From 4dd7535e6d564e094a7800cfc18e9cd171b96d03 Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Tue, 2 Jun 2026 12:39:19 +0800
Subject: [PATCH 1/8] Don't allow document.close during document.write

56181bbe6cff14701940ec3db29eae96867f90a3 protected against a document.write
generating a document.write.

This protects against a document.write generating a document.close. We cannot
immediately close, so we 'queue' the close (via a boolean) and defer it until
the write is complete.

Fixes crash in WPT: /html/webappapis/dynamic-markup-insertion/document-write/iframe_010.html
From what I can tell, this is the last one of these.
---
 .../reentrant_document_close.html             | 58 +++++++++++++++++++
 src/browser/webapi/Document.zig               | 29 +++++++++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 src/browser/tests/custom_elements/reentrant_document_close.html

diff --git a/src/browser/tests/custom_elements/reentrant_document_close.html b/src/browser/tests/custom_elements/reentrant_document_close.html
new file mode 100644
index 00000000..02fc5491
--- /dev/null
+++ b/src/browser/tests/custom_elements/reentrant_document_close.html
@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<head>
+<script src="../testing.js"></script>
+</head>
+<body>
+<!-- Regression test for a SIGSEGV triggered by re-entrant document.close().
+
+     Sibling to reentrant_document_write.html: that test covers a written
+     <script> calling document.write() re-entrantly. This one covers the
+     document.close() path, which the streaming parser's `feeding` guard did
+     NOT protect.
+
+     A script run by the script-created parser executes synchronously inside
+     html5ever's feed() (we're popping that <script>). If that script calls
+     document.close(), the close ran html5ever_streaming_parser_finish() on the
+     handle still mid-feed on the stack. html5ever's streaming parser is not
+     re-entrant: finishing it there walked an empty open-elements stack and
+     panicked with "no current element", then segfaulted.
+
+     The fix defers the finish: a re-entrant close flags the document, and the
+     write() driving the feed loop completes the close once the loop unwinds and
+     any markup the same script queued has drained. A custom element in the
+     written markup ensures a reaction is queued in the pop scope that crashed. -->
+<script id="reentrant_close">
+window.nestedCloseRan = false;
+window.connectedRan = false;
+
+class ReentrantClose extends HTMLElement {
+    connectedCallback() {
+        window.connectedRan = true;
+    }
+}
+customElements.define('reentrant-close', ReentrantClose);
+
+// onload runs after the initial parse, so document.write() goes through the
+// script-created parser (the path that crashed).
+testing.onload(function () {
+    document.open();
+    document.write(
+        '<reentrant-close></reentrant-close>' +
+        '<scr' + 'ipt>' +
+        'window.nestedCloseRan = true;' +
+        'document.write("<p>nested</p>");' +
+        'document.close();' +
+        '</scr' + 'ipt>'
+    );
+
+    // Reaching here without crashing is the whole point of the test.
+    testing.expectTrue(window.nestedCloseRan);
+    testing.expectTrue(window.connectedRan);
+
+    // The re-entrant close deferred the parser finish until the feed loop
+    // unwound; by now the queued <p>nested</p> has been parsed.
+    testing.expectEqual('nested', document.querySelector('p').textContent);
+});
+</script>
+</body>
+</html>
diff --git a/src/browser/webapi/Document.zig b/src/browser/webapi/Document.zig
index eff8a70b..93f3dc38 100644
--- a/src/browser/webapi/Document.zig
+++ b/src/browser/webapi/Document.zig
@@ -63,6 +63,7 @@ _implementation: ?*DOMImplementation = null,
 _fonts: ?*FontFaceSet = null,
 _write_insertion_point: ?*Node = null,
 _script_created_parser: ?Parser.Streaming = null,
+_close_requested: bool = false,
 _adopted_style_sheets: ?js.Object.Global = null,
 _selection: Selection = .{ ._rc = .init(1) },
 
@@ -764,9 +765,22 @@ fn writeInternal(self: *Document, text: []const []const u8, append_newline: bool
                         log.warn(.dom, "flush after parser panic", .{ .err = flush_err });
                     };
                     self._script_created_parser = null;
+                    self._close_requested = false;
                 };
             }
         }
+
+        if (self._close_requested) {
+            // document.close was executed during a document.write. We couldn't
+            // execute that during the write, but we can now.
+            if (self._script_created_parser) |*parser| {
+                if (parser.feeding == false) {
+                    try self.finishScriptCreatedParser(frame);
+                }
+            } else {
+                self._close_requested = false;
+            }
+        }
         return;
     }
 
@@ -891,10 +905,23 @@ pub fn close(self: *Document, call_frame: *Frame) !void {
         return error.InvalidStateError;
     }
 
-    if (self._script_created_parser == null) {
+    if (self._script_created_parser) |*parser| {
+        if (parser.feeding) {
+            // we're currently in a document.write, we cannot close. We flag
+            // the close and process it at the next safe spot.
+            self._close_requested = true;
+            return;
+        }
+    } else {
         return;
     }
 
+    try self.finishScriptCreatedParser(frame);
+}
+
+fn finishScriptCreatedParser(self: *Document, frame: *Frame) !void {
+    self._close_requested = false;
+
     // done() finishes html5ever's handle and runs the final flushPendingText.
     // Even if flushPendingText errors, the handle is already finished and we
     // must not retain the Streaming — defer so the error path also drops it.

From a7355a57625a4cf4ec7b9b79fc6f91f2a26a25ca Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Tue, 2 Jun 2026 13:00:17 +0800
Subject: [PATCH 2/8] Less arena-reuse (retain) in Debug

Arena reuse/retain can hide UAF issues, often resulting in a crash that is more
symptom than cause (far from where the error actually is). Removing this, lets
us better utilize the DebugAllocator's UAF-detection.

Also, when running WPT tests (-Dwpt_extensions) limit console logging to 100
values (a few tests writer millions of values, which is annoying and just
destroys the terminal).
---
 src/ArenaPool.zig              | 12 +++++++++---
 src/browser/webapi/Console.zig | 15 ++++++++++++---
 src/cdp/domains/page.zig       |  2 +-
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/src/ArenaPool.zig b/src/ArenaPool.zig
index 36f7c71d..29d2a0da 100644
--- a/src/ArenaPool.zig
+++ b/src/ArenaPool.zig
@@ -28,6 +28,9 @@ const ArenaPool = @This();
 
 const IS_DEBUG = builtin.mode == .Debug;
 
+// In Debug, disable pooling to better catch UAF.
+const SAFETY = IS_DEBUG == true and builtin.is_test == false;
+
 pub const BucketSize = enum { tiny, small, medium, large };
 
 const Bucket = struct {
@@ -187,7 +190,8 @@ pub fn release(self: *ArenaPool, allocator: Allocator) void {
         }
     }
 
-    if (bucket.free_list_len >= bucket.free_list_max) {
+    if ((comptime SAFETY) or bucket.free_list_len >= bucket.free_list_max) {
+        // In Debug, we never pool. It can mask UAF bugs.
         arena.deinit();
         self.entry_pool.destroy(entry);
         return;
@@ -200,12 +204,14 @@ pub fn release(self: *ArenaPool, allocator: Allocator) void {
 
 pub fn reset(_: *const ArenaPool, allocator: Allocator, retain: usize) void {
     const arena: *ArenaAllocator = @ptrCast(@alignCast(allocator.ptr));
-    _ = arena.reset(.{ .retain_with_limit = retain });
+    // In Debug, free_all, it's less likely to hide things
+    _ = arena.reset(if (comptime SAFETY) .free_all else .{ .retain_with_limit = retain });
 }
 
 pub fn resetRetain(_: *const ArenaPool, allocator: Allocator) void {
     const arena: *ArenaAllocator = @ptrCast(@alignCast(allocator.ptr));
-    _ = arena.reset(.retain_capacity);
+    // In Debug, free_all, it's less likely to hide things
+    _ = arena.reset(if (comptime SAFETY) .free_all else .retain_capacity);
 }
 
 const testing = std.testing;
diff --git a/src/browser/webapi/Console.zig b/src/browser/webapi/Console.zig
index eea5e700..3d97325a 100644
--- a/src/browser/webapi/Console.zig
+++ b/src/browser/webapi/Console.zig
@@ -175,7 +175,7 @@ const ValueWriter = struct {
     stack: ?[]const u8 = null,
 
     pub fn format(self: ValueWriter, writer: *std.io.Writer) !void {
-        for (self.values, 1..) |value, i| {
+        for (self.valuesToLog(), 1..) |value, i| {
             try writer.print("\n  arg({d}): {f}", .{ i, value });
         }
         if (self.stack) |s| {
@@ -185,7 +185,7 @@ const ValueWriter = struct {
 
     pub fn logFmt(self: ValueWriter, _: []const u8, writer: anytype) !void {
         var buf: [32]u8 = undefined;
-        for (self.values, 0..) |value, i| {
+        for (self.valuesToLog(), 0..) |value, i| {
             const name = try std.fmt.bufPrint(&buf, "param.{d}", .{i});
             try writer.write(name, value);
         }
@@ -193,11 +193,20 @@ const ValueWriter = struct {
 
     pub fn jsonStringify(self: ValueWriter, writer: *std.json.Stringify) !void {
         try writer.beginArray();
-        for (self.values) |value| {
+        for (self.valuesToLog()) |value| {
             try writer.write(value);
         }
         return writer.endArray();
     }
+
+    fn valuesToLog(self: ValueWriter) []js.Value {
+        if (lp.build_config.wpt_extensions) {
+            // A few WPT tests print HUGE arrays, it's at best, annoying when
+            // running it locally
+            return self.values[0..@min(self.values.len, 100)];
+        }
+        return self.values;
+    }
 };
 
 pub const JsApi = struct {
diff --git a/src/cdp/domains/page.zig b/src/cdp/domains/page.zig
index 71aaeafb..ec8ad40a 100644
--- a/src/cdp/domains/page.zig
+++ b/src/cdp/domains/page.zig
@@ -535,7 +535,7 @@ pub fn frameCreated(bc: *CDP.BrowserContext, frame: *Frame) !void {
     const in_commit = bc.session.pendingPage() != null;
 
     if (!in_commit) {
-        _ = bc.cdp.frame_arena.reset(.{ .retain_with_limit = 1024 * 512 });
+        bc.cdp.browser.arena_pool.reset(bc.frame_arena, 1024 * 512);
     }
 
     for (bc.isolated_worlds.items) |isolated_world| {

From e3e3fc25fe6db2571f51d09b0da5da9c3dd7dc41 Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Tue, 2 Jun 2026 17:33:37 +0800
Subject: [PATCH 3/8] Various HTML attribute tweaks

Aimed at improving WPT /html/dom/reflection-obsolete.html Goes from 923 to 2305
passing cases (the remaining failing cases are all for <frame> which we don't
currently support)

Add accessors to Directory, Font and FrameSet. Add HTMLMarqueeElement.

Font setColor null -> ""

Add new properties to Html (accessKey and autofocus) and improve tabIndex
parsing.
---
 src/browser/Frame.zig                         |   4 +-
 src/browser/js/bridge.zig                     |   1 +
 src/browser/tests/element/html/font.html      |  47 ++++++
 .../tests/element/html/htmlelement-props.html |  28 ++++
 src/browser/tests/element/html/marquee.html   | 100 +++++++++++
 src/browser/webapi/Element.zig                |   3 +
 .../webapi/css/CSSStyleDeclaration.zig        |   2 +-
 src/browser/webapi/element/Html.zig           |  84 +++++++++-
 src/browser/webapi/element/html/Directory.zig |  15 ++
 src/browser/webapi/element/html/Font.zig      |  37 +++++
 src/browser/webapi/element/html/FrameSet.zig  |  20 +++
 src/browser/webapi/element/html/Marquee.zig   | 156 ++++++++++++++++++
 12 files changed, 486 insertions(+), 11 deletions(-)
 create mode 100644 src/browser/tests/element/html/font.html
 create mode 100644 src/browser/tests/element/html/marquee.html
 create mode 100644 src/browser/webapi/element/html/Marquee.zig

diff --git a/src/browser/Frame.zig b/src/browser/Frame.zig
index 8f4876d2..ffafef0d 100644
--- a/src/browser/Frame.zig
+++ b/src/browser/Frame.zig
@@ -2586,10 +2586,10 @@ pub fn createElementNS(self: *Frame, namespace: Element.Namespace, name: []const
                         .{ ._proto = undefined },
                     ),
                     asUint("marquee") => return self.createHtmlElementT(
-                        Element.Html.Generic,
+                        Element.Html.Marquee,
                         namespace,
                         attribute_iterator,
-                        .{ ._proto = undefined, ._tag_name = comptime .wrap("marquee"), ._tag = .marquee },
+                        .{ ._proto = undefined },
                     ),
                     asUint("address") => return self.createHtmlElementT(
                         Element.Html.Generic,
diff --git a/src/browser/js/bridge.zig b/src/browser/js/bridge.zig
index 2335d89a..ef215554 100644
--- a/src/browser/js/bridge.zig
+++ b/src/browser/js/bridge.zig
@@ -866,6 +866,7 @@ pub const PageJsApis = flattenTypes(&.{
     @import("../webapi/element/html/LI.zig"),
     @import("../webapi/element/html/Link.zig"),
     @import("../webapi/element/html/Map.zig"),
+    @import("../webapi/element/html/Marquee.zig"),
     @import("../webapi/element/html/Media.zig"),
     @import("../webapi/element/html/Meta.zig"),
     @import("../webapi/element/html/Meter.zig"),
diff --git a/src/browser/tests/element/html/font.html b/src/browser/tests/element/html/font.html
new file mode 100644
index 00000000..bd3d6d31
--- /dev/null
+++ b/src/browser/tests/element/html/font.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<script src="../../testing.js"></script>
+
+<script id="font_constructor">
+  {
+  testing.expectEqual("function", typeof HTMLFontElement)
+
+  const f = document.createElement('font')
+  testing.expectEqual("[object HTMLFontElement]", f.toString())
+  testing.expectEqual("FONT", f.tagName)
+  testing.expectEqual(true, f instanceof HTMLFontElement)
+  testing.expectEqual(true, f instanceof HTMLElement)
+  }
+</script>
+
+<script id="font_string_attributes">
+  {
+  const f = document.createElement('font')
+
+  testing.expectEqual("", f.color)
+  testing.expectEqual("", f.face)
+  testing.expectEqual("", f.size)
+
+  f.color = "red"
+  f.face = "serif"
+  f.size = "7"
+  testing.expectEqual("red", f.color)
+  testing.expectEqual("serif", f.face)
+  testing.expectEqual("7", f.size)
+  testing.expectEqual("red", f.getAttribute("color"))
+  }
+</script>
+
+<script id="font_color_legacy_null_to_empty_string">
+  {
+  // color is `[LegacyNullToEmptyString] DOMString`: null coerces to "", unlike
+  // face/size which stringify null to "null".
+  const f = document.createElement('font')
+
+  f.color = null
+  testing.expectEqual("", f.color)
+  testing.expectEqual("", f.getAttribute("color"))
+
+  f.face = null
+  testing.expectEqual("null", f.face)
+  }
+</script>
diff --git a/src/browser/tests/element/html/htmlelement-props.html b/src/browser/tests/element/html/htmlelement-props.html
index a008adc5..6e625d4f 100644
--- a/src/browser/tests/element/html/htmlelement-props.html
+++ b/src/browser/tests/element/html/htmlelement-props.html
@@ -52,5 +52,33 @@
 
     const textarea = document.createElement('textarea');
     testing.expectEqual(0, textarea.tabIndex);
+
+    // tabIndex follows the HTML "rules for parsing integers": skip leading
+    // ASCII whitespace, take an optional sign and the leading run of digits,
+    // ignoring any trailing junk.
+    d3.setAttribute('tabindex', ' 7');
+    testing.expectEqual(7, d3.tabIndex);
+
+    d3.setAttribute('tabindex', '\t\n\f\r9');
+    testing.expectEqual(9, d3.tabIndex);
+
+    d3.setAttribute('tabindex', '7%');
+    testing.expectEqual(7, d3.tabIndex);
+
+    d3.setAttribute('tabindex', '1.5');
+    testing.expectEqual(1, d3.tabIndex);
+
+    d3.setAttribute('tabindex', '-3');
+    testing.expectEqual(-3, d3.tabIndex);
+
+    d3.setAttribute('tabindex', '+4');
+    testing.expectEqual(4, d3.tabIndex);
+
+    // Non-numeric values fall back to the element's default (-1 here).
+    d3.setAttribute('tabindex', 'foo');
+    testing.expectEqual(-1, d3.tabIndex);
+
+    d3.setAttribute('tabindex', '');
+    testing.expectEqual(-1, d3.tabIndex);
   }
 </script>
diff --git a/src/browser/tests/element/html/marquee.html b/src/browser/tests/element/html/marquee.html
new file mode 100644
index 00000000..12fb4d99
--- /dev/null
+++ b/src/browser/tests/element/html/marquee.html
@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<script src="../../testing.js"></script>
+
+<script id="marquee_constructor">
+  {
+  testing.expectEqual("function", typeof HTMLMarqueeElement)
+
+  const m = document.createElement('marquee')
+  testing.expectEqual("[object HTMLMarqueeElement]", m.toString())
+  testing.expectEqual("MARQUEE", m.tagName)
+  testing.expectEqual(true, m instanceof HTMLMarqueeElement)
+  testing.expectEqual(true, m instanceof HTMLElement)
+  }
+</script>
+
+<script id="marquee_string_attributes">
+  {
+  const m = document.createElement('marquee')
+
+  // Plain string reflects.
+  testing.expectEqual("", m.bgColor)
+  m.bgColor = "red"
+  testing.expectEqual("red", m.bgColor)
+  testing.expectEqual("red", m.getAttribute("bgcolor"))
+
+  m.height = "100"
+  m.width = "200"
+  testing.expectEqual("100", m.height)
+  testing.expectEqual("200", m.width)
+  }
+</script>
+
+<script id="marquee_enumerated_attributes">
+  {
+  const m = document.createElement('marquee')
+
+  // Limited-to-known-values with a default (missing/invalid -> default).
+  testing.expectEqual("scroll", m.behavior)
+  testing.expectEqual("left", m.direction)
+
+  m.setAttribute("behavior", "ALTERNATE")
+  testing.expectEqual("alternate", m.behavior)
+  m.setAttribute("behavior", "nonsense")
+  testing.expectEqual("scroll", m.behavior)
+
+  m.setAttribute("direction", "Up")
+  testing.expectEqual("up", m.direction)
+  m.setAttribute("direction", "sideways")
+  testing.expectEqual("left", m.direction)
+  }
+</script>
+
+<script id="marquee_boolean_attribute">
+  {
+  const m = document.createElement('marquee')
+
+  testing.expectEqual(false, m.trueSpeed)
+  m.trueSpeed = true
+  testing.expectEqual(true, m.trueSpeed)
+  testing.expectEqual("", m.getAttribute("truespeed"))
+  m.trueSpeed = false
+  testing.expectEqual(false, m.trueSpeed)
+  testing.expectEqual(false, m.hasAttribute("truespeed"))
+  }
+</script>
+
+<script id="marquee_unsigned_long_attributes">
+  {
+  const m = document.createElement('marquee')
+
+  // Defaults when unset.
+  testing.expectEqual(0, m.hspace)
+  testing.expectEqual(0, m.vspace)
+  testing.expectEqual(6, m.scrollAmount)
+  testing.expectEqual(85, m.scrollDelay)
+
+  // Rules for parsing non-negative integers: ASCII whitespace prefix and
+  // trailing junk are allowed; VT (\v) is not whitespace; negatives and
+  // out-of-range values fall back to the default.
+  m.setAttribute("hspace", " \t7px")
+  testing.expectEqual(7, m.hspace)
+  m.setAttribute("hspace", "\v7")
+  testing.expectEqual(0, m.hspace)
+  m.setAttribute("hspace", "-1")
+  testing.expectEqual(0, m.hspace)
+  m.setAttribute("scrollAmount", "2147483648")
+  testing.expectEqual(6, m.scrollAmount)
+  m.setAttribute("scrollAmount", "2147483647")
+  testing.expectEqual(2147483647, m.scrollAmount)
+
+  // IDL setter: in-range values are written through, values above the
+  // signed-long max are coerced to the default.
+  m.hspace = 42
+  testing.expectEqual(42, m.hspace)
+  testing.expectEqual("42", m.getAttribute("hspace"))
+  m.scrollAmount = 4294967295
+  testing.expectEqual(6, m.scrollAmount)
+  testing.expectEqual("6", m.getAttribute("scrollamount"))
+  }
+</script>
diff --git a/src/browser/webapi/Element.zig b/src/browser/webapi/Element.zig
index 3a26798e..d898dbd7 100644
--- a/src/browser/webapi/Element.zig
+++ b/src/browser/webapi/Element.zig
@@ -233,6 +233,7 @@ pub fn getTagNameLower(self: *const Element) []const u8 {
                 .li => "li",
                 .link => "link",
                 .map => "map",
+                .marquee => "marquee",
                 .media => |m| switch (m._type) {
                     .audio => "audio",
                     .video => "video",
@@ -313,6 +314,7 @@ pub fn getTagNameSpec(self: *const Element, buf: []u8) []const u8 {
             .li => "LI",
             .link => "LINK",
             .map => "MAP",
+            .marquee => "MARQUEE",
             .meta => "META",
             .media => |m| switch (m._type) {
                 .audio => "AUDIO",
@@ -1507,6 +1509,7 @@ pub fn getTag(self: *const Element) Tag {
             .legend => .legend,
             .li => .li,
             .map => .map,
+            .marquee => .marquee,
             .ul => .ul,
             .ol => .ol,
             .object => .object,
diff --git a/src/browser/webapi/css/CSSStyleDeclaration.zig b/src/browser/webapi/css/CSSStyleDeclaration.zig
index 323bf3af..12833c41 100644
--- a/src/browser/webapi/css/CSSStyleDeclaration.zig
+++ b/src/browser/webapi/css/CSSStyleDeclaration.zig
@@ -722,7 +722,7 @@ fn getDefaultDisplay(element: *const Element) []const u8 {
         .html => |html| {
             return switch (html._type) {
                 .anchor, .br, .span, .label, .time, .font, .mod, .quote => "inline",
-                .body, .div, .dl, .p, .heading, .form, .button, .canvas, .details, .dialog, .embed, .head, .html, .hr, .iframe, .img, .input, .li, .link, .meta, .ol, .option, .script, .select, .slot, .style, .template, .textarea, .title, .ul, .media, .area, .base, .datalist, .directory, .fieldset, .frameset, .legend, .map, .meter, .object, .optgroup, .output, .param, .picture, .pre, .progress, .source, .table, .table_caption, .table_cell, .table_col, .table_row, .table_section, .track => "block",
+                .body, .div, .dl, .p, .heading, .form, .button, .canvas, .details, .dialog, .embed, .head, .html, .hr, .iframe, .img, .input, .li, .link, .meta, .ol, .option, .script, .select, .slot, .style, .template, .textarea, .title, .ul, .media, .area, .base, .datalist, .directory, .fieldset, .frameset, .legend, .map, .marquee, .meter, .object, .optgroup, .output, .param, .picture, .pre, .progress, .source, .table, .table_caption, .table_cell, .table_col, .table_row, .table_section, .track => "block",
                 .generic, .custom, .unknown, .data => blk: {
                     const tag = element.getTagNameLower();
                     if (isInlineTag(tag)) break :blk "inline";
diff --git a/src/browser/webapi/element/Html.zig b/src/browser/webapi/element/Html.zig
index 9a0a9f0c..96a49cfc 100644
--- a/src/browser/webapi/element/Html.zig
+++ b/src/browser/webapi/element/Html.zig
@@ -61,6 +61,7 @@ pub const Legend = @import("html/Legend.zig");
 pub const LI = @import("html/LI.zig");
 pub const Link = @import("html/Link.zig");
 pub const Map = @import("html/Map.zig");
+pub const Marquee = @import("html/Marquee.zig");
 pub const Media = @import("html/Media.zig");
 pub const Meta = @import("html/Meta.zig");
 pub const Meter = @import("html/Meter.zig");
@@ -151,6 +152,7 @@ pub const Type = union(enum) {
     li: *LI,
     link: *Link,
     map: *Map,
+    marquee: *Marquee,
     media: *Media,
     meta: *Meta,
     meter: *Meter,
@@ -342,14 +344,50 @@ pub fn setHidden(self: *HtmlElement, hidden: bool, frame: *Frame) !void {
 }
 
