-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Give URLKeepingBlobAlive a top-origin SecurityOriginData #9184
Give URLKeepingBlobAlive a top-origin SecurityOriginData #9184
Conversation
EWS run on previous version of this PR (hash b51bd49) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not opposed to adding a topOrigin to this class (since this class has Blob in its name). However, I have some other comments.
Source/WebCore/fileapi/Blob.cpp
Outdated
{ | ||
ASSERT(context); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should have the assertion, not sure what makes this a guarantee
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't find any call sites where the ScriptExecutionContext should be null, so this was only a sanity check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If call sites never passed null, we would take in a C++ reference, not a pointer. If something is a pointer in WebKit, always assume it can be null. If it really cannot, then update the parameter to be a c++ reference.
Source/WebCore/fileapi/Blob.cpp
Outdated
{ | ||
ASSERT(context); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should have the assertion, not sure what makes this a guarantee
Source/WebCore/dom/Document.cpp
Outdated
@@ -3542,7 +3542,9 @@ void Document::setURL(const URL& url) | |||
|
|||
if (SecurityOrigin::shouldIgnoreHost(newURL)) | |||
newURL.setHostAndPort({ }); | |||
m_url = WTFMove(newURL); | |||
// SecurityContext::securityOrigin may not be initialized at this time if setURL() is called in the constructor, therefore calling topOrigin() is not always safe. | |||
auto topOrigin = isTopDocument() && !SecurityContext::securityOrigin() ? SecurityOriginData::fromURL(url) : this->topOrigin().data(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if the URL is a blob URL? (which is the base we care about I believe).
I see 2 likely issues:
- SecurityOriginData::fromURL(url) likely won't be able to extra the origin from a blob URL
- Even if we addressed the first issue, how would it enforce partitioning?
Imagine this case:
- Frame from origin B (under top level origin A) creates a Blob and gets a URL for it. Then it opens a new window and uses this blob URL as URL for the popup. What's supposed to happen? I imagine the blob should have the "A / B" partitioned origin. Seems like we shouldn't be able to load this Blob in a top level popup? If so, I worry that your code here is not going to achieve this (even if we fix issue 1). Am I missing something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right, I originally used SecurityOrigin::create(url) for this but I change it in this patch, and that is wrong - we do need SecurityOrigin's logic for handling blob URLs. But, as for (2), there are two options:
- the popup has "A / B" blob partitioning (therefore has access to the blob data)
- the popup has "B" blob partitioning (therefore doesn't have access to the blob data)
I was following (2) because creating a top-level navigation with subframe partitioning was conceptually confusing and required more invasive code changes. Following (1) will provide better web compat, but I don't know how common is that use case. If you think we should use (1), then this patch will need changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think 2 makes sense. The popup would have "B" origin and thus shouldn't be able to load the blob.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, thanks. I also just remembered and realized you are missing some other context. In w3c/FileAPI#153 there is discussion about how to partition blobs, and the general agreement is that cross-origin top-level navigations to a Blob URL should enforce no-opener.
b51bd49
to
6d7ad48
Compare
EWS run on previous version of this PR (hash 6d7ad48) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
inline FetchRequest::FetchRequest(ScriptExecutionContext* context, std::optional<FetchBody>&& body, Ref<FetchHeaders>&& headers, ResourceRequest&& request, FetchOptions&& options, String&& referrer) | ||
: FetchBodyOwner(context, WTFMove(body), WTFMove(headers)) | ||
, m_request(WTFMove(request)) | ||
, m_requestURL({ m_request.url(), context->topOrigin().data() }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We shouldn't dereference context without a null check. If context really truly can't be null, then we should change the parameter type to be a ScriptExecutionContext&.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changing the parameter type seemed safe here, so I went ahead and did that.
6d7ad48
to
79f9ad0
Compare
EWS run on previous version of this PR (hash 79f9ad0) |
79f9ad0
to
c6db0fa
Compare
EWS run on previous version of this PR (hash c6db0fa) |
c6db0fa
to
54ff216
Compare
EWS run on current version of this PR (hash 54ff216) |
EWS was all green on the last run, this run is just rebasing onto |
https://bugs.webkit.org/show_bug.cgi?id=251218 rdar://104704879 Reviewed by Chris Dumez. In this patch we construct the URLKeepingBlobAlive with its associated top-level SecurityOrigin(Data). This will be helpful in a future patch where we partition the Blob registry using that top-level origin. URLKeepingBlobAlive needs this information, in particular, because it is responsible for automatically registering and unregistering its Blob URL handle - thus keeping the blob alive as long as it exists, as the class name implies. * Source/WebCore/Modules/fetch/FetchRequest.cpp: (WebCore::FetchRequest::FetchRequest): (WebCore::m_signal): (WebCore::FetchRequest::initializeWith): (WebCore::FetchRequest::create): (WebCore::FetchRequest::clone): (WebCore::FetchRequest::stop): * Source/WebCore/Modules/fetch/FetchRequest.h: (WebCore::FetchRequest::FetchRequest): Deleted. * Source/WebCore/dom/Document.cpp: (WebCore::Document::setURL): * Source/WebCore/fileapi/Blob.cpp: (WebCore::Blob::Blob): (WebCore::Blob::handle const): * Source/WebCore/fileapi/Blob.h: * Source/WebCore/fileapi/URLKeepingBlobAlive.cpp: (WebCore::URLKeepingBlobAlive::URLKeepingBlobAlive): (WebCore::URLKeepingBlobAlive::clear): (WebCore::URLKeepingBlobAlive::operator=): (WebCore::URLKeepingBlobAlive::isolatedCopy const): (WebCore::URLKeepingBlobAlive::isolatedCopy): * Source/WebCore/fileapi/URLKeepingBlobAlive.h: (WebCore::URLKeepingBlobAlive::URLKeepingBlobAlive): Deleted. (WebCore::URLKeepingBlobAlive::operator=): Deleted. * Source/WebCore/loader/NavigationScheduler.cpp: * Source/WebCore/loader/PolicyChecker.cpp: (WebCore::FrameLoader::PolicyChecker::extendBlobURLLifetimeIfNecessary const): (WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy): (WebCore::FrameLoader::PolicyChecker::checkNewWindowPolicy): * Source/WebCore/loader/PolicyChecker.h: * Source/WebCore/workers/WorkerGlobalScope.cpp: (WebCore::WorkerGlobalScope::importScripts): * Source/WebCore/workers/shared/SharedWorker.cpp: (WebCore::SharedWorker::SharedWorker): (WebCore::SharedWorker::didFinishLoading): * Source/WebCore/xml/XMLHttpRequest.cpp: (WebCore::XMLHttpRequest::open): (WebCore::XMLHttpRequest::createRequest): (WebCore::XMLHttpRequest::clearRequest): (WebCore::XMLHttpRequest::didFinishLoading): Canonical link: https://commits.webkit.org/260266@main
54ff216
to
6f0e501
Compare
Committed 260266@main (6f0e501): https://commits.webkit.org/260266@main Reviewed commits have been landed. Closing PR #9184 and removing active labels. |
6f0e501
54ff216