Re: [w3c/FileAPI] Partition Blob URL revocation by Storage Key (PR #201) from Marijn Kruisselbrink on 2024-11-20 (public-webapps-github@w3.org from November 2024)

From: Marijn Kruisselbrink <notifications@github.com>
Date: Wed, 20 Nov 2024 13:03:55 -0800
To: w3c/FileAPI <FileAPI@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/FileAPI/pull/201/review/2449682288@github.com>
@mkruisselbrink commented on this pull request.



> @@ -1630,11 +1630,11 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
 <div algorithm="revokeObjectURL">
 The <dfn method for=URL id="dfn-revokeObjectURL">revokeObjectURL(|url|)</dfn> static method must run these steps:
 
-1. Let |url record| be the result of [=URL parser|parsing=] |url|.
-1. If |url record|'s [=url/scheme=] is not "`blob`", return.
-1. Let |origin| be the [=url/origin=] of |url record|.
-1. Let |settings| be the [=current settings object=].
-1. If |origin| is not [=same origin=] with |settings|'s [=environment settings object/origin=], return.
+1. Let |entry| be the result of [=resolving the blob URL=] |url|.

url is a string, while the "resolving the blob URL" algorithm expects it to be a parsed URL struct. Furthermore, the resolve algorithm asserts that the url has the correct scheme, while you've removed that check from this algorithm, violating that invariant.

> @@ -1630,11 +1630,11 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
 <div algorithm="revokeObjectURL">
 The <dfn method for=URL id="dfn-revokeObjectURL">revokeObjectURL(|url|)</dfn> static method must run these steps:
 
-1. Let |url record| be the result of [=URL parser|parsing=] |url|.
-1. If |url record|'s [=url/scheme=] is not "`blob`", return.
-1. Let |origin| be the [=url/origin=] of |url record|.
-1. Let |settings| be the [=current settings object=].
-1. If |origin| is not [=same origin=] with |settings|'s [=environment settings object/origin=], return.
+1. Let |entry| be the result of [=resolving the blob URL=] |url|.
+1. If |entry| is failure, return.
+1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=environment settings object=].

```suggestion
1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=blob URL entry/environment=].
```

> @@ -1630,11 +1630,11 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
 <div algorithm="revokeObjectURL">
 The <dfn method for=URL id="dfn-revokeObjectURL">revokeObjectURL(|url|)</dfn> static method must run these steps:
 
-1. Let |url record| be the result of [=URL parser|parsing=] |url|.
-1. If |url record|'s [=url/scheme=] is not "`blob`", return.
-1. Let |origin| be the [=url/origin=] of |url record|.
-1. Let |settings| be the [=current settings object=].
-1. If |origin| is not [=same origin=] with |settings|'s [=environment settings object/origin=], return.
+1. Let |entry| be the result of [=resolving the blob URL=] |url|.
+1. If |entry| is failure, return.
+1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=environment settings object=].
+1. Let |currentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with the [=current settings object=].
+1. If |blobStorageKey| is not [=storage key/equal=] to |currentStorageKey|, return.
 1. [=Remove an entry from the Blob URL Store=] for |url|.
 
 Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered will silently fail.

Might make sense to mention that it's not just URLs that aren't registered that would silently fail, something like (although not sure that's the best way to phrase it):

```suggestion
Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered, or is registered from a different storage key, will silently fail.
```

> @@ -1630,11 +1630,11 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
 <div algorithm="revokeObjectURL">
 The <dfn method for=URL id="dfn-revokeObjectURL">revokeObjectURL(|url|)</dfn> static method must run these steps:
 
-1. Let |url record| be the result of [=URL parser|parsing=] |url|.
-1. If |url record|'s [=url/scheme=] is not "`blob`", return.
-1. Let |origin| be the [=url/origin=] of |url record|.
-1. Let |settings| be the [=current settings object=].
-1. If |origin| is not [=same origin=] with |settings|'s [=environment settings object/origin=], return.
+1. Let |entry| be the result of [=resolving the blob URL=] |url|.

Also it seems like you don't need to explicitly invoke resolve the blob URL, rather keep the old algorithm and reference `|url record|'s blob URL entry` would get you the entry you need already?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/FileAPI/pull/201#pullrequestreview-2449682288
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/FileAPI/pull/201/review/2449682288@github.com>
Received on Wednesday, 20 November 2024 21:03:58 UTC