 pub fn getTabIndex(self: *HtmlElement) i32 {
-    const attr = self.asElement().getAttributeSafe(comptime .wrap("tabindex")) orelse {
-        // Per spec, interactive/focusable elements default to 0 when tabindex is absent
-        return switch (self._type) {
-            .anchor, .area, .button, .input, .select, .textarea, .iframe => 0,
-            else => -1,
-        };
+    const default: i32 = switch (self._type) {
+        .anchor, .area, .button, .input, .select, .textarea, .iframe => 0,
+        else => -1,
     };
-    return std.fmt.parseInt(i32, attr, 10) catch -1;
+    const attr = self.asElement().getAttributeSafe(comptime .wrap("tabindex")) orelse return default;
+    return parseInteger(attr) orelse default;
+}
+
+// HTML integer parsing is lax
+pub fn parseInteger(input: []const u8) ?i32 {
+    var normalized = std.mem.trimStart(u8, input, "\t\n\r\x0c ");
+    if (normalized.len == 0) {
+        return null;
+    }
+
+    var negative = false;
+    if (normalized[0] == '-') {
+        negative = true;
+        normalized = normalized[1..];
+    } else if (normalized[0] == '+') {
+        normalized = normalized[1..];
+    }
+
+    if (normalized.len == 0 or std.ascii.isDigit(normalized[0]) == false) {
+        return null;
+    }
+
+    var i: usize = 0;
+    var value: i64 = 0;
+    while (i < normalized.len and std.ascii.isDigit(normalized[i])) : (i += 1) {
+        value = value * 10 + (normalized[i] - '0');
+        if (value > 2147483648) {
+            return null;
+        }
+    }
+
+    if (negative) {
+        value = -value;
+    }
+
+    if (value < -2147483648 or value > 2147483647) {
+        return null;
+    }
+    return @intCast(value);
 }
 
 pub fn setTabIndex(self: *HtmlElement, value: i32, frame: *Frame) !void {
@@ -359,13 +397,41 @@ pub fn setTabIndex(self: *HtmlElement, value: i32, frame: *Frame) !void {
 }
 
 pub fn getDir(self: *HtmlElement) []const u8 {
-    return self.asElement().getAttributeSafe(comptime .wrap("dir")) orelse "";
+    // `dir` reflects as a "limited to only known values" enumerated
+    // attribute: the getter returns the canonical (lowercase) keyword only
+    // when the content attribute matches one ASCII-case-insensitively,
+    // otherwise the empty string.
+    const attr = self.asElement().getAttributeSafe(comptime .wrap("dir")) orelse return "";
+    inline for (.{ "ltr", "rtl", "auto" }) |keyword| {
+        if (std.ascii.eqlIgnoreCase(attr, keyword)) return keyword;
+    }
+    return "";
 }
 
 pub fn setDir(self: *HtmlElement, value: []const u8, frame: *Frame) !void {
     try self.asElement().setAttributeSafe(comptime .wrap("dir"), .wrap(value), frame);
 }
 
+pub fn getAccessKey(self: *HtmlElement) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("accesskey")) orelse "";
+}
+
+pub fn setAccessKey(self: *HtmlElement, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("accesskey"), .wrap(value), frame);
+}
+
+pub fn getAutofocus(self: *HtmlElement) bool {
+    return self.asElement().getAttributeSafe(comptime .wrap("autofocus")) != null;
+}
+
+pub fn setAutofocus(self: *HtmlElement, autofocus: bool, frame: *Frame) !void {
+    if (autofocus) {
+        try self.asElement().setAttributeSafe(comptime .wrap("autofocus"), .wrap(""), frame);
+    } else {
+        try self.asElement().removeAttribute(comptime .wrap("autofocus"), frame);
+    }
+}
+
 pub fn getLang(self: *HtmlElement) []const u8 {
     return self.asElement().getAttributeSafe(comptime .wrap("lang")) orelse "";
 }
@@ -1243,6 +1309,8 @@ pub const JsApi = struct {
     pub const insertAdjacentHTML = bridge.function(HtmlElement.insertAdjacentHTML, .{ .dom_exception = true, .ce_reactions = true });
     pub const click = bridge.function(HtmlElement.click, .{});
 
+    pub const accessKey = bridge.accessor(HtmlElement.getAccessKey, HtmlElement.setAccessKey, .{ .ce_reactions = true });
+    pub const autofocus = bridge.accessor(HtmlElement.getAutofocus, HtmlElement.setAutofocus, .{ .ce_reactions = true });
     pub const dir = bridge.accessor(HtmlElement.getDir, HtmlElement.setDir, .{ .ce_reactions = true });
     pub const hidden = bridge.accessor(HtmlElement.getHidden, HtmlElement.setHidden, .{ .ce_reactions = true });
     pub const isContentEditable = bridge.accessor(HtmlElement.getIsContentEditable, null, .{});
diff --git a/src/browser/webapi/element/html/Directory.zig b/src/browser/webapi/element/html/Directory.zig
index cd9f44d0..e0c488e7 100644
--- a/src/browser/webapi/element/html/Directory.zig
+++ b/src/browser/webapi/element/html/Directory.zig
@@ -1,4 +1,5 @@
 const js = @import("../../../js/js.zig");
+const Frame = @import("../../../Frame.zig");
 const Node = @import("../../Node.zig");
 const Element = @import("../../Element.zig");
 const HtmlElement = @import("../Html.zig");
@@ -14,6 +15,18 @@ pub fn asNode(self: *Directory) *Node {
     return self.asElement().asNode();
 }
 
+pub fn getCompact(self: *Directory) bool {
+    return self.asElement().getAttributeSafe(comptime .wrap("compact")) != null;
+}
+
+pub fn setCompact(self: *Directory, compact: bool, frame: *Frame) !void {
+    if (compact) {
+        try self.asElement().setAttributeSafe(comptime .wrap("compact"), .wrap(""), frame);
+    } else {
+        try self.asElement().removeAttribute(comptime .wrap("compact"), frame);
+    }
+}
+
 pub const JsApi = struct {
     pub const bridge = js.Bridge(Directory);
 
@@ -22,4 +35,6 @@ pub const JsApi = struct {
         pub const prototype_chain = bridge.prototypeChain();
         pub var class_id: bridge.ClassId = undefined;
     };
+
+    pub const compact = bridge.accessor(Directory.getCompact, Directory.setCompact, .{ .ce_reactions = true });
 };
diff --git a/src/browser/webapi/element/html/Font.zig b/src/browser/webapi/element/html/Font.zig
index 3c6dde77..fe0a7bea 100644
--- a/src/browser/webapi/element/html/Font.zig
+++ b/src/browser/webapi/element/html/Font.zig
@@ -1,4 +1,5 @@
 const js = @import("../../../js/js.zig");
+const Frame = @import("../../../Frame.zig");
 const Node = @import("../../Node.zig");
 const Element = @import("../../Element.zig");
 const HtmlElement = @import("../Html.zig");
@@ -14,6 +15,33 @@ pub fn asNode(self: *Font) *Node {
     return self.asElement().asNode();
 }
 
