From 98452495dd63a121e8e6d14386a26c0b628a52e8 Mon Sep 17 00:00:00 2001
From: Brad Dunbar
Date: Sat, 29 Jun 2019 13:54:05 -0400
Subject: [PATCH 1/6] only allow http/https protocols
---
 components/script/dom/location.rs | 6 +++++-
 .../location-protocol-setter-non-broken.html.ini | 16 ----------------
 2 files changed, 5 insertions(+), 17 deletions(-)
diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs
index d6df671f451b..561e737b4c73 100644
--- a/components/script/dom/location.rs
+++ b/components/script/dom/location.rs
@@ -217,7 +217,11 @@ impl LocationMethods for Location {
 // https://html.spec.whatwg.org/multipage/#dom-location-protocol
 fn SetProtocol(&self, value: USVString) -> ErrorResult {
 self.check_same_origin_domain()?;
- self.set_url_component(value, UrlHelper::SetProtocol);
+ // If copyURL's scheme is not an HTTP(S) scheme, then terminate these steps.
+ let scheme = value.split(':').next().unwrap();
+ if scheme.eq_ignore_ascii_case("http") || scheme.eq_ignore_ascii_case("https") {
+ self.set_url_component(value, UrlHelper::SetProtocol);
+ }
 Ok(())
 }
diff --git a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini b/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini
index 3a39a215f254..fc20af26ee0e 100644
--- a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini
+++ b/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini
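Review bot: In SetProtocol (components/script/dom/location.rs, PATCH 1/6) the added comment speaks of copyURL's scheme, but the guard tests the raw setter argument: `value.split(':').next()` is compared with http/https before anything is parsed. The pre-filter appears to fail closed for the data, ftp and gopher cases the removed expectations cover, but it also means any other value, including one that would not parse, now becomes a silent no-op instead of reaching whatever error handling `set_url_component` has (its body is not in this patch). I would make the comment describe what is checked, e.g. `// Only forward values whose requested scheme is http or https; any other value is ignored.`, and replace the bare `.unwrap()` with `.unwrap_or("")` or a short comment that `split` always yields at least one item.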
@@ -17,19 +17,3 @@
 [Set data URL frame location.protocol to http+x]
 expected: FAIL
-
- [Set HTTP URL frame location.protocol to gopher]
- expected: FAIL
-
- [Set HTTP URL frame location.protocol to http+x]
- expected: FAIL
-
- [Set HTTP URL frame location.protocol to ftp]
- expected: FAIL
-
- [Set HTTP URL frame location.protocol to data]
- expected: FAIL
-
- [Set HTTP URL frame location.protocol to x]
- expected: FAIL
-
From 3c8df69834b20b48239f830e56910d446ee1e4e5 Mon Sep 17 00:00:00 2001
From: Brad Dunbar
Date: Sun, 30 Jun 2019 10:17:06 -0400
Subject: [PATCH 2/6] host or hostname: abort if url cannot be a base
---
 components/script/dom/location.rs | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs
index 561e737b4c73..8e24a494dffb 100644
--- a/components/script/dom/location.rs
+++ b/components/script/dom/location.rs
@@ -140,7 +140,10 @@ impl LocationMethods for Location {
 // https://html.spec.whatwg.org/multipage/#dom-location-host
 fn SetHost(&self, value: USVString) -> ErrorResult {
 self.check_same_origin_domain()?;
- self.set_url_component(value, UrlHelper::SetHost);
+ // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps.
+ if !self.get_url().cannot_be_a_base() {
+ self.set_url_component(value, UrlHelper::SetHost);
+ }
 Ok(())
 }
@@ -159,7 +162,10 @@ impl LocationMethods for Location {
 // https://html.spec.whatwg.org/multipage/#dom-location-hostname
 fn SetHostname(&self, value: USVString) -> ErrorResult {
 self.check_same_origin_domain()?;
- self.set_url_component(value, UrlHelper::SetHostname);
+ // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps.
+ if !self.get_url().cannot_be_a_base() {
+ self.set_url_component(value, UrlHelper::SetHostname);
+ }
 Ok(())
 }
From 97e967ce0ef09365d06b351960e1f97354ff99cb Mon Sep 17 00:00:00 2001
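Review bot: The cannot-be-a-base guard is copied verbatim into SetHost and SetHostname in PATCH 2/6, and again into SetPathname in PATCH 4/6, so every setter has to remember its own precondition. These setters take script-supplied values, so one private helper would make it harder for a later setter to omit the check, for example `fn url_can_be_a_base(&self) -> bool { !self.get_url().cannot_be_a_base() }` used as `if self.url_can_be_a_base() { … }`. Each guard also reads the URL through `get_url()` separately from `set_url_component`, whose body is not in these hunks; if that helper works on its own copy of the URL, performing the check inside it on that same copy would keep the test and the mutation in step.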
From: Brad Dunbar
Date: Sun, 30 Jun 2019 10:36:42 -0400
Subject: [PATCH 3/6] port: abort if url cannot have username/password/port
---
 components/script/dom/location.rs | 6 +++++-
 components/url/lib.rs | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs
index 8e24a494dffb..509339bb9e70 100644
--- a/components/script/dom/location.rs
+++ b/components/script/dom/location.rs
@@ -210,7 +210,11 @@ impl LocationMethods for Location {
 // https://html.spec.whatwg.org/multipage/#dom-location-port
 fn SetPort(&self, value: USVString) -> ErrorResult {
 self.check_same_origin_domain()?;
- self.set_url_component(value, UrlHelper::SetPort);
+ let url = self.get_url();
+ // If copyURL cannot have a username/password/port, then return.
+ if url.has_host() && !url.cannot_be_a_base() && url.scheme() != "file" {
+ self.set_url_component(value, UrlHelper::SetPort);
+ }
 Ok(())
 }
diff --git a/components/url/lib.rs b/components/url/lib.rs
index bb7c1fa4e356..a5b8b15279b3 100644
--- a/components/url/lib.rs
+++ b/components/url/lib.rs
@@ -93,6 +93,10 @@ impl ServoUrl {
 self.0.scheme()
 }
+ pub fn has_host(&self) -> bool {
+ self.0.has_host()
+ }
+
 pub fn is_secure_scheme(&self) -> bool {
 let scheme = self.scheme();
 scheme == "https" || scheme == "wss"
From 3f2abccd01b4595ce47dd71c460b1ee52644f5d2 Mon Sep 17 00:00:00 2001
From: Brad Dunbar
Date: Sun, 30 Jun 2019 10:42:08 -0400
Subject: [PATCH 4/6] pathname: terminate if cannot-be-a-base
---
 components/script/dom/location.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs
index 509339bb9e70..f5abdeb4a9e7 100644
--- a/components/script/dom/location.rs
+++ b/components/script/dom/location.rs
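Review bot: The SetPort guard in PATCH 3/6 tests for a missing host, the cannot-be-a-base flag and the file scheme, but as I read the definition linked in PATCH 6/6, a URL whose host is the empty string also cannot have a port. Whether `has_host()` is false for an empty host is decided inside the wrapped URL type and is not visible in these hunks, so the condition may let an empty-host URL through to `set_url_component`. I would either add an explicit empty-host test to the `if`, or record the assumption next to it, e.g. `// has_host() is assumed to be false for an empty host; confirm against the url crate.` The new `ServoUrl::has_host` wrapper in components/url/lib.rs would likewise benefit from a one-line doc comment saying it delegates to the inner URL and what it reports for an empty host.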
@@ -197,7 +197,10 @@ impl LocationMethods for Location {
 // https://html.spec.whatwg.org/multipage/#dom-location-pathname
 fn SetPathname(&self, value: USVString) -> ErrorResult {
 self.check_same_origin_domain()?;
- self.set_url_component(value, UrlHelper::SetPathname);
+ // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps.
+ if !self.get_url().cannot_be_a_base() {
+ self.set_url_component(value, UrlHelper::SetPathname);
+ }
 Ok(())
 }
From 6c31813c224780817d7b4bf2dff66d20998a4be8 Mon Sep 17 00:00:00 2001
From: Brad Dunbar
Date: Sun, 30 Jun 2019 22:40:33 -0400
Subject: [PATCH 5/6] remove failure expectations
---
 ...ion-protocol-setter-non-broken-weird.html.ini | 16 ----------------
 1 file changed, 16 deletions(-)
 delete mode 100644 tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini
diff --git a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini b/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini
deleted file mode 100644
index a30c51097ab4..000000000000
--- a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini
+++ /dev/null
@@ -1,16 +0,0 @@
-[location-protocol-setter-non-broken-weird.html]
- [Set location.protocol to data]
- expected: FAIL
-
- [Set location.protocol to ftp]
- expected: FAIL
-
- [Set location.protocol to gopher]
- expected: FAIL
-
- [Set location.protocol to x]
- expected: FAIL
-
- [Set location.protocol to http+x]
- expected: FAIL
-
From 05f75473ff252b5e774031e17341b37b28d010b7 Mon Sep 17 00:00:00 2001
From: Brad Dunbar
Date: Mon, 1 Jul 2019 08:45:36 -0400
Subject: [PATCH 6/6] link to cannot have a username password spec
---
 components/script/dom/location.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs
index f5abdeb4a9e7..98f60a29b937 100644
--- a/components/script/dom/location.rs
+++ b/components/script/dom/location.rs
@@ -215,6 +215,7 @@ impl LocationMethods for Location {
 self.check_same_origin_domain()?;
 let url = self.get_url();
 // If copyURL cannot have a username/password/port, then return.
+ // https://url.spec.whatwg.org/#cannot-have-a-username-password-port
 if url.has_host() && !url.cannot_be_a_base() && url.scheme() != "file" {
 self.set_url_component(value, UrlHelper::SetPort);
 }