Stowage/ladybird
2
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-12-07 21:59:54 +00:00
Code Issues Projects Releases Packages Wiki Activity

LibWeb: Implement slot validation for HTMLScriptElement

Browse source 
This should be the last section missing in the TrustedType spec.
This commit is contained in:
Tete17 2025-10-29 15:20:33 +01:00 committed by Jelle Raaijmakers
parent 1d1182cad8
commit 901afee50b
Notes: github-actions[bot] 2025-12-01 08:55:48 +00:00
6 changed files with 567 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

96
Libraries/LibWeb/HTML/HTMLScriptElement.cpp
View file

@ -82,6 +82,31 @@ void HTMLScriptElement::attribute_changed(FlyString const& name, Optional<String
}
}
// https://www.w3.org/TR/trusted-types/#prepare-script-text
WebIDL::ExceptionOr<void> HTMLScriptElement::prepare_script_text()
{
// 1. Let sink be "HTMLScriptElement text" if script is an HTMLScriptElement; otherwise "SVGScriptElement text".
constexpr auto sink = TrustedTypes::InjectionSink::HTMLScriptElement_text;
// 2. If scripts script text value is not equal to its child text content,
// set scripts script text to the result of executing get Trusted Type compliant string, with the following arguments:
// TrustedScriptURL as expectedType,
// scripts Documents relevant global object as global,
// scripts child text content attribute value as input,
// sink,
// 'script' as sinkGroup.
if (m_script_text != child_text_content()) {
m_script_text = TRY(TrustedTypes::get_trusted_type_compliant_string(
TrustedTypes::TrustedTypeName::TrustedScriptURL,
HTML::relevant_global_object(document()),
child_text_content(),
sink,
TrustedTypes::Script.to_string()));
}
return {};
}
void HTMLScriptElement::begin_delaying_document_load_event(DOM::Document& document)
{
// https://html.spec.whatwg.org/multipage/scripting.html#concept-script-script
@ -170,6 +195,7 @@ void HTMLScriptElement::execute_script()
dispatch_event(DOM::Event::create(realm(), HTML::EventNames::load));
}
// https://w3c.github.io/trusted-types/dist/spec/#slot-value-verification
// https://html.spec.whatwg.org/multipage/scripting.html#prepare-a-script
// https://whatpr.org/html/9893/scripting.html#prepare-a-script
void HTMLScriptElement::prepare_script()
@ -191,22 +217,26 @@ void HTMLScriptElement::prepare_script()
m_force_async = true;
}
// 5. Let source text be el's child text content.
auto source_text = child_text_content();
// 5. Execute the Prepare the script text algorithm on el. If that algorithm threw an error, then return.
if (prepare_script_text().is_exception())
return;
// 6. Let source text be els script text value.
auto source_text = m_script_text;
auto source_text_utf8 = source_text.to_utf8_but_should_be_ported_to_utf16();
// 6. If el has no src attribute, and source text is the empty string, then return.
// 7. If el has no src attribute, and source text is the empty string, then return.
if (!has_attribute(HTML::AttributeNames::src) && source_text.is_empty()) {
return;
}
// 7. If el is not connected, then return.
// 8. If el is not connected, then return.
if (!is_connected()) {
dbgln("HTMLScriptElement: Refusing to run script because the element is not connected.");
return;
}
// 8. If any of the following are true:
// 9. If any of the following are true:
// - el has a type attribute whose value is the empty string;
// - el has no type attribute but it has a language attribute and that attribute's value is the empty string; or
// - el has neither a type attribute nor a language attribute
@ -230,61 +260,61 @@ void HTMLScriptElement::prepare_script()
script_block_type = MUST(String::formatted("text/{}", maybe_language_attribute.value()));
}
// 9. If the script block's type string is a JavaScript MIME type essence match,
// 10. If the script block's type string is a JavaScript MIME type essence match,
if (MimeSniff::is_javascript_mime_type_essence_match(script_block_type)) {
// then set el's type to "classic".
m_script_type = ScriptType::Classic;
}
// 10. Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "module",
// 11. Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "module",
else if (script_block_type.equals_ignoring_ascii_case("module"sv)) {
// then set el's type to "module".
m_script_type = ScriptType::Module;
}
// 11. Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "importmap",
// 12. Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "importmap",
else if (script_block_type.equals_ignoring_ascii_case("importmap"sv)) {
// then set el's type to "importmap".
m_script_type = ScriptType::ImportMap;
}
// FIXME: 12. Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "speculationrules", then set el's type to "speculationrules".
// 13. Otherwise, return. (No script is executed, and el's type is left as null.)
// FIXME: 13. Otherwise, if the script block's type string is an ASCII case-insensitive match for the string "speculationrules", then set el's type to "speculationrules".
// 14. Otherwise, return. (No script is executed, and el's type is left as null.)
else {
VERIFY(m_script_type == ScriptType::Null);
return;
}
// 14. If parser document is non-null, then set el's parser document back to parser document and set el's force async to false.
// 15. If parser document is non-null, then set el's parser document back to parser document and set el's force async to false.
if (parser_document) {
m_parser_document = parser_document;
m_force_async = false;
}
// 15. Set el's already started to true.
// 16. Set el's already started to true.
m_already_started = true;
// 16. Set el's preparation-time document to its node document.
// 17. Set el's preparation-time document to its node document.
m_preparation_time_document = &document();
// 17. If parser document is non-null, and parser document is not equal to el's preparation-time document, then return.
// 18. If parser document is non-null, and parser document is not equal to el's preparation-time document, then return.
if (parser_document != nullptr && parser_document != m_preparation_time_document) {
dbgln("HTMLScriptElement: Refusing to run script because the parser document is not the same as the preparation time document.");
return;
}
// 18. If scripting is disabled for el, then return.
// 19. If scripting is disabled for el, then return.
if (is_scripting_disabled()) {
dbgln("HTMLScriptElement: Refusing to run script because scripting is disabled.");
return;
}
// 19. If el has a nomodule content attribute and its type is "classic", then return.
// 20. If el has a nomodule content attribute and its type is "classic", then return.
if (m_script_type == ScriptType::Classic && has_attribute(HTML::AttributeNames::nomodule)) {
dbgln("HTMLScriptElement: Refusing to run classic script because it has the nomodule attribute.");
return;
}
// FIXME: 20. Let cspType be "script speculationrules" if el's type is "speculationrules"; otherwise, "script".
// FIXME: 21. Let cspType be "script speculationrules" if el's type is "speculationrules"; otherwise, "script".
// 21. If el does not have a src content attribute, and the Should element's inline behavior be blocked by Content
// 22. If el does not have a src content attribute, and the Should element's inline behavior be blocked by Content
// Security Policy? algorithm returns "Blocked" when given el, cspType, and source text, then return [CSP]
if (!has_attribute(AttributeNames::src)
&& ContentSecurityPolicy::should_elements_inline_type_behavior_be_blocked_by_content_security_policy(realm(), *this, ContentSecurityPolicy::Directives::Directive::InlineType::Script, source_text_utf8) == ContentSecurityPolicy::Directives::Directive::Result::Blocked) {
@ -292,7 +322,7 @@ void HTMLScriptElement::prepare_script()
return;
}
// 22. If el has an event attribute and a for attribute, and el's type is "classic", then:
// 23. If el has an event attribute and a for attribute, and el's type is "classic", then:
if (m_script_type == ScriptType::Classic && has_attribute(HTML::AttributeNames::event) && has_attribute(HTML::AttributeNames::for_)) {
// 1. Let for be the value of el's' for attribute.
auto for_ = get_attribute_value(HTML::AttributeNames::for_);
@ -318,7 +348,7 @@ void HTMLScriptElement::prepare_script()
}
}
// 23. If el has a charset attribute, then let encoding be the result of getting an encoding from the value of the charset attribute.
// 24. If el has a charset attribute, then let encoding be the result of getting an encoding from the value of the charset attribute.
// If el does not have a charset attribute, or if getting an encoding failed, then let encoding be el's node document's the encoding.
Optional<String> encoding;
@ -334,34 +364,34 @@ void HTMLScriptElement::prepare_script()
VERIFY(encoding.has_value());
// 24. Let classic script CORS setting be the current state of el's crossorigin content attribute.
// 25. Let classic script CORS setting be the current state of el's crossorigin content attribute.
auto classic_script_cors_setting = m_crossorigin;
