Give URLKeepingBlobAlive a top-origin SecurityOriginData #9184
Conversation
|
EWS run on previous version of this PR (hash b51bd49) |
Source/WebCore/fileapi/Blob.cpp
Outdated
| { | ||
| ASSERT(context); |
There was a problem hiding this comment.
I don't think we should have the assertion, not sure what makes this a guarantee
There was a problem hiding this comment.
I didn't find any call sites where the ScriptExecutionContext should be null, so this was only a sanity check.
There was a problem hiding this comment.
If call sites never passed null, we would take in a C++ reference, not a pointer. If something is a pointer in WebKit, always assume it can be null. If it really cannot, then update the parameter to be a c++ reference.
Source/WebCore/fileapi/Blob.cpp
Outdated
| { | ||
| ASSERT(context); |
There was a problem hiding this comment.
I don't think we should have the assertion, not sure what makes this a guarantee
Source/WebCore/dom/Document.cpp
Outdated
| @@ -3542,7 +3542,9 @@ void Document::setURL(const URL& url) | |||
|
|
|||
| if (SecurityOrigin::shouldIgnoreHost(newURL)) | |||
| newURL.setHostAndPort({ }); | |||
| m_url = WTFMove(newURL); | |||
| // SecurityContext::securityOrigin may not be initialized at this time if setURL() is called in the constructor, therefore calling topOrigin() is not always safe. | |||
| auto topOrigin = isTopDocument() && !SecurityContext::securityOrigin() ? SecurityOriginData::fromURL(url) : this->topOrigin().data(); | |||
There was a problem hiding this comment.
What if the URL is a blob URL? (which is the base we care about I believe).
I see 2 likely issues:
- SecurityOriginData::fromURL(url) likely won't be able to extra the origin from a blob URL
- Even if we addressed the first issue, how would it enforce partitioning?
Imagine this case:
- Frame from origin B (under top level origin A) creates a Blob and gets a URL for it. Then it opens a new window and uses this blob URL as URL for the popup. What's supposed to happen? I imagine the blob should have the "A / B" partitioned origin. Seems like we shouldn't be able to load this Blob in a top level popup? If so, I worry that your code here is not going to achieve this (even if we fix issue 1). Am I missing something?
There was a problem hiding this comment.
Right, I originally used SecurityOrigin::create(url) for this but I change it in this patch, and that is wrong - we do need SecurityOrigin's logic for handling blob URLs. But, as for (2), there are two options:
- the popup has "A / B" blob partitioning (therefore has access to the blob data)
- the popup has "B" blob partitioning (therefore doesn't have access to the blob data)
I was following (2) because creating a top-level navigation with subframe partitioning was conceptually confusing and required more invasive code changes. Following (1) will provide better web compat, but I don't know how common is that use case. If you think we should use (1), then this patch will need changes.
There was a problem hiding this comment.
I think 2 makes sense. The popup would have "B" origin and thus shouldn't be able to load the blob.
There was a problem hiding this comment.
Okay, thanks. I also just remembered and realized you are missing some other context. In w3c/FileAPI#153 there is discussion about how to partition blobs, and the general agreement is that cross-origin top-level navigations to a Blob URL should enforce no-opener.
sysrqb
force-pushed
the
eng/Give-URLKeepingBlobAlive-a-top-origin-SecurityOriginData
branch
from
b51bd49
to
6d7ad48
Compare
|
EWS run on previous version of this PR (hash 6d7ad48) |
| inline FetchRequest::FetchRequest(ScriptExecutionContext* context, std::optional<FetchBody>&& body, Ref<FetchHeaders>&& headers, ResourceRequest&& request, FetchOptions&& options, String&& referrer) | ||
| : FetchBodyOwner(context, WTFMove(body), WTFMove(headers)) | ||
| , m_request(WTFMove(request)) | ||
| , m_requestURL({ m_request.url(), context->topOrigin().data() }) |
There was a problem hiding this comment.
We shouldn't dereference context without a null check. If context really truly can't be null, then we should change the parameter type to be a ScriptExecutionContext&.
There was a problem hiding this comment.
