LibWeb: Hook TrustedTypes to the SharedWorkers api

2025-12-06 12:20:00 +01:00 · 2025-10-06 18:00:37 +02:00 · 2025-10-06 18:00:37 +02:00 · e6ac064a34
commit e6ac064a34
parent bd4e3fd3e0
4 changed files with 17 additions and 8 deletions
--- a/Libraries/LibWeb/HTML/SharedWorker.cpp
+++ b/Libraries/LibWeb/HTML/SharedWorker.cpp
@ -17,17 +17,24 @@
 #include <LibWeb/HTML/Window.h>
 #include <LibWeb/HTML/Worker.h>
 #include <LibWeb/Platform/EventLoopPlugin.h>
+#include <LibWeb/TrustedTypes/RequireTrustedTypesForDirective.h>
+#include <LibWeb/TrustedTypes/TrustedTypePolicy.h>

 namespace Web::HTML {

 GC_DEFINE_ALLOCATOR(SharedWorker);

 // https://html.spec.whatwg.org/multipage/workers.html#dom-sharedworker
-WebIDL::ExceptionOr<GC::Ref<SharedWorker>> SharedWorker::construct_impl(JS::Realm& realm, String const& script_url, Variant<String, WorkerOptions>& options_value)
+WebIDL::ExceptionOr<GC::Ref<SharedWorker>> SharedWorker::construct_impl(JS::Realm& realm, TrustedTypes::TrustedScriptURLOrString const& script_url, Variant<String, WorkerOptions>& options_value)
 {
-    // FIXME: 1. Let compliantScriptURL be the result of invoking the Get Trusted Type compliant string algorithm with
-    //           TrustedScriptURL, this's relevant global object, scriptURL, "SharedWorker constructor", and "script".
-    auto const& compliant_script_url = script_url;
+    // 1. Let compliantScriptURL be the result of invoking the Get Trusted Type compliant string algorithm with
+    //    TrustedScriptURL, this's relevant global object, scriptURL, "SharedWorker constructor", and "script".
+    auto const compliant_script_url = TRY(get_trusted_type_compliant_string(
+        TrustedTypes::TrustedTypeName::TrustedScriptURL,
+        realm.global_object(),
+        script_url,
+        TrustedTypes::InjectionSink::SharedWorkerconstructor,
+        TrustedTypes::Script.to_string()));

    // 2. If options is a DOMString, set options to a new WorkerOptions dictionary whose name member is set to the value
    //    of options and whose other members are set to their default values.
@ -43,7 +50,7 @@ WebIDL::ExceptionOr<GC::Ref<SharedWorker>> SharedWorker::construct_impl(JS::Real
    auto& outside_settings = current_principal_settings_object();

    // 4. Let urlRecord be the result of encoding-parsing a URL given compliantScriptURL, relative to outside settings.
-    auto url = outside_settings.encoding_parse_url(compliant_script_url);
+    auto url = outside_settings.encoding_parse_url(compliant_script_url.to_utf8_but_should_be_ported_to_utf16());

    // 5. If urlRecord is failure, then throw a "SyntaxError" DOMException.
    if (!url.has_value())
--- a/Libraries/LibWeb/HTML/SharedWorker.h
+++ b/Libraries/LibWeb/HTML/SharedWorker.h
@ -10,6 +10,7 @@
 #include <LibWeb/Forward.h>
 #include <LibWeb/HTML/AbstractWorker.h>
 #include <LibWeb/HTML/WorkerAgentParent.h>
+#include <LibWeb/TrustedTypes/TrustedScriptURL.h>
 #include <LibWeb/WebIDL/ExceptionOr.h>

 namespace Web::HTML {
@ -22,7 +23,7 @@ class SharedWorker final
    GC_DECLARE_ALLOCATOR(SharedWorker);

 public:
-    static WebIDL::ExceptionOr<GC::Ref<SharedWorker>> construct_impl(JS::Realm&, String const& script_url, Variant<String, WorkerOptions>& options);
+    static WebIDL::ExceptionOr<GC::Ref<SharedWorker>> construct_impl(JS::Realm&, TrustedTypes::TrustedScriptURLOrString const& script_url, Variant<String, WorkerOptions>& options);

    virtual ~SharedWorker();

--- a/Libraries/LibWeb/HTML/SharedWorker.idl
+++ b/Libraries/LibWeb/HTML/SharedWorker.idl
@ -2,12 +2,12 @@
 #import <HTML/AbstractWorker.idl>
 #import <HTML/MessagePort.idl>
 #import <HTML/Worker.idl>
+#import <TrustedTypes/TrustedScriptURL.idl>

 // https://html.spec.whatwg.org/multipage/workers.html#sharedworker
 [Exposed=Window]
 interface SharedWorker : EventTarget {
-    // FIXME: "DOMString scriptURL" should be "(TrustedScriptURL or USVString) scriptURL".
-    constructor(DOMString scriptURL, optional (DOMString or WorkerOptions) options = {});
+    constructor((TrustedScriptURL or Utf16USVString) scriptURL, optional (DOMString or WorkerOptions) options = {});

    readonly attribute MessagePort port;
 };
--- a/Libraries/LibWeb/TrustedTypes/InjectionSink.h
+++ b/Libraries/LibWeb/TrustedTypes/InjectionSink.h
@ -28,6 +28,7 @@ namespace Web::TrustedTypes {
    __ENUMERATE_INJECTION_SINKS(HTMLScriptElementtextContent, "HTMLScriptElement textContent")   \
    __ENUMERATE_INJECTION_SINKS(Locationhref, "Location href")                                   \
    __ENUMERATE_INJECTION_SINKS(RangecreateContextualFragment, "Range createContextualFragment") \
+    __ENUMERATE_INJECTION_SINKS(SharedWorkerconstructor, "SharedWorker constructor")             \
    __ENUMERATE_INJECTION_SINKS(SVGScriptElementhref, "SVGScriptElement href")                   \
    ENUMERATE_GLOBAL_EVENT_HANDLERS(EVENT_HANDLERS_INJECTION_SINKS)                              \
    ENUMERATE_WINDOW_EVENT_HANDLERS(EVENT_HANDLERS_INJECTION_SINKS)