+pub fn getColor(self: *Font) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("color")) orelse "";
+}
+
+pub fn setColor(self: *Font, value: js.Value, frame: *Frame) !void {
+    // color is `[LegacyNullToEmptyString] DOMString`: a JS null becomes "",
+    // not the string "null".
+    const str: []const u8 = if (value.isNull()) "" else try value.toZig([]const u8);
+    try self.asElement().setAttributeSafe(comptime .wrap("color"), .wrap(str), frame);
+}
+
+pub fn getFace(self: *Font) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("face")) orelse "";
+}
+
+pub fn setFace(self: *Font, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("face"), .wrap(value), frame);
+}
+
+pub fn getSize(self: *Font) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("size")) orelse "";
+}
+
+pub fn setSize(self: *Font, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("size"), .wrap(value), frame);
+}
+
 pub const JsApi = struct {
     pub const bridge = js.Bridge(Font);
 
@@ -22,4 +50,13 @@ pub const JsApi = struct {
         pub const prototype_chain = bridge.prototypeChain();
         pub var class_id: bridge.ClassId = undefined;
     };
+
+    pub const color = bridge.accessor(Font.getColor, Font.setColor, .{ .ce_reactions = true });
+    pub const face = bridge.accessor(Font.getFace, Font.setFace, .{ .ce_reactions = true });
+    pub const size = bridge.accessor(Font.getSize, Font.setSize, .{ .ce_reactions = true });
 };
+
+const testing = @import("../../../../testing.zig");
+test "WebApi: HTML.Font" {
+    try testing.htmlRunner("element/html/font.html", .{});
+}
diff --git a/src/browser/webapi/element/html/FrameSet.zig b/src/browser/webapi/element/html/FrameSet.zig
index cafec13d..4e84a25c 100644
--- a/src/browser/webapi/element/html/FrameSet.zig
+++ b/src/browser/webapi/element/html/FrameSet.zig
@@ -1,4 +1,5 @@
 const js = @import("../../../js/js.zig");
+const Frame = @import("../../../Frame.zig");
 const Node = @import("../../Node.zig");
 const Element = @import("../../Element.zig");
 const HtmlElement = @import("../Html.zig");
@@ -14,6 +15,22 @@ pub fn asNode(self: *FrameSet) *Node {
     return self.asElement().asNode();
 }
 
+pub fn getCols(self: *FrameSet) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("cols")) orelse "";
+}
+
+pub fn setCols(self: *FrameSet, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("cols"), .wrap(value), frame);
+}
+
+pub fn getRows(self: *FrameSet) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("rows")) orelse "";
+}
+
+pub fn setRows(self: *FrameSet, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("rows"), .wrap(value), frame);
+}
+
 pub const JsApi = struct {
     pub const bridge = js.Bridge(FrameSet);
 
@@ -22,6 +39,9 @@ pub const JsApi = struct {
         pub const prototype_chain = bridge.prototypeChain();
         pub var class_id: bridge.ClassId = undefined;
     };
+
+    pub const cols = bridge.accessor(FrameSet.getCols, FrameSet.setCols, .{ .ce_reactions = true });
+    pub const rows = bridge.accessor(FrameSet.getRows, FrameSet.setRows, .{ .ce_reactions = true });
 };
 
 const testing = @import("../../../../testing.zig");
diff --git a/src/browser/webapi/element/html/Marquee.zig b/src/browser/webapi/element/html/Marquee.zig
new file mode 100644
index 00000000..4d0c4950
--- /dev/null
+++ b/src/browser/webapi/element/html/Marquee.zig
@@ -0,0 +1,156 @@
+const std = @import("std");
+
+const js = @import("../../../js/js.zig");
+const Frame = @import("../../../Frame.zig");
+const Node = @import("../../Node.zig");
+const Element = @import("../../Element.zig");
+const HtmlElement = @import("../Html.zig");
+
+const Marquee = @This();
+
+_proto: *HtmlElement,
+
+pub fn asElement(self: *Marquee) *Element {
+    return self._proto._proto;
+}
+pub fn asNode(self: *Marquee) *Node {
+    return self.asElement().asNode();
+}
+
+pub fn getBehavior(self: *Marquee) []const u8 {
+    return getEnumerated(self, "behavior", &.{ "scroll", "slide", "alternate" }, "scroll");
+}
+
+pub fn setBehavior(self: *Marquee, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("behavior"), .wrap(value), frame);
+}
+
+pub fn getDirection(self: *Marquee) []const u8 {
+    return getEnumerated(self, "direction", &.{ "up", "right", "down", "left" }, "left");
+}
+
+pub fn setDirection(self: *Marquee, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("direction"), .wrap(value), frame);
+}
+
+pub fn getBgColor(self: *Marquee) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("bgcolor")) orelse "";
+}
+
+pub fn setBgColor(self: *Marquee, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("bgcolor"), .wrap(value), frame);
+}
+
+pub fn getHeight(self: *Marquee) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("height")) orelse "";
+}
+
+pub fn setHeight(self: *Marquee, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("height"), .wrap(value), frame);
+}
+
+pub fn getWidth(self: *Marquee) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("width")) orelse "";
+}
+
+pub fn setWidth(self: *Marquee, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("width"), .wrap(value), frame);
+}
+
+pub fn getHspace(self: *Marquee) u32 {
+    return getU32(self, "hspace", 0);
+}
+
+pub fn setHspace(self: *Marquee, value: u32, frame: *Frame) !void {
+    try setU32(self, "hspace", value, 0, frame);
+}
+
+pub fn getVspace(self: *Marquee) u32 {
+    return getU32(self, "vspace", 0);
+}
+
+pub fn setVspace(self: *Marquee, value: u32, frame: *Frame) !void {
+    try setU32(self, "vspace", value, 0, frame);
+}
+
+pub fn getScrollAmount(self: *Marquee) u32 {
+    return getU32(self, "scrollamount", 6);
+}
+
+pub fn setScrollAmount(self: *Marquee, value: u32, frame: *Frame) !void {
+    try setU32(self, "scrollamount", value, 6, frame);
+}
+
+pub fn getScrollDelay(self: *Marquee) u32 {
+    return getU32(self, "scrolldelay", 85);
+}
+
+pub fn setScrollDelay(self: *Marquee, value: u32, frame: *Frame) !void {
+    try setU32(self, "scrolldelay", value, 85, frame);
+}
+
+pub fn getTrueSpeed(self: *Marquee) bool {
+    return self.asElement().getAttributeSafe(comptime .wrap("truespeed")) != null;
+}
+
+pub fn setTrueSpeed(self: *Marquee, truespeed: bool, frame: *Frame) !void {
+    if (truespeed) {
+        try self.asElement().setAttributeSafe(comptime .wrap("truespeed"), .wrap(""), frame);
+    } else {
+        try self.asElement().removeAttribute(comptime .wrap("truespeed"), frame);
+    }
+}
+
+fn getEnumerated(self: *Marquee, comptime attr: []const u8, keywords: []const []const u8, default: []const u8) []const u8 {
+    const value = self.asElement().getAttributeSafe(comptime .wrap(attr)) orelse return default;
+    for (keywords) |keyword| {
+        if (std.ascii.eqlIgnoreCase(value, keyword)) return keyword;
+    }
+    return default;
+}
+
+// Reflects an `unsigned long` content attribute: parses with the "rules for
+// parsing non-negative integers" (the lax integer parser, then rejecting a
+// negative result), so a valid value lands in [0, 2147483647].
+fn getU32(self: *Marquee, comptime attr: []const u8, default: u32) u32 {
+    const value = self.asElement().getAttributeSafe(comptime .wrap(attr)) orelse return default;
+    const parsed = HtmlElement.parseInteger(value) orelse return default;
+
+    if (parsed < 0) {
+        return default;
+    }
+    return @intCast(parsed);
+}
+
+fn setU32(self: *Marquee, comptime attr: []const u8, value: u32, default: u32, frame: *Frame) !void {
+    const written = if (value > 2147483647) default else value;
+    var buf: [10]u8 = undefined;
+    const str = std.fmt.bufPrint(&buf, "{d}", .{written}) catch unreachable;
+    try self.asElement().setAttributeSafe(comptime .wrap(attr), .wrap(str), frame);
+}
+
+pub const JsApi = struct {
+    pub const bridge = js.Bridge(Marquee);
+
+    pub const Meta = struct {
+        pub const name = "HTMLMarqueeElement";
+        pub const prototype_chain = bridge.prototypeChain();
+        pub var class_id: bridge.ClassId = undefined;
+    };
+
+    pub const behavior = bridge.accessor(Marquee.getBehavior, Marquee.setBehavior, .{ .ce_reactions = true });
+    pub const bgColor = bridge.accessor(Marquee.getBgColor, Marquee.setBgColor, .{ .ce_reactions = true });
+    pub const direction = bridge.accessor(Marquee.getDirection, Marquee.setDirection, .{ .ce_reactions = true });
+    pub const height = bridge.accessor(Marquee.getHeight, Marquee.setHeight, .{ .ce_reactions = true });
+    pub const hspace = bridge.accessor(Marquee.getHspace, Marquee.setHspace, .{ .ce_reactions = true });
+    pub const scrollAmount = bridge.accessor(Marquee.getScrollAmount, Marquee.setScrollAmount, .{ .ce_reactions = true });
+    pub const scrollDelay = bridge.accessor(Marquee.getScrollDelay, Marquee.setScrollDelay, .{ .ce_reactions = true });
+    pub const trueSpeed = bridge.accessor(Marquee.getTrueSpeed, Marquee.setTrueSpeed, .{ .ce_reactions = true });
+    pub const vspace = bridge.accessor(Marquee.getVspace, Marquee.setVspace, .{ .ce_reactions = true });
+    pub const width = bridge.accessor(Marquee.getWidth, Marquee.setWidth, .{ .ce_reactions = true });
+};
+
+const testing = @import("../../../../testing.zig");
+test "WebApi: HTML.Marquee" {
+    try testing.htmlRunner("element/html/marquee.html", .{});
+}

From 3d00061287eec09382946c840888ce944b537eff Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Tue, 2 Jun 2026 18:05:37 +0800
Subject: [PATCH 4/8] Fix UAF on FinalizerCallback.Identity memory

From a real case involving a modified version of our bing integration. Our
`releaseRef` (release from v8) destroys the FinalizerCallback.Identity but kept
it in the identities list. `releaseRef` now removes it from the list, so that
when FC.deinit is called, it doesn't try to access the freed identity.
---
 src/browser/js/Local.zig | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/browser/js/Local.zig b/src/browser/js/Local.zig
index ef15c4a1..15fc3d1e 100644
--- a/src/browser/js/Local.zig
+++ b/src/browser/js/Local.zig
@@ -34,6 +34,7 @@ const v8 = js.v8;
 const log = lp.log;
 const CallOpts = Caller.CallOpts;
 const FinalizerCallback = js.FinalizerCallback;
+const IS_DEBUG = @import("builtin").mode == .Debug;
 
