Skip to content

fix(s5-4e): dedicated-worker MessageEvent origin = "" per message-port post-message steps#445

Merged
send merged 5 commits into
mainfrom
s5-4e-worker-message-origin
Jul 3, 2026
Merged

fix(s5-4e): dedicated-worker MessageEvent origin = "" per message-port post-message steps#445
send merged 5 commits into
mainfrom
s5-4e-worker-message-origin

Conversation

@send

@send send commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Summary

S5-4e — slice of the S5-4 sandbox/security enforcement cluster (plan-memo docs/plans/2026-07-s5-4-sandbox-enforcement.md §5.5, which rides PR #444 per the {4a,4b,4e}-parallel structure). Closes defer slot #11-worker-port-message-no-origin.

Per HTML §9.4.4 message port post message steps step 7.7, the message event initializes only data + portsorigin stays the MessageEventInit default ""; Worker.postMessage (§10.2.6.3) and DedicatedWorkerGlobalScope.postMessage (§10.2.1.2) delegate to the port. elidex stamped a page/script origin on both directions of the dedicated-worker channel.

  • origin field DELETED from the channel types (ParentToWorker::PostMessage / WorkerToParent::PostMessage, elidex-api-workers) — a dedicated-worker message carrying an origin is now unconstructible (by-construction fix, not call-site zeroing). All five dispatch sites pass "" (static literal, removes a per-message String clone from the hot path).
  • messageerror also origin = "" (§9.4.4 step 7.4).
  • Dead API deleted: WorkerHandle::script_url accessor + field + ctor/spawn_worker param — its sole reader was the removed origin stamping (WorkerLocation / error filename read the worker-side URL copy, unaffected).
  • Polarity preserved (untouched + pinned): ServiceWorker channel keeps the sender's incumbent origin (ExtendableMessageEvent.origin spec-REQUIRED, SW §3.1.5) — regression-pinned; window.postMessage keeps document_origin() (§9.3.3) — contrast pin added. The shared VM dispatch seam keeps its origin param for the SW polarity (documented dual contract).
  • Q5 (channel ownership): types are shared elidex-api-workers → boa sites adjusted mechanically (light-touch, deletion-bound D-26 PR7).

Tests

worker_thread_inbound_message_origin_is_empty (real thread round-trip, typeof e.origin probe), main_worker_message_event_target_and_origin ("null"""), main_worker_messageerror_origin_is_empty (synthetic peer through the real drain), onmessage_handler_receives_data_and_empty_origin, plus contrast pins post_message_event_origin_is_document_origin (window) and SW inbound_post_message_fires_message_event (now asserts the carried origin).

Gate

/pre-push 6-stage complete: fmt / mise run ci ×4 green / /simplify (2 doc-dedup fixes to canonical homes) / /code-review high (2 CONFIRMED fixed: dead script_url API deletion; messageerror cite §10.2.6.1→§9.4.4 step 7.4) / /review (6 angles: A/B/C/conventions = none, 2 trivial MINs fixed) / /elidex-review (5-axis: 0 CRIT / 3 IMP / 1 MIN — all fixed: DWGS delegation cites §10.2.6.3→§10.2.1.2 incl. a sweep-caught natives_json.rs swap).

elidex-js 6228 tests / elidex-api-workers / elidex-js-boa green; workspace clippy -D warnings clean.

🤖 Generated with Claude Code

send and others added 5 commits July 3, 2026 03:12
…t post-message steps

Closes slot #11-worker-port-message-no-origin (S5-4 memo §5.5, edge E9).

Spec: the *message port post message steps* (WHATWG HTML §9.4.4,
#message-port-post-message-steps) step 7.7 fire the message event
initializing only `data` + `ports`, so `MessageEvent.origin` keeps the
MessageEventInit default "" — and `Worker.postMessage` /
`DedicatedWorkerGlobalScope.postMessage` delegate to the port
(§10.2.6.3). elidex stamped a page/script origin on BOTH directions.

- Delete the `origin` field from the shared worker channel messages
  (`elidex-api-workers`: `ParentToWorker::PostMessage` /
  `WorkerToParent::PostMessage`) — dead payload once unread — and the
  `origin` arg from `WorkerHandle::post_message`.
- parent→worker: `native_worker_post_message` no longer derives a
  `current_url` origin; the worker loop dispatches with origin "".
- worker→parent: `drain_outgoing` no longer stamps the script-URL
  origin; the main-side drain fires `message` AND `messageerror` with
  origin "" (messageerror mirrors §9.4.4 step 7.4 — also originless).
- Q5 outcome: the channel types are SHARED (`elidex-api-workers`),
  consumed by both the VM and boa → boa construction/destructure sites
  adjusted mechanically (light-touch): worker_thread / runtime drains /
  sw_thread bridge / worker_constructor postMessage.
- `dispatch_worker_message` / `dispatch_message_event_at` KEEP the
  origin parameter: the Service Worker realm shares the seam and its
  `ExtendableMessageEvent.origin` is spec-REQUIRED (SW §3.1.5) —
  documented on both fns.

Tests: worker round-trip origin "" in both directions
(worker_thread_inbound_message_origin_is_empty /
main_worker_message_event_target_and_origin), messageerror origin ""
(main_worker_messageerror_origin_is_empty), window.postMessage origin
regression-pinned to document_origin() (§9.3.3,
post_message_event_origin_is_document_origin), SW inbound message
origin pinned carried-verbatim (inbound_post_message_fires_message_event).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The full §9.4.4 step 7.7 + §10.2.6.3 no-origin derivation was re-stated
at 4 dispatch sites (vm/host/worker.rs x2, vm/worker_thread.rs x2) plus
2 boa mirror sites; the dual-polarity origin contract was stated
near-verbatim on both dispatch_worker_message and
dispatch_message_event_at. Keep the canonical derivations on
elidex_api_workers::ParentToWorker and dispatch_message_event_at (the
real fan-in), reduce every other site to a one-line pointer. Local
constraints (slot-closure provenance, window.postMessage contrast) kept.

Comment/doc-only, no code changes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…essor, fix messageerror cite

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…post_message doc

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…0.2.6.3) + step attribution

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@send

send commented Jul 2, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. 👍

Reviewed commit: c70f6a7ec6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@send

send commented Jul 2, 2026

Copy link
Copy Markdown
Owner Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. More of your lovely PRs please.

Reviewed commit: c70f6a7ec6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@send send merged commit 45727e5 into main Jul 3, 2026
6 checks passed
@send send deleted the s5-4e-worker-message-origin branch July 3, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant