RSS

April in Servo: new Android UI, focus, forms, security fixes, and more

maxloh1 pts0 comments

April in Servo: new Android UI, focus, forms, security fixes, and more! - Servo aims to empower developers with a lightweight, high-performance alternative for embedding web technologies in applications.

April in Servo: new Android UI, focus, forms, security fixes, and more!

Plus better inspection of values in the DevTools Console and Debugger tabs.

Posted 2026-05-31

Servo 0.2.0 contains all of the changes we landed in April, which came out to yet another record 534 commits (March: 530).<br>For security fixes, see § Security .

Note: the GitHub release is available now, but the crates.io release is not yet complete.<br>We expect to publish it some time next week .

`, ``, ‘::details-content::before’ and ‘::details-content::after’, and ‘color-mix()’ with any number of colors">

We’ve shipped several new web platform features:

(@lukewarlow, @mrobinson, #43189)

(@simonwuelker, #44246)

playback on OpenHarmony (@rayguo17, #43208)

‘minimum-scale’ and ‘maximum-scale’ values in (@shubhamg13, #40098, #43715)

‘color-mix()’ with any number of values (@Loirooriol, #43890)

‘&::before’ and ‘&::after’ in ‘::details-content’ (@Loirooriol, #43878)

‘revert-rule’ (@Loirooriol, #43878)

‘tab-size’ (@mrobinson, @SimonSapin, #44480)

‘text-align: match-parent’ (@TG199, #44073)

new Worker() with blob URLs (@jdm, #44004)

get­Context("webgl") on Offscreen­Canvas (@niyabits, #44159)

the detail property on Performance­Mark and Performance­Measure (@shubhamg13, #44289, #44272)

Plus a bunch of new DOM APIs:

‘selectionchange’ events on and (@TimvdLippe, #44461)

Storage­Manager , in experimental mode (@Taym95, #43976)

active­Element on Document and Shadow­Root (@mrobinson, #43861)

crypto.subtle.supports() (@kkoyung, #43703) – Servo is the first major browser engine to support this!

cell­Padding , cell­Spacing , and align properties on HTML­Table­Element (@mrobinson, #43903) – previously supported in HTML only

related­Target on ‘focus’ and ‘blur’ events (@mrobinson, #43926)

transfer­From­Image­Bitmap() on Image­Bitmap­Rendering­Context (@Messi002, #43984)

Servo’s support for text in Chinese , Japanese , and Korean languages has improved, with correct wrapping in the layout engine (@SharanRP, #43744), and CJK fonts now enabled in servoshell’s browser UI on Windows, Linux, and FreeBSD (@yezhizhen, @CynthiaOketch, @nortti0, #44055, #44138, #44514).

Navigating to a JSON file as the top-level document now renders the JSON with an interactive pretty-printer (@webbeef, @TimvdLippe, #43702).

April was a big milestone for Servo, with some automated tests failing because they had hard-coded cookie expiry dates set to April 2016 plus ten years.<br>Surprise!<br>We’re still here.<br>Here’s to the next 100 years of Servo (@jdm, #44341).

This is another big update, so here’s an outline:

Security

Work in progress

servoshell

For developers

Embedding API

More on the web platform

Performance and stability

Security

Crypto­Key now zeroes buffers containing key material after use (@kkoyung, #44597).

With only a few exceptions, you can only access DOM APIs in another document if that document is in the same origin .<br>But if that document is in the same site with a different port number, Servo currently allows these accesses even though it shouldn’t.<br>We’ve fixed some (but not all) of these incorrect accesses, specifically those that involve binding a Window or Location method in this document with a this from the other document (@yvt, @jdm, #28583).

We’ve fixed a bug where local­Storage and session­Storage were usable in sandboxed and shared with every other sandboxed , rather than throwing Security­Error (@Taym95, #44002).

We’ve fixed a bug where local­Storage and session­Storage were shared between all documents , rather than isolated using the origin of the containing document (@niyabits, #43988, #44038).

We’ve fixed a bug where IndexedDB was usable in sandboxed and data: URL web workers (@Taym95, #44088).

We’ve fixed a bug where pages in some IP address origins can evict cookies from other IP address origins (@officialasishkumar, #44152).<br>Only evicting cookies was possible, not reading or writing them.

We’ve fixed an out-of-bounds memory read in tex­Image3D() on Web­GL2­Rendering­Context (@simartin, #44270), and fixed some undefined behaviour in servoshell’s signal handler (@Narfinger, #43891).

Work in progress

IndexedDB is now enabled in servoshell’s experimental mode (@arihant2math, #44245).<br>As always, embedders can enable it with Preferences::dom­_indexeddb­_enabled (@arihant2math, #44245, #44283).

IndexedDB now uses Servo’s new “client storage” system, which is based on the Storage Standard and will allow us to have a unified on-disk format and quota management for all web platform features that persistently store data (@gterzian, #44374, #43900).<br>We’ve also made key range queries more efficient (@arihant2math, #39009), landed improvements to IDB­Database, IDB­Object­Store, IDB­Cursor, IDB­Key­Range, IDB­Request, and to the...

servo security document storage fixed april

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.