 // Where js.Context has a lifetime tied to the frame, and holds the
 // v8::Global<v8::Context>, this has a much shorter lifetime and holds a
@@ -1271,15 +1272,35 @@ fn resolveT(comptime T: type, value: *T) Resolved {
                     const finalizer_ptr_id = identity_finalizer.finalizer_ptr_id;
                     const fc = page.finalizer_callbacks.get(finalizer_ptr_id) orelse return;
 
-                    const identity_count = fc.identity_count;
-                    if (identity_count == 1) {
+                    {
+                        // Unlink this identity from the FC's intrusive list
+                        var prev: ?*FinalizerCallback.Identity = null;
+                        var node = fc.identities;
+                        while (node) |n| {
+                            if (n == identity_finalizer) {
+                                if (prev) |p| {
+                                    p.next = n.next;
+                                } else {
+                                    fc.identities = n.next;
+                                }
+                                fc.identity_count -= 1;
+                                break;
+                            }
+                            prev = n;
+                            node = n.next;
+                        } else {
+                            if (comptime IS_DEBUG) {
+                                std.debug.assert(false);
+                            }
+                        }
+                    }
+
+                    if (fc.identity_count == 0) {
                         // Last identity - clean up the FC.
                         // Remove from map before releaseRef to prevent address reuse issues.
                         _ = page.finalizer_callbacks.remove(finalizer_ptr_id);
                         FT.releaseRef(@ptrFromInt(finalizer_ptr_id), page);
                         page.releaseArena(fc.arena);
-                    } else {
-                        fc.identity_count = identity_count - 1;
                     }
                 }
 

From 8c8bcac053c8d024ee5f43e0b1e4a6c93ce95373 Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Tue, 2 Jun 2026 18:43:31 +0800
Subject: [PATCH 5/8] More HTML attributes

Stacked on https://github.com/lightpanda-io/browser/pull/2604 and driven by
a different WPT test: /html/dom/reflection-metadata.html

Goes from 1527 to 3074 passing cases. Largely just adding more attributes and
adding validation to attributes where necessary.
---
 src/browser/tests/element/html/style.html   |   2 +-
 src/browser/webapi/element/Html.zig         | 108 ++++++++++---------
 src/browser/webapi/element/html/Base.zig    |   9 ++
 src/browser/webapi/element/html/Link.zig    | 111 ++++++++++++++++++--
 src/browser/webapi/element/html/Marquee.zig |  18 ++--
 src/browser/webapi/element/html/Meta.zig    |   9 ++
 src/browser/webapi/element/html/Style.zig   |   2 +-
 7 files changed, 193 insertions(+), 66 deletions(-)

diff --git a/src/browser/tests/element/html/style.html b/src/browser/tests/element/html/style.html
index 5a5cb4be..45aeed4e 100644
--- a/src/browser/tests/element/html/style.html
+++ b/src/browser/tests/element/html/style.html
@@ -49,7 +49,7 @@
 <script id="type">
   {
     const style = document.createElement('style');
-    testing.expectEqual('text/css', style.type);
+    testing.expectEqual('', style.type);
 
     style.type = 'text/plain';
     testing.expectEqual('text/plain', style.type);
diff --git a/src/browser/webapi/element/Html.zig b/src/browser/webapi/element/Html.zig
index 96a49cfc..be14f4bd 100644
--- a/src/browser/webapi/element/Html.zig
+++ b/src/browser/webapi/element/Html.zig
@@ -352,44 +352,6 @@ pub fn getTabIndex(self: *HtmlElement) i32 {
     return parseInteger(attr) orelse default;
 }
 
-// HTML integer parsing is lax
-pub fn parseInteger(input: []const u8) ?i32 {
-    var normalized = std.mem.trimStart(u8, input, "\t\n\r\x0c ");
-    if (normalized.len == 0) {
-        return null;
-    }
-
-    var negative = false;
-    if (normalized[0] == '-') {
-        negative = true;
-        normalized = normalized[1..];
-    } else if (normalized[0] == '+') {
-        normalized = normalized[1..];
-    }
-
-    if (normalized.len == 0 or std.ascii.isDigit(normalized[0]) == false) {
-        return null;
-    }
-
-    var i: usize = 0;
-    var value: i64 = 0;
-    while (i < normalized.len and std.ascii.isDigit(normalized[i])) : (i += 1) {
-        value = value * 10 + (normalized[i] - '0');
-        if (value > 2147483648) {
-            return null;
-        }
-    }
-
-    if (negative) {
-        value = -value;
-    }
-
-    if (value < -2147483648 or value > 2147483647) {
-        return null;
-    }
-    return @intCast(value);
-}
-
 pub fn setTabIndex(self: *HtmlElement, value: i32, frame: *Frame) !void {
     var buf: [12]u8 = undefined;
     const str = std.fmt.bufPrint(&buf, "{d}", .{value}) catch unreachable;
@@ -397,15 +359,7 @@ pub fn setTabIndex(self: *HtmlElement, value: i32, frame: *Frame) !void {
 }
 
 pub fn getDir(self: *HtmlElement) []const u8 {
-    // `dir` reflects as a "limited to only known values" enumerated
-    // attribute: the getter returns the canonical (lowercase) keyword only
-    // when the content attribute matches one ASCII-case-insensitively,
-    // otherwise the empty string.
-    const attr = self.asElement().getAttributeSafe(comptime .wrap("dir")) orelse return "";
-    inline for (.{ "ltr", "rtl", "auto" }) |keyword| {
-        if (std.ascii.eqlIgnoreCase(attr, keyword)) return keyword;
-    }
-    return "";
+    return reflectEnumerated(self.asElement().getAttributeSafe(comptime .wrap("dir")), &.{ "ltr", "rtl", "auto" }, "", "").?;
 }
 
 pub fn setDir(self: *HtmlElement, value: []const u8, frame: *Frame) !void {
@@ -432,6 +386,14 @@ pub fn setAutofocus(self: *HtmlElement, autofocus: bool, frame: *Frame) !void {
     }
 }
 
+pub fn getNonce(self: *HtmlElement) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("nonce")) orelse "";
+}
+
+pub fn setNonce(self: *HtmlElement, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("nonce"), .wrap(value), frame);
+}
+
 pub fn getLang(self: *HtmlElement) []const u8 {
     return self.asElement().getAttributeSafe(comptime .wrap("lang")) orelse "";
 }
@@ -1289,6 +1251,57 @@ pub fn getOnWheel(self: *HtmlElement, frame: *Frame) !?js.Function.Global {
     return self.getAttributeFunction(.onwheel, frame);
 }
 
+// HTML integer parsing is lax
+pub fn parseInteger(input: []const u8) ?i32 {
+    var normalized = std.mem.trimStart(u8, input, "\t\n\r\x0c ");
+    if (normalized.len == 0) {
+        return null;
+    }
+
+    var negative = false;
+    if (normalized[0] == '-') {
+        negative = true;
+        normalized = normalized[1..];
+    } else if (normalized[0] == '+') {
+        normalized = normalized[1..];
+    }
+
+    if (normalized.len == 0 or std.ascii.isDigit(normalized[0]) == false) {
+        return null;
+    }
+
+    var i: usize = 0;
+    var value: i64 = 0;
+    while (i < normalized.len and std.ascii.isDigit(normalized[i])) : (i += 1) {
+        value = value * 10 + (normalized[i] - '0');
+        if (value > 2147483648) {
+            return null;
+        }
+    }
+
+    if (negative) {
+        value = -value;
+    }
+
+    if (value < -2147483648 or value > 2147483647) {
+        return null;
+    }
+    return @intCast(value);
+}
+
+pub fn reflectEnumerated(
+    value: ?[]const u8,
+    keywords: []const []const u8,
+    missing: ?[]const u8,
+    invalid: ?[]const u8,
+) ?[]const u8 {
+    const v = value orelse return missing;
+    for (keywords) |keyword| {
+        if (std.ascii.eqlIgnoreCase(v, keyword)) return keyword;
+    }
+    return invalid;
+}
+
 pub const JsApi = struct {
     pub const bridge = js.Bridge(HtmlElement);
 
@@ -1315,6 +1328,7 @@ pub const JsApi = struct {
     pub const hidden = bridge.accessor(HtmlElement.getHidden, HtmlElement.setHidden, .{ .ce_reactions = true });
     pub const isContentEditable = bridge.accessor(HtmlElement.getIsContentEditable, null, .{});
     pub const lang = bridge.accessor(HtmlElement.getLang, HtmlElement.setLang, .{ .ce_reactions = true });
+    pub const nonce = bridge.accessor(HtmlElement.getNonce, HtmlElement.setNonce, .{ .ce_reactions = true });
     pub const tabIndex = bridge.accessor(HtmlElement.getTabIndex, HtmlElement.setTabIndex, .{ .ce_reactions = true });
     pub const title = bridge.accessor(HtmlElement.getTitle, HtmlElement.setTitle, .{ .ce_reactions = true });
 
diff --git a/src/browser/webapi/element/html/Base.zig b/src/browser/webapi/element/html/Base.zig
index bb5616c8..9f86df1c 100644
--- a/src/browser/webapi/element/html/Base.zig
+++ b/src/browser/webapi/element/html/Base.zig
@@ -17,6 +17,14 @@ pub fn asNode(self: *Base) *Node {
     return self.asElement().asNode();
 }
 
+pub fn getTarget(self: *Base) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("target")) orelse "";
+}
+
+pub fn setTarget(self: *Base, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("target"), .wrap(value), frame);
+}
+
 pub fn getHref(self: *Base, frame: *Frame) ![]const u8 {
     const element = self.asElement();
     const href = element.getAttributeSafe(comptime .wrap("href")) orelse return "";
@@ -65,6 +73,7 @@ pub const JsApi = struct {
     };
 
     pub const href = bridge.accessor(Base.getHref, Base.setHref, .{ .ce_reactions = true });
+    pub const target = bridge.accessor(Base.getTarget, Base.setTarget, .{ .ce_reactions = true });
 };
 
 const testing = @import("../../../../testing.zig");
diff --git a/src/browser/webapi/element/html/Link.zig b/src/browser/webapi/element/html/Link.zig
index e9c62472..49ab7a6d 100644
--- a/src/browser/webapi/element/html/Link.zig
+++ b/src/browser/webapi/element/html/Link.zig
@@ -70,13 +70,50 @@ pub fn setRel(self: *Link, value: []const u8, frame: *Frame) !void {
 }
 
 pub fn getAs(self: *const Link) []const u8 {
-    return self.asConstElement().getAttributeSafe(comptime .wrap("as")) orelse "";
+    const valid_as = [_][]const u8{
+        "fetch",
+        "audio",
+        "document",
+        "embed",
+        "font",
+        "image",
+        "manifest",
+        "object",
+        "report",
+        "script",
+        "sharedworker",
+        "style",
+        "track",
+        "video",
+        "worker",
+        "xslt",
+    };
+    return HtmlElement.reflectEnumerated(self.asConstElement().getAttributeSafe(comptime .wrap("as")), &valid_as, "", "").?;
 }
 
 pub fn setAs(self: *Link, value: []const u8, frame: *Frame) !void {
     return self.asElement().setAttributeSafe(comptime .wrap("as"), .wrap(value), frame);
 }
 
