diff --git a/Libraries/LibWeb/HTML/Worker.cpp b/Libraries/LibWeb/HTML/Worker.cpp
index d2a7fec7857..279f55585b5 100644
--- a/Libraries/LibWeb/HTML/Worker.cpp
+++ b/Libraries/LibWeb/HTML/Worker.cpp
@@ -12,6 +12,8 @@
 #include
 #include
 #include
+#include
+#include
 namespace Web::HTML {
@@ -42,7 +44,7 @@ void Worker::visit_edges(Cell::Visitor& visitor)
 // https://html.spec.whatwg.org/multipage/workers.html#dom-worker
 // https://whatpr.org/html/9893/workers.html#dom-worker
-WebIDL::ExceptionOr> Worker::create(String const& script_url, WorkerOptions const& options, DOM::Document& document)
+WebIDL::ExceptionOr> Worker::create(TrustedTypes::TrustedScriptURLOrString const& script_url, WorkerOptions const& options, DOM::Document& document)
 {
 dbgln_if(WEB_WORKER_DEBUG, "WebWorker: Creating worker with script_url = {}", script_url);
@@ -53,26 +55,31 @@ WebIDL::ExceptionOr> Worker::create(String const& script_url, Wo
 // JavaScript modules (specify type: "module"), and if that is specified, can also be used
 // to specify how scriptURL is fetched through the credentials option.
- // FIXME: 1. The user agent may throw a "SecurityError" DOMException if the request violates
- // a policy decision (e.g. if the user agent is configured to not allow the page to start dedicated workers).
- // Technically not a fixme if our policy is not to throw errors :^)
+ // 1. Let compliantScriptURL be the result of invoking the Get Trusted Type compliant string algorithm with
+ // TrustedScriptURL, this's relevant global object, scriptURL, "Worker constructor", and "script".
+ auto const compliant_script_url = TRY(TrustedTypes::get_trusted_type_compliant_string(
+ TrustedTypes::TrustedTypeName::TrustedScriptURL,
+ HTML::relevant_global_object(document),
+ script_url,
+ TrustedTypes::InjectionSink::Workerconstructor,
+ TrustedTypes::Script.to_string()));
 // 2. Let outside settings be the current principal settings object.
 auto& outside_settings = current_principal_settings_object();
 // 3. Parse the scriptURL argument relative to outside settings.
- auto url = outside_settings.parse_url(script_url);
+ auto url = outside_settings.parse_url(compliant_script_url.to_utf8_but_should_be_ported_to_utf16());
 // 4. If this fails, throw a "SyntaxError" DOMException.
 if (!url.has_value()) {
- dbgln_if(WEB_WORKER_DEBUG, "WebWorker: Invalid URL loaded '{}'.", script_url);
+ dbgln_if(WEB_WORKER_DEBUG, "WebWorker: Invalid URL loaded '{}'.", compliant_script_url);
 return WebIDL::SyntaxError::create(document.realm(), "url is not valid"_utf16);
 }
 // 5. Let worker URL be the resulting URL record.
 // 6. Let worker be a new Worker object.
- auto worker = document.realm().create(script_url, options, document);
+ auto worker = document.realm().create(compliant_script_url.to_utf8_but_should_be_ported_to_utf16(), options, document);
 // 7. Let outside port be a new MessagePort in outside settings's Realm.
 auto outside_port = MessagePort::create(outside_settings.realm());
diff --git a/Libraries/LibWeb/HTML/Worker.h b/Libraries/LibWeb/HTML/Worker.h
index 1570b1d0d99..b9ddad05f73 100644
--- a/Libraries/LibWeb/HTML/Worker.h
+++ b/Libraries/LibWeb/HTML/Worker.h
@@ -26,8 +26,8 @@ class Worker
 GC_DECLARE_ALLOCATOR(Worker);
 public:
- static WebIDL::ExceptionOr> create(String const& script_url, WorkerOptions const& options, DOM::Document& document);
- static WebIDL::ExceptionOr> construct_impl(JS::Realm& realm, String const& script_url, WorkerOptions const& options)
+ static WebIDL::ExceptionOr> create(TrustedTypes::TrustedScriptURLOrString const& script_url, WorkerOptions const& options, DOM::Document& document);
+ static WebIDL::ExceptionOr> construct_impl(JS::Realm& realm, TrustedTypes::TrustedScriptURLOrString const& script_url, WorkerOptions const& options)
 {
 auto& window = as(realm.global_object());
 return Worker::create(script_url, options, window.associated_document());
diff --git a/Libraries/LibWeb/HTML/Worker.idl b/Libraries/LibWeb/HTML/Worker.idl
index 83d4207c17c..962de387541 100644
--- a/Libraries/LibWeb/HTML/Worker.idl
+++ b/Libraries/LibWeb/HTML/Worker.idl
@@ -3,12 +3,12 @@
 #import
 #import
 #import
+#import
 // https://html.spec.whatwg.org/multipage/workers.html#worker
 [Exposed=(Window,DedicatedWorker,SharedWorker)]
 interface Worker : EventTarget {
- // FIXME: "DOMString scriptURL" should be "(TrustedScriptURL or USVString) scriptURL".
- constructor(DOMString scriptURL, optional WorkerOptions options = {});
+ constructor((TrustedScriptURL or Utf16USVString) scriptURL, optional WorkerOptions options = {});
 undefined terminate();
 undefined postMessage(any message, sequence transfer);
diff --git a/Libraries/LibWeb/TrustedTypes/InjectionSink.h b/Libraries/LibWeb/TrustedTypes/InjectionSink.h
index c50ea2045b3..73cfd4af004 100644
--- a/Libraries/LibWeb/TrustedTypes/InjectionSink.h
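Review bot: In the `Worker::create` hunk of Worker.cpp, `compliant_script_url.to_utf8_but_should_be_ported_to_utf16()` is evaluated twice, once for `parse_url` and once for the `Worker` constructor. Hoisting it into a single local, e.g. `auto const compliant_script_url_utf8 = compliant_script_url.to_utf8_but_should_be_ported_to_utf16();`, avoids the second conversion and makes it obvious that the parsed URL and the stored script URL are the same policy-checked value. Both uses correctly take the Trusted Types result rather than the raw `script_url`, and a one-line comment such as `// From here on use only compliant_script_url; script_url has not passed the Trusted Types check.` would protect that property against later edits. The quoted spec step says "this's relevant global object" while the call passes `HTML::relevant_global_object(document)`; these presumably coincide because no Worker object exists yet, but that reasoning deserves a short comment next to the argument. `Worker::create` begins in the previous hunk and continues past the end of this one.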
+++ b/Libraries/LibWeb/TrustedTypes/InjectionSink.h
@@ -30,6 +30,7 @@ namespace Web::TrustedTypes {
 __ENUMERATE_INJECTION_SINKS(RangecreateContextualFragment, "Range createContextualFragment") \
 __ENUMERATE_INJECTION_SINKS(SharedWorkerconstructor, "SharedWorker constructor") \
 __ENUMERATE_INJECTION_SINKS(SVGScriptElementhref, "SVGScriptElement href") \
+ __ENUMERATE_INJECTION_SINKS(Workerconstructor, "Worker constructor") \
 ENUMERATE_GLOBAL_EVENT_HANDLERS(EVENT_HANDLERS_INJECTION_SINKS) \
 ENUMERATE_WINDOW_EVENT_HANDLERS(EVENT_HANDLERS_INJECTION_SINKS)