Changing the parameter type seemed safe here, so I went ahead and did that.
sysrqb
force-pushed
the
eng/Give-URLKeepingBlobAlive-a-top-origin-SecurityOriginData
branch
from
6d7ad48
to
79f9ad0
Compare
|
EWS run on previous version of this PR (hash 79f9ad0) |
webkit-ews-buildbot
added
the
merging-blocked
sysrqb
force-pushed
the
eng/Give-URLKeepingBlobAlive-a-top-origin-SecurityOriginData
branch
from
79f9ad0
to
c6db0fa
Compare
|
EWS run on previous version of this PR (hash c6db0fa) |
sysrqb
force-pushed
the
eng/Give-URLKeepingBlobAlive-a-top-origin-SecurityOriginData
branch
from
c6db0fa
to
54ff216
Compare
|
EWS run on current version of this PR (hash 54ff216) |
|
EWS was all green on the last run, this run is just rebasing onto |
achristensen07
added
unsafe-merge-queue
https://bugs.webkit.org/show_bug.cgi?id=251218 rdar://104704879 Reviewed by Chris Dumez. In this patch we construct the URLKeepingBlobAlive with its associated top-level SecurityOrigin(Data). This will be helpful in a future patch where we partition the Blob registry using that top-level origin. URLKeepingBlobAlive needs this information, in particular, because it is responsible for automatically registering and unregistering its Blob URL handle - thus keeping the blob alive as long as it exists, as the class name implies. * Source/WebCore/Modules/fetch/FetchRequest.cpp: (WebCore::FetchRequest::FetchRequest): (WebCore::m_signal): (WebCore::FetchRequest::initializeWith): (WebCore::FetchRequest::create): (WebCore::FetchRequest::clone): (WebCore::FetchRequest::stop): * Source/WebCore/Modules/fetch/FetchRequest.h: (WebCore::FetchRequest::FetchRequest): Deleted. * Source/WebCore/dom/Document.cpp: (WebCore::Document::setURL): * Source/WebCore/fileapi/Blob.cpp: (WebCore::Blob::Blob): (WebCore::Blob::handle const): * Source/WebCore/fileapi/Blob.h: * Source/WebCore/fileapi/URLKeepingBlobAlive.cpp: (WebCore::URLKeepingBlobAlive::URLKeepingBlobAlive): (WebCore::URLKeepingBlobAlive::clear): (WebCore::URLKeepingBlobAlive::operator=): (WebCore::URLKeepingBlobAlive::isolatedCopy const): (WebCore::URLKeepingBlobAlive::isolatedCopy): * Source/WebCore/fileapi/URLKeepingBlobAlive.h: (WebCore::URLKeepingBlobAlive::URLKeepingBlobAlive): Deleted. (WebCore::URLKeepingBlobAlive::operator=): Deleted. * Source/WebCore/loader/NavigationScheduler.cpp: * Source/WebCore/loader/PolicyChecker.cpp: (WebCore::FrameLoader::PolicyChecker::extendBlobURLLifetimeIfNecessary const): (WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy): (WebCore::FrameLoader::PolicyChecker::checkNewWindowPolicy): * Source/WebCore/loader/PolicyChecker.h: * Source/WebCore/workers/WorkerGlobalScope.cpp: (WebCore::WorkerGlobalScope::importScripts): * Source/WebCore/workers/shared/SharedWorker.cpp: (WebCore::SharedWorker::SharedWorker): (WebCore::SharedWorker::didFinishLoading): * Source/WebCore/xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::open): (WebCore::XMLHttpRequest::createRequest): (WebCore::XMLHttpRequest::clearRequest): (WebCore::XMLHttpRequest::didFinishLoading): Canonical link: https://commits.webkit.org/260266@main
webkit-early-warning-system
force-pushed
the
eng/Give-URLKeepingBlobAlive-a-top-origin-SecurityOriginData
branch
from
54ff216
to
6f0e501
Compare
|
Committed 260266@main (6f0e501): https://commits.webkit.org/260266@main Reviewed commits have been landed. Closing PR #9184 and removing active labels. |
webkit-commit-queue
removed
the
unsafe-merge-queue
6f0e501
54ff216