_value<S, PolicyCallback>( + pub(crate) fn get_trusted_type_policy_value( &self, - policy_value_callback: PolicyCallback, + expected_type: TrustedType, + cx: JSContext, + input: DOMString, + arguments: Vec<HandleValue>, throw_if_missing: bool, - ) -> Fallible<Option<S>> - where - S: AsRef<str>, - PolicyCallback: FnOnce() -> Option<Fallible<Option<S>>>, - { + can_gc: CanGc, + ) -> Fallible<Option<String>> { + rooted!(in(*cx) let this_object: *mut JSObject); // Step 1: Let functionName be a function name for the given trustedTypeName, based on the following table: - // Step 2: Let function be policy’s options[functionName]. - let function = policy_value_callback(); - match function { - // Step 3: If function is null, then: - None => { - // Step 3.1: If throwIfMissing throw a TypeError. - if throw_if_missing { - Err(Type("Cannot find type".to_owned())) - } else { - // Step 3.2: Else return null. - Ok(None) - } + match expected_type { + TrustedType::TrustedHTML => match &self.create_html { + // Step 3: If function is null, then: + None => TrustedTypePolicy::check_callback_if_missing(throw_if_missing), + // Step 2: Let function be policy’s options[functionName]. + Some(callback) => { + // Step 4: Let policyValue be the result of invoking function with value as a first argument, + // items of arguments as subsequent arguments, and callback **this** value set to null, + // rethrowing any exceptions. + callback + .Call_( + &this_object.handle(), + input, + arguments, + ExceptionHandling::Rethrow, + can_gc, + ) + .map(|result| result.map(|str| str.as_ref().to_owned())) + }, + }, + TrustedType::TrustedScript => match &self.create_script { + // Step 3: If function is null, then: + None => TrustedTypePolicy::check_callback_if_missing(throw_if_missing), + // Step 2: Let function be policy’s options[functionName]. + Some(callback) => { + // Step 4: Let policyValue be the result of invoking function with value as a first argument, + // items of arguments as subsequent arguments, and callback **this** value set to null, + // rethrowing any exceptions. + callback + .Call_( + &this_object.handle(), + input, + arguments, + ExceptionHandling::Rethrow, + can_gc, + ) + .map(|result| result.map(|str| str.as_ref().to_owned())) + }, + }, + TrustedType::TrustedScriptURL => match &self.create_script_url { + // Step 3: If function is null, then: + None => TrustedTypePolicy::check_callback_if_missing(throw_if_missing), + // Step 2: Let function be policy’s options[functionName]. + Some(callback) => { + // Step 4: Let policyValue be the result of invoking function with value as a first argument, + // items of arguments as subsequent arguments, and callback **this** value set to null, + // rethrowing any exceptions. + callback + .Call_( + &this_object.handle(), + input, + arguments, + ExceptionHandling::Rethrow, + can_gc, + ) + .map(|result| result.map(|str| str.as_ref().to_owned())) + }, }, - // Step 4: Let policyValue be the result of invoking function with value as a first argument, - // items of arguments as subsequent arguments, and callback **this** value set to null, - // rethrowing any exceptions. - Some(policy_value) => policy_value, } } @@ -118,27 +162,30 @@ impl TrustedTypePolicy { /// to the relevant callbacks. /// /// <https://w3c.github.io/trusted-types/dist/spec/#create-a-trusted-type-algorithm> - pub(crate) fn create_trusted_type<R, S, PolicyCallback, TrustedTypeCallback>( + pub(crate) fn create_trusted_type<R, TrustedTypeCallback>( &self, - policy_value_callback: PolicyCallback, + expected_type: TrustedType, + cx: JSContext, + input: DOMString, + arguments: Vec<HandleValue>, trusted_type_creation_callback: TrustedTypeCallback, + can_gc: CanGc, ) -> Fallible<DomRoot<R>> where R: DomObject, - S: AsRef<str>, - PolicyCallback: FnOnce() -> Option<Fallible<Option<S>>>, TrustedTypeCallback: FnOnce(String) -> DomRoot<R>, { // Step 1: Let policyValue be the result of executing Get Trusted Type policy value // with the same arguments as this algorithm and additionally true as throwIfMissing. - let policy_value = self.get_trusted_type_policy_value(policy_value_callback, true); + let policy_value = + self.get_trusted_type_policy_value(expected_type, cx, input, arguments, true, can_gc); match policy_value { // Step 2: If the algorithm threw an error, rethrow the error and abort the following steps. Err(error) => Err(error), Ok(policy_value) => { // Step 3: Let dataString be the result of stringifying policyValue. let data_string = match policy_value { - Some(value) => value.as_ref().into(), + Some(value) => value, // Step 4: If policyValue is null or undefined, set dataString to the empty string. None => "".to_owned(), }; @@ -164,22 +211,12 @@ impl TrustedTypePolicyMethods<crate::DomTypeHolder> for TrustedTypePolicy { can_gc: CanGc, ) -> Fallible<DomRoot<TrustedHTML>> { self.create_trusted_type( - || { - self.create_html.clone().map(|callback| { - rooted!(in(*cx) let this_object: *mut JSObject); - // Step 4: Let policyValue be the result of invoking function with value as a first argument, - // items of arguments as subsequent arguments, and callback **this** value set to null, - // rethrowing any exceptions. - callback.Call_( - &this_object.handle(), - input, - arguments, - ExceptionHandling::Rethrow, - can_gc, - ) - }) - }, + TrustedType::TrustedHTML, + cx, + input, + arguments, |data_string| TrustedHTML::new(data_string, &self.global(), can_gc), + can_gc, ) } /// <https://www.w3.org/TR/trusted-types/#dom-trustedtypepolicy-createscript> @@ -191,22 +228,12 @@ impl TrustedTypePolicyMethods<crate::DomTypeHolder> for TrustedTypePolicy { can_gc: CanGc, ) -> Fallible<DomRoot<TrustedScript>> { self.create_trusted_type( - || { - self.create_script.clone().map(|callback| { - rooted!(in(*cx) let this_object: *mut JSObject); - // Step 4: Let policyValue be the result of invoking function with value as a first argument, - // items of arguments as subsequent arguments, and callback **this** value set to null, - // rethrowing any exceptions. - callback.Call_( - &this_object.handle(), - input, - arguments, - ExceptionHandling::Rethrow, - can_gc, - ) - }) - }, + TrustedType::TrustedScript, + cx, + input, + arguments, |data_string| TrustedScript::new(data_string, &self.global(), can_gc), + can_gc, ) } /// <https://www.w3.org/TR/trusted-types/#dom-trustedtypepolicy-createscripturl> @@ -218,22 +245,12 @@ impl TrustedTypePolicyMethods<crate::DomTypeHolder> for TrustedTypePolicy { can_gc: CanGc, ) -> Fallible<DomRoot<TrustedScriptURL>> { self.create_trusted_type( - || { - self.create_script_url.clone().map(|callback| { - rooted!(in(*cx) let this_object: *mut JSObject); - // Step 4: Let policyValue be the result of invoking function with value as a first argument, - // items of arguments as subsequent arguments, and callback **this** value set to null, - // rethrowing any exceptions. - callback.Call_( - &this_object.handle(), - input, - arguments, - ExceptionHandling::Rethrow, - can_gc, - ) - }) - }, + TrustedType::TrustedScriptURL, + cx, + input, + arguments, |data_string| TrustedScriptURL::new(data_string, &self.global(), can_gc), + can_gc, ) } } diff --git a/components/script/dom/trustedtypepolicyfactory.rs b/components/script/dom/trustedtypepolicyfactory.rs index 0dcc78b7cd0..0927446b904 100644 --- a/components/script/dom/trustedtypepolicyfactory.rs +++ b/components/script/dom/trustedtypepolicyfactory.rs @@ -6,11 +6,9 @@ use std::cell::RefCell; use content_security_policy::CheckResult; use dom_struct::dom_struct; use