Module script::layout_dom


A safe wrapper for DOM nodes that prevents layout from mutating the DOM, from letting DOM nodes escape, and from generally doing anything that it isn’t supposed to. This is accomplished via a simple whitelist of allowed operations, along with some lifetime magic to prevent nodes from escaping.

As a security wrapper is only as good as its whitelist, be careful when adding operations to this list. The cardinal rules are:

  1. Layout is not allowed to mutate the DOM.

  2. Layout is not allowed to see anything with LayoutDom in the name, because it could hang onto these objects and cause use-after-free.

When implementing wrapper functions, be careful that you do not touch the borrow flags, or you will race and cause spurious thread failure. (Note that I do not believe these races are exploitable, but they’ll result in brokenness nonetheless.)
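A simplified illustration of the whitelist and lifetime approach described above, added here and not taken from Servo's source; the names `Node`, `LayoutView` and `with_layout` are hypothetical. A private field restricts layout to the whitelisted read-only methods, and a higher-ranked `'dom` lifetime keeps the wrapper from escaping the layout pass.

```rust
mod dom {
    // Hypothetical DOM node; only script code holds `&mut Node`.
    pub struct Node { tag: String, children: Vec<Node> }

    impl Node {
        pub fn new(tag: &str) -> Self { Node { tag: tag.into(), children: Vec::new() } }
        pub fn append(&mut self, child: Node) { self.children.push(child); }
    }

    // Layout-side wrapper. The field is private to this module, so layout code
    // can only call the whitelisted methods; none mutates or returns `&Node`.
    #[derive(Clone, Copy)]
    pub struct LayoutView<'dom> { node: &'dom Node }

    impl<'dom> LayoutView<'dom> {
        pub fn tag(self) -> &'dom str { &self.node.tag }
        pub fn children(self) -> impl Iterator<Item = LayoutView<'dom>> {
            self.node.children.iter().map(|node| LayoutView { node })
        }
    }

    // `f` must work for every 'dom, so its result R cannot name 'dom:
    // `with_layout(&root, |view| view)` does not compile.
    pub fn with_layout<R, F>(root: &Node, f: F) -> R
    where F: for<'dom> FnOnce(LayoutView<'dom>) -> R {
        f(LayoutView { node: root })
    }
}

// A read-only layout pass written against the wrapper alone.
pub fn count_nodes(view: dom::LayoutView<'_>) -> usize {
    1 + view.children().map(|c| count_nodes(c)).sum::<usize>()
}

// Constructed sample tree: body > (div > span), p.
pub fn demo() -> (usize, String) {
    let mut body = dom::Node::new("body");
    let mut div = dom::Node::new("div");
    div.append(dom::Node::new("span"));
    body.append(div);
    body.append(dom::Node::new("p"));
    dom::with_layout(&body, |root| {
        let tags: Vec<&str> = root.children().map(|c| c.tag()).collect();
        (count_nodes(root), tags.join(","))
    })
}

fn main() { println!("{:?}", demo()); }
```

Every operation added to such a wrapper widens what layout can reach, so a new method that returned `&Node` or took `&mut self` on the underlying node would defeat both rules at once.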



  • A wrapper around elements that ensures layout can only ever access safe properties.
  • A wrapper around a LayoutDom<Node> which provides a safe interface that can be used during layout. This implements the LayoutNode trait as well as several style and selectors traits for use during layout. This version should only be used on a single thread. If you need to use nodes across threads use ServoThreadSafeLayoutNode.
  • A wrapper around elements that ensures layout can only ever access safe properties and cannot race on elements.
  • A wrapper around a ServoLayoutNode that can be used safely on different threads. It’s very important that this never mutate anything except this wrapped node and never access any other node apart from its parent.