April in Servo: new Android UI, focus, forms, security fixes, and more
April in Servo: new Android UI, focus, forms, security fixes, and more! Plus better inspection of values in the DevTools Console and Debugger tabs. Posted 2026-05-31
Servo 0.2.0 contains all of the changes we landed in April, which came out to yet another record 534 commits (March: 530). For security fixes, see § Security.
We’ve shipped several new web platform features: <select multiple>, <template shadowrootslotassignment>, <video> playback on OpenHarmony, ‘minimum-scale’ and ‘maximum-scale’ values in <meta name=viewport>, ‘color-mix()’ with any number of <color> values, ‘&::before’ and ‘&::after’ in ‘::details-content’, ‘revert-rule’, ‘tab-size’, ‘text-align: match-parent’, new Worker() with blob URLs, getContext("webgl") on OffscreenCanvas, and the detail property on PerformanceMark and PerformanceMeasure.
Plus a bunch of new DOM APIs: ‘selectionchange’ events on <input> and <textarea>, StorageManager (experimental), activeElement on Document and ShadowRoot, crypto.subtle.supports() (Servo is the first major browser engine to support this!), cellPadding, cellSpacing, and align properties on HTMLTableElement, relatedTarget on ‘focus’ and ‘blur’ events, and transferFromImageBitmap() on ImageBitmapRenderingContext.
Servo’s support for text in Chinese, Japanese, and Korean languages has improved, with correct wrapping in the layout engine, and CJK fonts now enabled in servoshell’s browser UI on Windows, Linux, and FreeBSD. Navigating to a JSON file as the top-level document now renders the JSON with an interactive pretty-printer.
April was a big milestone for Servo, with some automated tests failing because they had hard-coded cookie expiry dates set to April 2016 plus ten years. Surprise! We’re still here. Here’s to the next 100 years of Servo.
Security
CryptoKey now zeroes buffers containing key material after use.
With only a few exceptions, you can only access DOM APIs in another document if that document is in the same origin. We’ve fixed some (but not all) of these incorrect accesses, specifically those that involve binding a Window or Location method in this document with a this from the other document.
We’ve fixed a bug where localStorage and sessionStorage were usable in sandboxed <iframe> and shared with every other sandboxed <iframe>, rather than throwing SecurityError.
We’ve fixed a bug where localStorage and sessionStorage were shared between all <iframe srcdoc> documents, rather than isolated using the origin of the containing document.
We’ve fixed a bug where IndexedDB was usable in sandboxed <iframe> and data: URL web workers.
We’ve fixed a bug where pages in some IP address origins can evict cookies from other IP address origins.
We’ve fixed an out-of-bounds memory read in texImage3D() on WebGL2RenderingContext, and fixed some undefined behaviour in servoshell’s signal handler.
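The storage fixes above all come down to how a document's origin is derived before a storage area is handed out. As an added example (a simplified JavaScript model, not Servo's implementation; every function and object name in it is hypothetical, and the data: URL worker is modelled as a plain document), this shows sandboxed and data: URL contexts getting SecurityError, and srcdoc frames being keyed by the containing document's origin:

```javascript
// Added illustration, not Servo code. All names are hypothetical.
class SecurityError extends Error {}
const OPAQUE = Symbol("opaque origin");

// doc = { url, parent, sandbox }; sandbox is null (no attribute) or the
// list of tokens from the <iframe sandbox> attribute.
// Sandbox flags are inherited by nested documents, so walk the ancestors.
function hasSandboxedOrigin(doc) {
  for (let d = doc; d; d = d.parent) {
    if (d.sandbox && !d.sandbox.includes("allow-same-origin")) return true;
  }
  return false;
}

function effectiveOrigin(doc) {
  if (hasSandboxedOrigin(doc)) return OPAQUE;        // sandboxed <iframe>
  if (doc.url.startsWith("data:")) return OPAQUE;    // e.g. data: URL worker
  if (doc.url === "about:srcdoc") return effectiveOrigin(doc.parent);
  return new URL(doc.url).origin;                    // scheme + host + port
}

const areas = new Map(); // origin -> storage area, one per origin

function storageFor(doc) {
  const origin = effectiveOrigin(doc);
  if (origin === OPAQUE) {
    throw new SecurityError("storage is not available to an opaque origin");
  }
  if (!areas.has(origin)) areas.set(origin, new Map());
  return areas.get(origin);
}

// Constructed sample documents.
const pageA = { url: "https://a.example/", parent: null, sandbox: null };
const pageB = { url: "https://b.example/", parent: null, sandbox: null };
const srcdocA = { url: "about:srcdoc", parent: pageA, sandbox: null };
const srcdocB = { url: "about:srcdoc", parent: pageB, sandbox: null };
const sandboxed = { url: "about:srcdoc", parent: pageA, sandbox: ["allow-scripts"] };
const dataWorker = { url: "data:text/javascript,postMessage(1)", parent: null, sandbox: null };

function isDenied(doc) {
  try { storageFor(doc); return false; }
  catch (e) { return e instanceof SecurityError; }
}

storageFor(srcdocA).set("k", "from A");
console.log(storageFor(pageA).get("k"), storageFor(srcdocB).get("k"),
            isDenied(sandboxed), isDenied(dataWorker));
```

The same checks make a useful regression test for any embedder: a value written from one srcdoc frame must be visible to its container and invisible to a srcdoc frame under a different origin.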