From 98452495dd63a121e8e6d14386a26c0b628a52e8 Mon Sep 17 00:00:00 2001 From: Brad Dunbar Date: Sat, 29 Jun 2019 13:54:05 -0400 Subject: [PATCH 1/8] only allow http/https protocols --- components/script/dom/location.rs | 6 +++++- .../location-protocol-setter-non-broken.html.ini | 16 ---------------- 2 files changed, 5 insertions(+), 17 deletions(-) diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs index d6df671f451b..561e737b4c73 100644 --- a/components/script/dom/location.rs +++ b/components/script/dom/location.rs @@ -217,7 +217,11 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-protocol fn SetProtocol(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - self.set_url_component(value, UrlHelper::SetProtocol); + // If copyURL's scheme is not an HTTP(S) scheme, then terminate these steps. + let scheme = value.split(':').next().unwrap(); + if scheme.eq_ignore_ascii_case("http") || scheme.eq_ignore_ascii_case("https") { + self.set_url_component(value, UrlHelper::SetProtocol); + } Ok(()) } diff --git a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini b/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini index 3a39a215f254..fc20af26ee0e 100644 --- a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini +++ b/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken.html.ini @@ -17,19 +17,3 @@ [Set data URL frame location.protocol to http+x] expected: FAIL - - [Set HTTP URL frame location.protocol to gopher] - expected: FAIL - - [Set HTTP URL frame location.protocol to http+x] - expected: FAIL - - [Set HTTP URL frame location.protocol to ftp] - expected: FAIL - - [Set HTTP URL frame location.protocol to data] - expected: FAIL - - [Set HTTP URL frame location.protocol to x] - expected: FAIL - From 3c8df69834b20b48239f830e56910d446ee1e4e5 Mon Sep 17 00:00:00 2001 From: Brad Dunbar Date: Sun, 30 Jun 2019 10:17:06 -0400 Subject: [PATCH 2/8] host or hostname: abort if url cannot be a base --- components/script/dom/location.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs index 561e737b4c73..8e24a494dffb 100644 --- a/components/script/dom/location.rs +++ b/components/script/dom/location.rs @@ -140,7 +140,10 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-host fn SetHost(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - self.set_url_component(value, UrlHelper::SetHost); + // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. + if !self.get_url().cannot_be_a_base() { + self.set_url_component(value, UrlHelper::SetHost); + } Ok(()) } @@ -159,7 +162,10 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-hostname fn SetHostname(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - self.set_url_component(value, UrlHelper::SetHostname); + // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. + if !self.get_url().cannot_be_a_base() { + self.set_url_component(value, UrlHelper::SetHostname); + } Ok(()) } From 97e967ce0ef09365d06b351960e1f97354ff99cb Mon Sep 17 00:00:00 2001 From: Brad Dunbar Date: Sun, 30 Jun 2019 10:36:42 -0400 Subject: [PATCH 3/8] port: abort if url cannot have username/password/port --- components/script/dom/location.rs | 6 +++++- components/url/lib.rs | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs index 8e24a494dffb..509339bb9e70 100644 --- a/components/script/dom/location.rs +++ b/components/script/dom/location.rs @@ -210,7 +210,11 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-port fn SetPort(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - self.set_url_component(value, UrlHelper::SetPort); + let url = self.get_url(); + // If copyURL cannot have a username/password/port, then return. + if url.has_host() && !url.cannot_be_a_base() && url.scheme() != "file" { + self.set_url_component(value, UrlHelper::SetPort); + } Ok(()) } diff --git a/components/url/lib.rs b/components/url/lib.rs index bb7c1fa4e356..a5b8b15279b3 100644 --- a/components/url/lib.rs +++ b/components/url/lib.rs @@ -93,6 +93,10 @@ impl ServoUrl { self.0.scheme() } + pub fn has_host(&self) -> bool { + self.0.has_host() + } + pub fn is_secure_scheme(&self) -> bool { let scheme = self.scheme(); scheme == "https" || scheme == "wss" From 3f2abccd01b4595ce47dd71c460b1ee52644f5d2 Mon Sep 17 00:00:00 2001 From: Brad Dunbar Date: Sun, 30 Jun 2019 10:42:08 -0400 Subject: [PATCH 4/8] pathname: terminate if cannot-be-a-base --- components/script/dom/location.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs index 509339bb9e70..f5abdeb4a9e7 100644 --- a/components/script/dom/location.rs +++ b/components/script/dom/location.rs @@ -197,7 +197,10 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-pathname fn SetPathname(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - self.set_url_component(value, UrlHelper::SetPathname); + // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. + if !self.get_url().cannot_be_a_base() { + self.set_url_component(value, UrlHelper::SetPathname); + } Ok(()) } From 6c31813c224780817d7b4bf2dff66d20998a4be8 Mon Sep 17 00:00:00 2001 From: Brad Dunbar Date: Sun, 30 Jun 2019 22:40:33 -0400 Subject: [PATCH 5/8] remove failure expectations --- ...ion-protocol-setter-non-broken-weird.html.ini | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini diff --git a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini b/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini deleted file mode 100644 index a30c51097ab4..000000000000 --- a/tests/wpt/metadata/html/browsers/history/the-location-interface/location-protocol-setter-non-broken-weird.html.ini +++ /dev/null @@ -1,16 +0,0 @@ -[location-protocol-setter-non-broken-weird.html] - [Set location.protocol to data] - expected: FAIL - - [Set location.protocol to ftp] - expected: FAIL - - [Set location.protocol to gopher] - expected: FAIL - - [Set location.protocol to x] - expected: FAIL - - [Set location.protocol to http+x] - expected: FAIL - From 05f75473ff252b5e774031e17341b37b28d010b7 Mon Sep 17 00:00:00 2001 From: Brad Dunbar Date: Mon, 1 Jul 2019 08:45:36 -0400 Subject: [PATCH 6/8] link to cannot have a username password spec --- components/script/dom/location.rs | 1 + 1 file changed, 1 insertion(+) diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs index f5abdeb4a9e7..98f60a29b937 100644 --- a/components/script/dom/location.rs +++ b/components/script/dom/location.rs @@ -215,6 +215,7 @@ impl LocationMethods for Location { self.check_same_origin_domain()?; let url = self.get_url(); // If copyURL cannot have a username/password/port, then return. + // https://url.spec.whatwg.org/#cannot-have-a-username-password-port if url.has_host() && !url.cannot_be_a_base() && url.scheme() != "file" { self.set_url_component(value, UrlHelper::SetPort); } From ad31fde3ef1203ba25047d4e9d2e134c1b764504 Mon Sep 17 00:00:00 2001 From: UxioAndrade Date: Sun, 9 Feb 2020 20:53:17 +0100 Subject: [PATCH 7/8] add comments linking to steps of the specs --- components/script/dom/location.rs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs index 83db5acf0d94..4da1669deee2 100644 --- a/components/script/dom/location.rs +++ b/components/script/dom/location.rs @@ -165,7 +165,7 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-host fn SetHost(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. + // Step 4: If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. if !self.get_url().cannot_be_a_base() { self.set_url_component(value, UrlHelper::SetHost); } @@ -187,7 +187,7 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-hostname fn SetHostname(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. + // Step 4: If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. if !self.get_url().cannot_be_a_base() { self.set_url_component(value, UrlHelper::SetHostname); } @@ -222,7 +222,7 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-pathname fn SetPathname(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - // If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. + // Step 3: If copyURL's cannot-be-a-base-URL flag is set, terminate these steps. if !self.get_url().cannot_be_a_base() { self.set_url_component(value, UrlHelper::SetPathname); } @@ -239,7 +239,7 @@ impl LocationMethods for Location { fn SetPort(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; let url = self.get_url(); - // If copyURL cannot have a username/password/port, then return. + // Step 4: If copyURL cannot have a username/password/port, then return. // https://url.spec.whatwg.org/#cannot-have-a-username-password-port if url.has_host() && !url.cannot_be_a_base() && url.scheme() != "file" { self.set_url_component(value, UrlHelper::SetPort); @@ -256,7 +256,7 @@ impl LocationMethods for Location { // https://html.spec.whatwg.org/multipage/#dom-location-protocol fn SetProtocol(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; - // If copyURL's scheme is not an HTTP(S) scheme, then terminate these steps. + // Step 6: If copyURL's scheme is not an HTTP(S) scheme, then terminate these steps. let scheme = value.split(':').next().unwrap(); if scheme.eq_ignore_ascii_case("http") || scheme.eq_ignore_ascii_case("https") { self.set_url_component(value, UrlHelper::SetProtocol); From ec7723142efc30b083a7c4e44f2fe2448041cc45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uxi=CC=81o=20Garci=CC=81a=20Andrade?= Date: Mon, 10 Feb 2020 13:39:01 +0100 Subject: [PATCH 8/8] change scheme unwrap into syntax error --- components/script/dom/location.rs | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/components/script/dom/location.rs b/components/script/dom/location.rs index 4da1669deee2..f8f51f3c103c 100644 --- a/components/script/dom/location.rs +++ b/components/script/dom/location.rs @@ -257,12 +257,15 @@ impl LocationMethods for Location { fn SetProtocol(&self, value: USVString) -> ErrorResult { self.check_same_origin_domain()?; // Step 6: If copyURL's scheme is not an HTTP(S) scheme, then terminate these steps. - let scheme = value.split(':').next().unwrap(); - if scheme.eq_ignore_ascii_case("http") || scheme.eq_ignore_ascii_case("https") { - self.set_url_component(value, UrlHelper::SetProtocol); + if let Ok(scheme) = value.split(':').next() { + if scheme.eq_ignore_ascii_case("http") || scheme.eq_ignore_ascii_case("https") { + self.set_url_component(value, UrlHelper::SetProtocol); + } + Ok(()) + } else { + Err(Error::Syntax) } - Ok(()) - } + } // https://html.spec.whatwg.org/multipage/#dom-location-search fn GetSearch(&self) -> Fallible {