+pub fn getReferrerPolicy(self: *const Link) []const u8 {
+    const valid_referrer_policy = [_][]const u8{
+        "",
+        "no-referrer",
+        "no-referrer-when-downgrade",
+        "same-origin",
+        "origin",
+        "strict-origin",
+        "origin-when-cross-origin",
+        "strict-origin-when-cross-origin",
+        "unsafe-url",
+    };
+    return HtmlElement.reflectEnumerated(self.asConstElement().getAttributeSafe(.wrap("referrerpolicy")), &valid_referrer_policy, "", "").?;
+}
+
+pub fn setReferrerPolicy(self: *Link, value: []const u8, frame: *Frame) !void {
+    return self.asElement().setAttributeSafe(.wrap("referrerpolicy"), .wrap(value), frame);
+}
+
 pub fn getMedia(self: *Link) []const u8 {
     return self.asElement().getAttributeSafe(comptime .wrap("media")) orelse return "";
 }
@@ -86,15 +123,68 @@ pub fn setMedia(self: *Link, value: []const u8, frame: *Frame) !void {
 }
 
 pub fn getCrossOrigin(self: *const Link) ?[]const u8 {
-    return self.asConstElement().getAttributeSafe(comptime .wrap("crossorigin"));
+    const valid_cross_origin = [_][]const u8{
+        "anonymous", "use-credentials",
+    };
+    return HtmlElement.reflectEnumerated(self.asConstElement().getAttributeSafe(comptime .wrap("crossorigin")), &valid_cross_origin, null, "anonymous");
 }
 
-pub fn setCrossOrigin(self: *Link, value: []const u8, frame: *Frame) !void {
-    var normalized: []const u8 = "anonymous";
-    if (std.ascii.eqlIgnoreCase(value, "use-credentials")) {
-        normalized = "use-credentials";
+pub fn setCrossOrigin(self: *Link, value: ?[]const u8, frame: *Frame) !void {
+    // Nullable reflection: a null (or undefined) value removes the attribute;
+    // otherwise the content attribute mirrors the value verbatim and the
+    // getter canonicalizes it.
+    if (value) |v| {
+        return self.asElement().setAttributeSafe(comptime .wrap("crossorigin"), .wrap(v), frame);
     }
-    return self.asElement().setAttributeSafe(comptime .wrap("crossorigin"), .wrap(normalized), frame);
+    return self.asElement().removeAttribute(comptime .wrap("crossorigin"), frame);
+}
+
+pub fn getCharset(self: *const Link) []const u8 {
+    return self.asConstElement().getAttributeSafe(comptime .wrap("charset")) orelse "";
+}
+
+pub fn setCharset(self: *Link, value: []const u8, frame: *Frame) !void {
+    return self.asElement().setAttributeSafe(comptime .wrap("charset"), .wrap(value), frame);
+}
+
+pub fn getHreflang(self: *const Link) []const u8 {
+    return self.asConstElement().getAttributeSafe(comptime .wrap("hreflang")) orelse "";
+}
+
+pub fn setHreflang(self: *Link, value: []const u8, frame: *Frame) !void {
+    return self.asElement().setAttributeSafe(comptime .wrap("hreflang"), .wrap(value), frame);
+}
+
+pub fn getIntegrity(self: *const Link) []const u8 {
+    return self.asConstElement().getAttributeSafe(comptime .wrap("integrity")) orelse "";
+}
+
+pub fn setIntegrity(self: *Link, value: []const u8, frame: *Frame) !void {
+    return self.asElement().setAttributeSafe(comptime .wrap("integrity"), .wrap(value), frame);
+}
+
+pub fn getType(self: *const Link) []const u8 {
+    return self.asConstElement().getAttributeSafe(comptime .wrap("type")) orelse "";
+}
+
+pub fn setType(self: *Link, value: []const u8, frame: *Frame) !void {
+    return self.asElement().setAttributeSafe(comptime .wrap("type"), .wrap(value), frame);
+}
+
+pub fn getRev(self: *const Link) []const u8 {
+    return self.asConstElement().getAttributeSafe(comptime .wrap("rev")) orelse "";
+}
+
+pub fn setRev(self: *Link, value: []const u8, frame: *Frame) !void {
+    return self.asElement().setAttributeSafe(comptime .wrap("rev"), .wrap(value), frame);
+}
+
+pub fn getTarget(self: *const Link) []const u8 {
+    return self.asConstElement().getAttributeSafe(comptime .wrap("target")) orelse "";
+}
+
+pub fn setTarget(self: *Link, value: []const u8, frame: *Frame) !void {
+    return self.asElement().setAttributeSafe(comptime .wrap("target"), .wrap(value), frame);
 }
 
 pub fn linkAddedCallback(self: *Link, frame: *Frame) !void {
@@ -145,6 +235,13 @@ pub const JsApi = struct {
     pub const media = bridge.accessor(Link.getMedia, Link.setMedia, .{ .ce_reactions = true });
     pub const href = bridge.accessor(Link.getHref, Link.setHref, .{ .ce_reactions = true });
     pub const crossOrigin = bridge.accessor(Link.getCrossOrigin, Link.setCrossOrigin, .{ .ce_reactions = true });
+    pub const referrerPolicy = bridge.accessor(Link.getReferrerPolicy, Link.setReferrerPolicy, .{ .ce_reactions = true });
+    pub const charset = bridge.accessor(Link.getCharset, Link.setCharset, .{ .ce_reactions = true });
+    pub const hreflang = bridge.accessor(Link.getHreflang, Link.setHreflang, .{ .ce_reactions = true });
+    pub const integrity = bridge.accessor(Link.getIntegrity, Link.setIntegrity, .{ .ce_reactions = true });
+    pub const @"type" = bridge.accessor(Link.getType, Link.setType, .{ .ce_reactions = true });
+    pub const rev = bridge.accessor(Link.getRev, Link.setRev, .{ .ce_reactions = true });
+    pub const target = bridge.accessor(Link.getTarget, Link.setTarget, .{ .ce_reactions = true });
     pub const relList = bridge.accessor(_getRelList, null, .{ .null_as_undefined = true });
 
     fn _getRelList(self: *Link, frame: *Frame) !?*@import("../../collections.zig").DOMTokenList {
diff --git a/src/browser/webapi/element/html/Marquee.zig b/src/browser/webapi/element/html/Marquee.zig
index 4d0c4950..74c1d6b5 100644
--- a/src/browser/webapi/element/html/Marquee.zig
+++ b/src/browser/webapi/element/html/Marquee.zig
@@ -18,7 +18,10 @@ pub fn asNode(self: *Marquee) *Node {
 }
 
 pub fn getBehavior(self: *Marquee) []const u8 {
-    return getEnumerated(self, "behavior", &.{ "scroll", "slide", "alternate" }, "scroll");
+    const valid_behavior = [_][]const u8{
+        "scroll", "slide", "alternate",
+    };
+    return HtmlElement.reflectEnumerated(self.asElement().getAttributeSafe(comptime .wrap("behavior")), &valid_behavior, "scroll", "scroll").?;
 }
 
 pub fn setBehavior(self: *Marquee, value: []const u8, frame: *Frame) !void {
@@ -26,7 +29,10 @@ pub fn setBehavior(self: *Marquee, value: []const u8, frame: *Frame) !void {
 }
 
 pub fn getDirection(self: *Marquee) []const u8 {
-    return getEnumerated(self, "direction", &.{ "up", "right", "down", "left" }, "left");
+    const valid_direction = [_][]const u8{
+        "up", "right", "down", "left",
+    };
+    return HtmlElement.reflectEnumerated(self.asElement().getAttributeSafe(comptime .wrap("direction")), &valid_direction, "left", "left").?;
 }
 
 pub fn setDirection(self: *Marquee, value: []const u8, frame: *Frame) !void {
@@ -101,14 +107,6 @@ pub fn setTrueSpeed(self: *Marquee, truespeed: bool, frame: *Frame) !void {
     }
 }
 
-fn getEnumerated(self: *Marquee, comptime attr: []const u8, keywords: []const []const u8, default: []const u8) []const u8 {
-    const value = self.asElement().getAttributeSafe(comptime .wrap(attr)) orelse return default;
-    for (keywords) |keyword| {
-        if (std.ascii.eqlIgnoreCase(value, keyword)) return keyword;
-    }
-    return default;
-}
-
 // Reflects an `unsigned long` content attribute: parses with the "rules for
 // parsing non-negative integers" (the lax integer parser, then rejecting a
 // negative result), so a valid value lands in [0, 2147483647].
diff --git a/src/browser/webapi/element/html/Meta.zig b/src/browser/webapi/element/html/Meta.zig
index 5f698996..6dceae34 100644
--- a/src/browser/webapi/element/html/Meta.zig
+++ b/src/browser/webapi/element/html/Meta.zig
@@ -68,6 +68,14 @@ pub fn setMedia(self: *Meta, value: []const u8, frame: *Frame) !void {
     try self.asElement().setAttributeSafe(comptime .wrap("media"), .wrap(value), frame);
 }
 
+pub fn getScheme(self: *Meta) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("scheme")) orelse return "";
+}
+
+pub fn setScheme(self: *Meta, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("scheme"), .wrap(value), frame);
+}
+
 pub const JsApi = struct {
     pub const bridge = js.Bridge(MetaElement);
 
@@ -81,4 +89,5 @@ pub const JsApi = struct {
     pub const httpEquiv = bridge.accessor(MetaElement.getHttpEquiv, MetaElement.setHttpEquiv, .{ .ce_reactions = true });
     pub const content = bridge.accessor(MetaElement.getContent, MetaElement.setContent, .{ .ce_reactions = true });
     pub const media = bridge.accessor(MetaElement.getMedia, MetaElement.setMedia, .{ .ce_reactions = true });
+    pub const scheme = bridge.accessor(MetaElement.getScheme, MetaElement.setScheme, .{ .ce_reactions = true });
 };
diff --git a/src/browser/webapi/element/html/Style.zig b/src/browser/webapi/element/html/Style.zig
index 995b8f05..48388a20 100644
--- a/src/browser/webapi/element/html/Style.zig
+++ b/src/browser/webapi/element/html/Style.zig
@@ -57,7 +57,7 @@ pub fn setMedia(self: *Style, value: []const u8, frame: *Frame) !void {
 }
 
 pub fn getType(self: *const Style) []const u8 {
-    return self.asConstElement().getAttributeSafe(comptime .wrap("type")) orelse "text/css";
+    return self.asConstElement().getAttributeSafe(comptime .wrap("type")) orelse "";
 }
 
 pub fn setType(self: *Style, value: []const u8, frame: *Frame) !void {

From 2451b41af5552f293ffc8638848667544a80b097 Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Tue, 2 Jun 2026 19:55:20 +0800
Subject: [PATCH 6/8] Switch env.contexts to ArrayList to support having more

A lot of WPT tests do something like:

```js
    const frame = document.createElement("iframe");
    t.add_cleanup(() => {
      frame.remove();
    });
    ... run a test
```

But our frame.remove (Element.remove) doesn't destroy the frame/context. It
can't. We don't know what is referencing it. So these WPT tests that create
_thousands_ of these quickly run into TooManyContexts errors.