// 25. Let module script credentials mode be the CORS settings attribute credentials mode for el's crossorigin content attribute.
// 26. Let module script credentials mode be the CORS settings attribute credentials mode for el's crossorigin content attribute.
auto module_script_credential_mode = cors_settings_attribute_credentials_mode(m_crossorigin);
// 26. Let cryptographic nonce be el's [[CryptographicNonce]] internal slot's value.
// 27. Let cryptographic nonce be el's [[CryptographicNonce]] internal slot's value.
auto cryptographic_nonce = m_cryptographic_nonce;
// 27. If el has an integrity attribute, then let integrity metadata be that attribute's value.
// 28. If el has an integrity attribute, then let integrity metadata be that attribute's value.
// Otherwise, let integrity metadata be the empty string.
String integrity_metadata;
if (auto maybe_integrity = attribute(HTML::AttributeNames::integrity); maybe_integrity.has_value()) {
integrity_metadata = *maybe_integrity;
}
// 28. Let referrer policy be the current state of el's referrerpolicy content attribute.
// 29. Let referrer policy be the current state of el's referrerpolicy content attribute.
auto referrer_policy = m_referrer_policy;
// 29. Let fetch priority be the current state of el's fetchpriority content attribute.
// 30. Let fetch priority be the current state of el's fetchpriority content attribute.
auto fetch_priority = Fetch::Infrastructure::request_priority_from_string(get_attribute_value(HTML::AttributeNames::fetchpriority)).value_or(Fetch::Infrastructure::Request::Priority::Auto);
// 30. Let parser metadata be "parser-inserted" if el is parser-inserted, and "not-parser-inserted" otherwise.
// 31. Let parser metadata be "parser-inserted" if el is parser-inserted, and "not-parser-inserted" otherwise.
auto parser_metadata = is_parser_inserted()
? Fetch::Infrastructure::Request::ParserMetadata::ParserInserted
: Fetch::Infrastructure::Request::ParserMetadata::NotParserInserted;
// 31. Let options be a script fetch options whose cryptographic nonce is cryptographic nonce,
// 32. Let options be a script fetch options whose cryptographic nonce is cryptographic nonce,
// integrity metadata is integrity metadata, parser metadata is parser metadata,
// credentials mode is module script credentials mode, referrer policy is referrer policy,
// and fetch priority is fetch priority.
@ -374,10 +404,10 @@ void HTMLScriptElement::prepare_script()
.fetch_priority = move(fetch_priority),
};
// 32. Let settings object be el's node document's relevant settings object.
// 33. Let settings object be el's node document's relevant settings object.
auto& settings_object = document().relevant_settings_object();
// 33. If el has a src content attribute, then:
// 34. If el has a src content attribute, then:
if (has_attribute(HTML::AttributeNames::src)) {
// 1. If el's type is "importmap" or "speculationrules", then:
// FIXME: Add "speculationrules" support.
@ -452,7 +482,7 @@ void HTMLScriptElement::prepare_script()
}
}
// 34. If el does not have a src content attribute:
// 35. If el does not have a src content attribute:
if (!has_attribute(HTML::AttributeNames::src)) {
// 1. Let base URL be el's node document's document base URL.
auto base_url = document().base_url();
@ -498,7 +528,7 @@ void HTMLScriptElement::prepare_script()
// FIXME: -> "speculationrules"
}
// 35. If el's type is "classic" and el has a src attribute, or el's type is "module":
// 36. If el's type is "classic" and el has a src attribute, or el's type is "module":
if ((m_script_type == ScriptType::Classic && has_attribute(HTML::AttributeNames::src)) || m_script_type == ScriptType::Module) {
// 1. Assert: el's result is "uninitialized".
// FIXME: I believe this step to be a spec bug, and it should be removed: https://github.com/whatwg/html/issues/8534
@ -572,7 +602,7 @@ void HTMLScriptElement::prepare_script()
}
}
// 36. Otherwise:
// 37. Otherwise:
else {
// 1. Assert: el's result is not "uninitialized".
VERIFY(!m_result.has<ResultState::Uninitialized>());

3
Libraries/LibWeb/HTML/HTMLScriptElement.h
View file

@ -92,6 +92,9 @@ private:
virtual void attribute_changed(FlyString const& name, Optional<String> const& old_value, Optional<String> const& value, Optional<FlyString> const& namespace_) override;
// https://www.w3.org/TR/trusted-types/#prepare-script-text
WebIDL::ExceptionOr<void> prepare_script_text();
// https://html.spec.whatwg.org/multipage/scripting.html#prepare-the-script-element
void prepare_script();