fix(s5-4e): dedicated-worker MessageEvent origin = "" per message-port post-message steps#445
Merged
Conversation
…t post-message steps Closes slot #11-worker-port-message-no-origin (S5-4 memo §5.5, edge E9). Spec: the *message port post message steps* (WHATWG HTML §9.4.4, #message-port-post-message-steps) step 7.7 fire the message event initializing only `data` + `ports`, so `MessageEvent.origin` keeps the MessageEventInit default "" — and `Worker.postMessage` / `DedicatedWorkerGlobalScope.postMessage` delegate to the port (§10.2.6.3). elidex stamped a page/script origin on BOTH directions. - Delete the `origin` field from the shared worker channel messages (`elidex-api-workers`: `ParentToWorker::PostMessage` / `WorkerToParent::PostMessage`) — dead payload once unread — and the `origin` arg from `WorkerHandle::post_message`. - parent→worker: `native_worker_post_message` no longer derives a `current_url` origin; the worker loop dispatches with origin "". - worker→parent: `drain_outgoing` no longer stamps the script-URL origin; the main-side drain fires `message` AND `messageerror` with origin "" (messageerror mirrors §9.4.4 step 7.4 — also originless). - Q5 outcome: the channel types are SHARED (`elidex-api-workers`), consumed by both the VM and boa → boa construction/destructure sites adjusted mechanically (light-touch): worker_thread / runtime drains / sw_thread bridge / worker_constructor postMessage. - `dispatch_worker_message` / `dispatch_message_event_at` KEEP the origin parameter: the Service Worker realm shares the seam and its `ExtendableMessageEvent.origin` is spec-REQUIRED (SW §3.1.5) — documented on both fns. Tests: worker round-trip origin "" in both directions (worker_thread_inbound_message_origin_is_empty / main_worker_message_event_target_and_origin), messageerror origin "" (main_worker_messageerror_origin_is_empty), window.postMessage origin regression-pinned to document_origin() (§9.3.3, post_message_event_origin_is_document_origin), SW inbound message origin pinned carried-verbatim (inbound_post_message_fires_message_event). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The full §9.4.4 step 7.7 + §10.2.6.3 no-origin derivation was re-stated at 4 dispatch sites (vm/host/worker.rs x2, vm/worker_thread.rs x2) plus 2 boa mirror sites; the dual-polarity origin contract was stated near-verbatim on both dispatch_worker_message and dispatch_message_event_at. Keep the canonical derivations on elidex_api_workers::ParentToWorker and dispatch_message_event_at (the real fan-in), reduce every other site to a one-line pointer. Local constraints (slot-closure provenance, window.postMessage contrast) kept. Comment/doc-only, no code changes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…essor, fix messageerror cite Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…post_message doc Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…0.2.6.3) + step attribution Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Owner
Author
|
@codex review |
|
Codex Review: Didn't find any major issues. 👍 Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Owner
Author
|
@codex review |
|
Codex Review: Didn't find any major issues. More of your lovely PRs please. Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
S5-4e — slice of the S5-4 sandbox/security enforcement cluster (plan-memo
docs/plans/2026-07-s5-4-sandbox-enforcement.md§5.5, which rides PR #444 per the {4a,4b,4e}-parallel structure). Closes defer slot#11-worker-port-message-no-origin.Per HTML §9.4.4 message port post message steps step 7.7, the
messageevent initializes onlydata+ports—originstays theMessageEventInitdefault"";Worker.postMessage(§10.2.6.3) andDedicatedWorkerGlobalScope.postMessage(§10.2.1.2) delegate to the port. elidex stamped a page/script origin on both directions of the dedicated-worker channel.originfield DELETED from the channel types (ParentToWorker::PostMessage/WorkerToParent::PostMessage,elidex-api-workers) — a dedicated-worker message carrying an origin is now unconstructible (by-construction fix, not call-site zeroing). All five dispatch sites pass""(static literal, removes a per-messageStringclone from the hot path).messageerroralsoorigin = ""(§9.4.4 step 7.4).WorkerHandle::script_urlaccessor + field + ctor/spawn_workerparam — its sole reader was the removed origin stamping (WorkerLocation / errorfilenameread the worker-side URL copy, unaffected).ExtendableMessageEvent.originspec-REQUIRED, SW §3.1.5) — regression-pinned;window.postMessagekeepsdocument_origin()(§9.3.3) — contrast pin added. The shared VM dispatch seam keeps itsoriginparam for the SW polarity (documented dual contract).elidex-api-workers→ boa sites adjusted mechanically (light-touch, deletion-bound D-26 PR7).Tests
worker_thread_inbound_message_origin_is_empty(real thread round-trip,typeof e.originprobe),main_worker_message_event_target_and_origin("null"→""),main_worker_messageerror_origin_is_empty(synthetic peer through the real drain),onmessage_handler_receives_data_and_empty_origin, plus contrast pinspost_message_event_origin_is_document_origin(window) and SWinbound_post_message_fires_message_event(now asserts the carried origin).Gate
/pre-push 6-stage complete: fmt /
mise run ci×4 green / /simplify (2 doc-dedup fixes to canonical homes) / /code-review high (2 CONFIRMED fixed: deadscript_urlAPI deletion;messageerrorcite §10.2.6.1→§9.4.4 step 7.4) / /review (6 angles: A/B/C/conventions = none, 2 trivial MINs fixed) / /elidex-review (5-axis: 0 CRIT / 3 IMP / 1 MIN — all fixed: DWGS delegation cites §10.2.6.3→§10.2.1.2 incl. a sweep-caughtnatives_json.rsswap).elidex-js 6228 tests / elidex-api-workers / elidex-js-boa green; workspace clippy
-D warningsclean.🤖 Generated with Claude Code