As a quick solution, we now allow up to 8K contexts to be created when running
WPT tests (`-Dwpt_extensions`). Env.contexts becomes an arraylist rather than
an arary (so avoid having to pay that 8192 * 64 byte penalty for tests that
don't need 8K contexts).

An example of such a test is: /encoding/unsupported-labels.window.html
---
 src/browser/js/Env.zig | 39 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 18 deletions(-)

diff --git a/src/browser/js/Env.zig b/src/browser/js/Env.zig
index cf69a6fa..45452ffc 100644
--- a/src/browser/js/Env.zig
+++ b/src/browser/js/Env.zig
@@ -38,6 +38,8 @@ const JsApis = bridge.JsApis;
 const Allocator = std.mem.Allocator;
 const IS_DEBUG = builtin.mode == .Debug;
 
+const MAX_CONTEXTS = if (lp.build_config.wpt_extensions) 8192 else 128;
+
 fn initClassIds() void {
     inline for (JsApis, 0..) |JsApi, i| {
         JsApi.Meta.class_id = i;
@@ -63,8 +65,7 @@ platform: *const Platform,
 // the global isolate
 isolate: js.Isolate,
 
-contexts: [64]*Context,
-context_count: usize,
+contexts: std.ArrayList(*Context),
 
 // just kept around because we need to free it on deinit
 isolate_params: *v8.CreateParams,
@@ -184,8 +185,7 @@ pub fn init(app: *App, opts: InitOpts) !Env {
         .app = app,
         .context_id = 0,
         .allocator = allocator,
-        .contexts = undefined,
-        .context_count = 0,
+        .contexts = .empty,
         .isolate = isolate,
         .platform = &app.platform,
         .templates = templates,
@@ -199,11 +199,12 @@ pub fn init(app: *App, opts: InitOpts) !Env {
 
 pub fn deinit(self: *Env) void {
     if (comptime IS_DEBUG) {
-        std.debug.assert(self.context_count == 0);
+        std.debug.assert(self.contexts.items.len == 0);
     }
-    for (self.contexts[0..self.context_count]) |ctx| {
+    for (self.contexts.items) |ctx| {
         ctx.deinit();
     }
+    self.contexts.deinit(self.allocator);
 
     const app = self.app;
     const allocator = app.allocator;
@@ -338,22 +339,18 @@ fn _createContext(self: *Env, global: anytype, params: ContextParams) !*Context
     // a v8 context, we can get our context out
     v8.v8__Context__SetAlignedPointerInEmbedderData(v8_context, 1, @ptrCast(context));
 
-    const count = self.context_count;
-    if (count >= self.contexts.len) {
+    if (self.contexts.items.len >= MAX_CONTEXTS) {
         return error.TooManyContexts;
     }
-    self.contexts[count] = context;
-    self.context_count = count + 1;
+    try self.contexts.append(self.allocator, context);
 
     return context;
 }
 
 pub fn destroyContext(self: *Env, context: *Context) void {
-    for (self.contexts[0..self.context_count], 0..) |ctx, i| {
+    for (self.contexts.items, 0..) |ctx, i| {
         if (ctx == context) {
-            // Swap with last element and decrement count
-            self.context_count -= 1;
-            self.contexts[i] = self.contexts[self.context_count];
+            _ = self.contexts.swapRemove(i);
             break;
         }
     } else {
@@ -387,9 +384,11 @@ pub fn runMicrotasks(self: *Env) void {
         self.microtask_queues_are_running = true;
         defer self.microtask_queues_are_running = false;
 
+        // Re-read len/items each iteration: a checkpoint can run JS that creates
+        // a new context (e.g. an iframe), appending to (and reallocating) the list.
         var i: usize = 0;
-        while (i < self.context_count) : (i += 1) {
-            const ctx = self.contexts[i];
+        while (i < self.contexts.items.len) : (i += 1) {
+            const ctx = self.contexts.items[i];
             v8.v8__MicrotaskQueue__PerformCheckpoint(ctx.microtask_queue, v8_isolate);
         }
     }
@@ -400,7 +399,11 @@ pub fn runMacrotasks(self: *Env) !void {
         return;
     }
 
-    for (self.contexts[0..self.context_count]) |ctx| {
+    // Re-read len/items each iteration: scheduler.run() can create a new context
+    // (e.g. an iframe), appending to (and reallocating) the list.
+    var i: usize = 0;
+    while (i < self.contexts.items.len) : (i += 1) {
+        const ctx = self.contexts.items[i];
         if (comptime builtin.is_test == false) {
             // I hate this comptime check as much as you do. But we have tests
             // which rely on short execution before shutdown. In real world, it's
@@ -420,7 +423,7 @@ pub fn runMacrotasks(self: *Env) !void {
 
 pub fn msToNextMacrotask(self: *Env) ?u64 {
     var next_task: u64 = std.math.maxInt(u64);
-    for (self.contexts[0..self.context_count]) |ctx| {
+    for (self.contexts.items) |ctx| {
         const candidate = ctx.scheduler.msToNextHigh() orelse continue;
         next_task = @min(candidate, next_task);
     }

From 9ba7dbd9b7de6af7b279176ea392d5aeb61d8ff9 Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Tue, 2 Jun 2026 20:17:30 +0800
Subject: [PATCH 7/8] Extract ZigToCurlAllocator into it's own file, only use
 in debug

Extract ZigToCurlAllocator to its own file and rename it to CurlDebugAllocator
to indicate that it is only used in debug. Also, only use it in debug.

In release mode, this just adds 16 bytes of overhead per allocation that curl
makes. In debug mode, it's the same overhead, but it at least hooks into the
std's DebugAllocator which can detect misuse.
---
 src/network/CurlDebugAllocator.zig | 134 +++++++++++++++++++++++++++++
 src/network/Network.zig            | 122 +++-----------------------
 2 files changed, 144 insertions(+), 112 deletions(-)
 create mode 100644 src/network/CurlDebugAllocator.zig

diff --git a/src/network/CurlDebugAllocator.zig b/src/network/CurlDebugAllocator.zig
new file mode 100644
index 00000000..7fc700e5
--- /dev/null
+++ b/src/network/CurlDebugAllocator.zig
@@ -0,0 +1,134 @@
+// Copyright (C) 2023-2026  Lightpanda (Selecy SAS)
+//
+// Francis Bouvier <francis@lightpanda.io>
+// Pierre Tachoire <pierre@lightpanda.io>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+const std = @import("std");
+const lp = @import("lightpanda");
+
+const libcurl = @import("../sys/libcurl.zig");
+
+const Allocator = std.mem.Allocator;
+
+const CurlDebugAllocator = @This();
+
+// C11 requires malloc to return memory aligned to max_align_t (16 bytes on x86_64).
+// We match this guarantee since libcurl expects malloc-compatible alignment.
+const alignment = 16;
+
+var instance: ?CurlDebugAllocator = null;
+
+allocator: Allocator,
+
+pub fn init(allocator: Allocator) void {
+    lp.assert(instance == null, "Initialization of curl must happen only once", .{});
+    instance = .{ .allocator = allocator };
+}
+
+pub fn interface() libcurl.CurlAllocator {
+    return .{
+        .free = free,
+        .strdup = strdup,
+        .malloc = malloc,
+        .calloc = calloc,
+        .realloc = realloc,
+    };
+}
+
+fn _allocBlock(size: usize) ?*Block {
+    const slice = instance.?.allocator.alignedAlloc(u8, .fromByteUnits(alignment), Block.fullsize(size)) catch return null;
+    const block: *Block = @ptrCast(@alignCast(slice.ptr));
+    block.size = size;
+    return block;
+}
+
+fn _freeBlock(header: *Block) void {
+    instance.?.allocator.free(header.slice());
+}
+
+fn malloc(size: usize) ?*anyopaque {
+    const block = _allocBlock(size) orelse return null;
+    return @ptrCast(block.data());
+}
+
+fn calloc(nmemb: usize, size: usize) ?*anyopaque {
+    const total = nmemb * size;
+    const block = _allocBlock(total) orelse return null;
+    const ptr = block.data();
+    @memset(ptr[0..total], 0); // for historical reasons, calloc zeroes memory, but malloc does not.
+    return @ptrCast(ptr);
+}
+
+fn realloc(ptr: ?*anyopaque, size: usize) ?*anyopaque {
+    const p = ptr orelse return malloc(size);
+    const block = Block.fromPtr(p);
+
+    const old_size = block.size;
+    if (size == old_size) return ptr;
+
+    if (instance.?.allocator.resize(block.slice(), alignment + size)) {
+        block.size = size;
+        return ptr;
+    }
+
+    const copy_size = @min(old_size, size);
+    const new_block = _allocBlock(size) orelse return null;
+    @memcpy(new_block.data()[0..copy_size], block.data()[0..copy_size]);
+    _freeBlock(block);
+    return @ptrCast(new_block.data());
+}
+
+fn free(ptr: ?*anyopaque) void {
+    const p = ptr orelse return;
+    _freeBlock(Block.fromPtr(p));
+}
+
+fn strdup(str: [*:0]const u8) ?[*:0]u8 {
+    const len = std.mem.len(str);
+    const header = _allocBlock(len + 1) orelse return null;
+    const ptr = header.data();
+    @memcpy(ptr[0..len], str[0..len]);
+    ptr[len] = 0;
+    return ptr[0..len :0];
+}
+
+const Block = extern struct {
+    size: usize = 0,
+    _padding: [alignment - @sizeOf(usize)]u8 = .{0} ** (alignment - @sizeOf(usize)),
+
+    inline fn fullsize(bytes: usize) usize {
+        return alignment + bytes;
+    }
+
+    inline fn fromPtr(ptr: *anyopaque) *Block {
+        const raw: [*]u8 = @ptrCast(ptr);
+        return @ptrCast(@alignCast(raw - @sizeOf(Block)));
+    }
+
+    inline fn data(self: *Block) [*]u8 {
+        const ptr: [*]u8 = @ptrCast(self);
+        return ptr + @sizeOf(Block);
+    }
+
+    inline fn slice(self: *Block) []align(alignment) u8 {
+        const base: [*]align(alignment) u8 = @ptrCast(@alignCast(self));
+        return base[0 .. alignment + self.size];
+    }
+};
+
+comptime {
+    std.debug.assert(@sizeOf(Block) == alignment);
+}
diff --git a/src/network/Network.zig b/src/network/Network.zig
index c7591805..cbc1b454 100644
--- a/src/network/Network.zig
+++ b/src/network/Network.zig
@@ -30,6 +30,7 @@ const http = @import("http.zig");
 const IpFilter = @import("IpFilter.zig");
 const RobotStore = @import("Robots.zig").RobotStore;
 const WebBotAuth = @import("WebBotAuth.zig");
+const CurlDebugAllocator = @import("CurlDebugAllocator.zig");
 