html5ever::{LocalName, Namespace, QualName, local_name, ns}; -use js::jsapi::JSObject; use js::jsval::NullValue; use js::rust::HandleValue; -use crate::dom::bindings::callback::ExceptionHandling; use crate::dom::bindings::codegen::Bindings::TrustedTypePolicyFactoryBinding::{ TrustedTypePolicyFactoryMethods, TrustedTypePolicyOptions, }; @@ -23,7 +21,7 @@ use crate::dom::globalscope::GlobalScope; use crate::dom::trustedhtml::TrustedHTML; use crate::dom::trustedscript::TrustedScript; use crate::dom::trustedscripturl::TrustedScriptURL; -use crate::dom::trustedtypepolicy::TrustedTypePolicy; +use crate::dom::trustedtypepolicy::{TrustedType, TrustedTypePolicy}; use crate::js::conversions::ToJSValConvertible; use crate::script_runtime::{CanGc, JSContext}; @@ -144,50 +142,40 @@ impl TrustedTypePolicyFactory { /// <https://w3c.github.io/trusted-types/dist/spec/#process-value-with-a-default-policy-algorithm> #[allow(unsafe_code)] pub(crate) fn process_value_with_default_policy( + expected_type: TrustedType, global: &GlobalScope, input: String, sink: &str, can_gc: CanGc, - ) -> Fallible<Option<DomRoot<TrustedScriptURL>>> { + ) -> Fallible<Option<String>> { // Step 1: Let defaultPolicy be the value of global’s trusted type policy factory's default policy. let global_policy_factory = global.trusted_types(can_gc); let default_policy = match global_policy_factory.default_policy.get() { - None => return Ok(Some(TrustedScriptURL::new(input, global, can_gc))), + None => return Ok(None), Some(default_policy) => default_policy, }; let cx = GlobalScope::get_cx(); // Step 2: Let policyValue be the result of executing Get Trusted Type policy value, // with the following arguments: - let policy_value = default_policy.get_trusted_type_policy_value( - || { - // TODO(36258): support other trusted types as well by changing get_trusted_type_policy_value to accept - // the trusted type as enum and call the appropriate callback based on that. - default_policy.create_script_url().map(|callback| { - rooted!(in(*cx) let this_object: *mut JSObject); - rooted!(in(*cx) let mut trusted_type_name_value = NullValue()); - unsafe { - "TrustedScriptURL".to_jsval(*cx, trusted_type_name_value.handle_mut()); - } + rooted!(in(*cx) let mut trusted_type_name_value = NullValue()); + unsafe { + let trusted_type_name: &'static str = expected_type.clone().into(); + trusted_type_name.to_jsval(*cx, trusted_type_name_value.handle_mut()); + } - rooted!(in(*cx) let mut sink_value = NullValue()); - unsafe { - sink.to_jsval(*cx, sink_value.handle_mut()); - } + rooted!(in(*cx) let mut sink_value = NullValue()); + unsafe { + sink.to_jsval(*cx, sink_value.handle_mut()); + } - let args = vec![trusted_type_name_value.handle(), sink_value.handle()]; - // Step 4: Let policyValue be the result of invoking function with value as a first argument, - // items of arguments as subsequent arguments, and callback **this** value set to null, - // rethrowing any exceptions. - callback.Call_( - &this_object.handle(), - DOMString::from(input.to_owned()), - args, - ExceptionHandling::Rethrow, - can_gc, - ) - }) - }, + let arguments = vec![trusted_type_name_value.handle(), sink_value.handle()]; + let policy_value = default_policy.get_trusted_type_policy_value( + expected_type, + cx, + DOMString::from(input.to_owned()), + arguments, false, + can_gc, ); let data_string = match policy_value { // Step 3: If the algorithm threw an error, rethrow the error and abort the following steps. @@ -196,14 +184,15 @@ impl TrustedTypePolicyFactory { // Step 4: If policyValue is null or undefined, return policyValue. None => return Ok(None), // Step 5: Let dataString be the result of stringifying policyValue. - Some(policy_value) => policy_value.as_ref().into(), + Some(policy_value) => policy_value, }, }; - Ok(Some(TrustedScriptURL::new(data_string, global, can_gc))) + Ok(Some(data_string)) } /// Step 1 is implemented by the caller /// <https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm> pub(crate) fn get_trusted_type_compliant_string( + expected_type: TrustedType, global: &GlobalScope, input: String, sink: &str, @@ -224,6 +213,7 @@ impl TrustedTypePolicyFactory { // Step 4: Let convertedInput be the result of executing Process value with a default policy // with the same arguments as this algorithm. let converted_input = TrustedTypePolicyFactory::process_value_with_default_policy( + expected_type, global, input.clone(), sink, @@ -252,7 +242,7 @@ impl TrustedTypePolicyFactory { } }, // Step 8: Return stringified convertedInput. - Some(converted_input) => Ok((*converted_input).to_string()), + Some(converted_input) => Ok(converted_input), } // Step 7: Assert: convertedInput is an instance of expectedType. // TODO(https://github.com/w3c/trusted-types/issues/566): Implement when spec is resolved diff --git a/components/script/script_thread.rs b/components/script/script_thread.rs index 382ab94d893..7241c115a2a 100644 --- a/components/script/script_thread.rs +++ b/components/script/script_thread.rs @@ -598,7 +598,7 @@ impl ScriptThread { with_script_thread(|script_thread| { let is_javascript = load_data.url.scheme() == "javascript"; // If resource is a request whose url's scheme is "javascript" - // https://html.spec.whatwg.org/multipage/#javascript-protocol + // https://html.spec.whatwg.org/multipage/#navigate-to-a-javascript:-url if is_javascript { let window = match script_thread.documents.borrow().find_window(pipeline_id) { None => return, @@ -612,8 +612,12 @@ impl ScriptThread { .clone(); let task = task!(navigate_javascript: move || { // Important re security. See https://github.com/servo/servo/issues/23373 - // TODO: check according to https://w3c.github.io/webappsec-csp/#should-block-navigation-request if let Some(window) = trusted_global.root().downcast::<Window>() { + // Step 5: If the result of should navigation request of type be blocked by + // Content Security Policy? given request and cspNavigationType is "Blocked", then return. [CSP] + if trusted_global.root().should_navigation_request_be_blocked(&load_data) { + return; + } if ScriptThread::check_load_origin(&load_data.load_origin, &window.get_url().origin()) { ScriptThread::eval_js_url(&trusted_global.root(), &mut load_data, CanGc::note()); sender @@ -622,6 +626,7 @@ impl ScriptThread { } } }); + // Step 19 of <https://html.spec.whatwg.org/multipage/#navigate> global .task_manager() .dom_manipulation_task_source() @@ -3669,10 +3674,12 @@ impl ScriptThread { None => vec![], }; + let policy_container = incomplete.load_data.policy_container.clone(); self.incomplete_loads.borrow_mut().push(incomplete); let dummy_request_id = RequestId::default(); context.process_response(dummy_request_id, Ok(FetchMetadata::Unfiltered(meta))); + context.append_parent_to_csp_list(policy_container.as_ref()); context.process_response_chunk(dummy_request_id, chunk); context.process_response_eof( dummy_request_id, @@ -3692,12 +3699,14 @@ impl ScriptThread { let srcdoc = std::mem::take(&mut incomplete.load_data.srcdoc); let chunk = srcdoc.into_bytes(); + let policy_container = incomplete.load_data.policy_container.clone(); self.incomplete_loads.borrow_mut().push(incomplete); let mut context = ParserContext::new(id, url); let dummy_request_id = RequestId::default(); context.process_response(dummy_request_id, Ok(FetchMetadata::Unfiltered(meta))); + context.append_parent_to_csp_list(policy_container.as_ref()); context.process_response_chunk(dummy_request_id, chunk); context.process_response_eof( dummy_request_id, |