 const Cache = @import("cache/Cache.zig");
 const FsCache = @import("cache/FsCache.zig");
@@ -39,6 +40,7 @@ const net = std.net;
 const posix = std.posix;
 const Allocator = std.mem.Allocator;
 const DoublyLinkedList = std.DoublyLinkedList;
+const IS_DEBUG = builtin.mode == .Debug;
 
 const Network = @This();
 
@@ -152,120 +154,16 @@ const TickCallback = struct {
     fun: *const fn (*anyopaque) void,
 };
 
-const ZigToCurlAllocator = struct {
-    // C11 requires malloc to return memory aligned to max_align_t (16 bytes on x86_64).
-    // We match this guarantee since libcurl expects malloc-compatible alignment.
-    const alignment = 16;
-
-    const Block = extern struct {
-        size: usize = 0,
-        _padding: [alignment - @sizeOf(usize)]u8 = .{0} ** (alignment - @sizeOf(usize)),
-
-        inline fn fullsize(bytes: usize) usize {
-            return alignment + bytes;
-        }
-
-        inline fn fromPtr(ptr: *anyopaque) *Block {
-            const raw: [*]u8 = @ptrCast(ptr);
-            return @ptrCast(@alignCast(raw - @sizeOf(Block)));
-        }
-
-        inline fn data(self: *Block) [*]u8 {
-            const ptr: [*]u8 = @ptrCast(self);
-            return ptr + @sizeOf(Block);
-        }
-
-        inline fn slice(self: *Block) []align(alignment) u8 {
-            const base: [*]align(alignment) u8 = @ptrCast(@alignCast(self));
-            return base[0 .. alignment + self.size];
-        }
-    };
-
-    comptime {
-        std.debug.assert(@sizeOf(Block) == alignment);
-    }
-
-    var instance: ?ZigToCurlAllocator = null;
-
-    allocator: Allocator,
-
-    pub fn init(allocator: Allocator) void {
-        lp.assert(instance == null, "Initialization of curl must happen only once", .{});
-        instance = .{ .allocator = allocator };
-    }
-
-    pub fn interface() libcurl.CurlAllocator {
-        return .{
-            .free = free,
-            .strdup = strdup,
-            .malloc = malloc,
-            .calloc = calloc,
-            .realloc = realloc,
-        };
-    }
-
-    fn _allocBlock(size: usize) ?*Block {
-        const slice = instance.?.allocator.alignedAlloc(u8, .fromByteUnits(alignment), Block.fullsize(size)) catch return null;
-        const block: *Block = @ptrCast(@alignCast(slice.ptr));
-        block.size = size;
-        return block;
-    }
-
-    fn _freeBlock(header: *Block) void {
-        instance.?.allocator.free(header.slice());
-    }
-
-    fn malloc(size: usize) ?*anyopaque {
-        const block = _allocBlock(size) orelse return null;
-        return @ptrCast(block.data());
-    }
-
-    fn calloc(nmemb: usize, size: usize) ?*anyopaque {
-        const total = nmemb * size;
-        const block = _allocBlock(total) orelse return null;
-        const ptr = block.data();
-        @memset(ptr[0..total], 0); // for historical reasons, calloc zeroes memory, but malloc does not.
-        return @ptrCast(ptr);
-    }
-
-    fn realloc(ptr: ?*anyopaque, size: usize) ?*anyopaque {
-        const p = ptr orelse return malloc(size);
-        const block = Block.fromPtr(p);
-
-        const old_size = block.size;
-        if (size == old_size) return ptr;
-
-        if (instance.?.allocator.resize(block.slice(), alignment + size)) {
-            block.size = size;
-            return ptr;
-        }
-
-        const copy_size = @min(old_size, size);
-        const new_block = _allocBlock(size) orelse return null;
-        @memcpy(new_block.data()[0..copy_size], block.data()[0..copy_size]);
-        _freeBlock(block);
-        return @ptrCast(new_block.data());
-    }
-
-    fn free(ptr: ?*anyopaque) void {
-        const p = ptr orelse return;
-        _freeBlock(Block.fromPtr(p));
-    }
-
-    fn strdup(str: [*:0]const u8) ?[*:0]u8 {
-        const len = std.mem.len(str);
-        const header = _allocBlock(len + 1) orelse return null;
-        const ptr = header.data();
-        @memcpy(ptr[0..len], str[0..len]);
-        ptr[len] = 0;
-        return ptr[0..len :0];
-    }
-};
-
 fn globalInit(allocator: Allocator) void {
-    ZigToCurlAllocator.init(allocator);
+    // Only route curl's own allocations through our allocator in Debug, so the
+    // leak detector sees them. In Release it'd just wrap c_allocator (curl's
+    // default malloc anyway) at the cost of a per-allocation header.
+    const curl_allocator = comptime if (IS_DEBUG) CurlDebugAllocator.interface() else null;
+    if (comptime IS_DEBUG) {
+        CurlDebugAllocator.init(allocator);
+    }
 
-    libcurl.curl_global_init(.{ .ssl = true }, ZigToCurlAllocator.interface()) catch |err| {
+    libcurl.curl_global_init(.{ .ssl = true }, curl_allocator) catch |err| {
         lp.assert(false, "curl global init", .{ .err = err });
     };
 }

From 8116214a420170094dbd67b3276ebb8683a0ebaa Mon Sep 17 00:00:00 2001
From: Rohit <71192000+rohitsux@users.noreply.github.com>
Date: Wed, 3 Jun 2026 00:49:03 +0530
Subject: [PATCH 8/8] feat(webapi): reflect name and value on HTMLParamElement

Add the reflected DOMString attributes name and value to the
existing HTMLParamElement, per HTML 15.3
(https://html.spec.whatwg.org/multipage/obsolete.html#htmlparamelement).
Mirrors the reflection idiom used by HTMLTimeElement / HTMLDataElement.

Advances the html/dom/reflection-obsolete.html WPT row.
---
 src/browser/tests/element/html/param.html | 36 +++++++++++++++++++++++
 src/browser/webapi/element/html/Param.zig | 25 ++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 src/browser/tests/element/html/param.html

diff --git a/src/browser/tests/element/html/param.html b/src/browser/tests/element/html/param.html
new file mode 100644
index 00000000..12ef80b7
--- /dev/null
+++ b/src/browser/tests/element/html/param.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<script src="../../testing.js"></script>
+
+<param id="p1" name="n0" value="v0">
+
+<script id="name">
+  {
+    const p = document.getElementById('p1');
+    testing.expectEqual('n0', p.name);
+
+    p.name = 'n1';
+    testing.expectEqual('n1', p.getAttribute('name'));
+
+    p.setAttribute('name', 'n2');
+    testing.expectEqual('n2', p.name);
+
+    const p2 = document.createElement('param');
+    testing.expectEqual('', p2.name);
+  }
+</script>
+
+<script id="value">
+  {
+    const p = document.getElementById('p1');
+    testing.expectEqual('v0', p.value);
+
+    p.value = 'v1';
+    testing.expectEqual('v1', p.getAttribute('value'));
+
+    p.setAttribute('value', 'v2');
+    testing.expectEqual('v2', p.value);
+
+    const p2 = document.createElement('param');
+    testing.expectEqual('', p2.value);
+  }
+</script>
diff --git a/src/browser/webapi/element/html/Param.zig b/src/browser/webapi/element/html/Param.zig
index 41d909f5..b7cb9d47 100644
--- a/src/browser/webapi/element/html/Param.zig
+++ b/src/browser/webapi/element/html/Param.zig
@@ -1,4 +1,5 @@
 const js = @import("../../../js/js.zig");
+const Frame = @import("../../../Frame.zig");
 const Node = @import("../../Node.zig");
 const Element = @import("../../Element.zig");
 const HtmlElement = @import("../Html.zig");
@@ -14,6 +15,22 @@ pub fn asNode(self: *Param) *Node {
     return self.asElement().asNode();
 }
 
+pub fn getName(self: *Param) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("name")) orelse "";
+}
+
+pub fn setName(self: *Param, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("name"), .wrap(value), frame);
+}
+
+pub fn getValue(self: *Param) []const u8 {
+    return self.asElement().getAttributeSafe(comptime .wrap("value")) orelse "";
+}
+
+pub fn setValue(self: *Param, value: []const u8, frame: *Frame) !void {
+    try self.asElement().setAttributeSafe(comptime .wrap("value"), .wrap(value), frame);
+}
+
 pub const JsApi = struct {
     pub const bridge = js.Bridge(Param);
 
@@ -22,4 +39,12 @@ pub const JsApi = struct {
         pub const prototype_chain = bridge.prototypeChain();
         pub var class_id: bridge.ClassId = undefined;
     };
+
+    pub const name = bridge.accessor(Param.getName, Param.setName, .{ .ce_reactions = true });
+    pub const value = bridge.accessor(Param.getValue, Param.setValue, .{ .ce_reactions = true });
 };
+
+const testing = @import("../../../../testing.zig");
+test "WebApi: HTML.Param" {
+    try testing.htmlRunner("element/html/param.html", .{});
+}