Re: Blob URL Origin

On Jun 10, 2014, at 2:57 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jun 10, 2014 at 12:16 AM, Arun Ranganathan <arun@mozilla.com> wrote:
>> Right now, the Blob URL Store is defined in terms of units of similar-origin browsing contexts; each unit is required to have a Blob URL Store. As you point out, that allows all origins within document.domain access to a given Blob URL Store.
> 
> Yeah, so unlike what the discussion claimed thus far, we did not in
> fact allow that much cross-origin blob URL usage. Only origins within
> the document.domain reach.
> 
> 
>> 1. Require that entries in the Blob URL Store also store origin
> 
> I thought this was the idea. The "identifier" would be
> "http://someorigin:70/uuid".


Yes; there was some discussion about tuples vs. strings on IRC, but I think one leads to the other, and we can define how to extract the origin from a parsed Blob URL in terms of another use of the URL Parser instead of string parsing.


> 
>> 2. Define it strictly as a same-origin store. I’m a bit fuzzy on how exactly to define this; for instance, strictly the origin and not the effective script origin of a Document?
> 
> We could say that the store is bound to a global object. And then both
> URL.createObjectURL() and places that parse URLs hook into the entry
> setting object's global object's blob URL store.
> 
> At that point the only benefit of putting the origin into the URL is
> so that new URL(blob).origin works.


This seems right; I think it would be rare that a developer would need to check origin, but it’s been pointed out that there are some use cases for that. It seems better to introduce a method that doesn’t require creating a new object, but I don’t feel strongly about it.


> Something that is still unclear to me is what happens when you
> navigate to a blob URL. I guess that still technically works as the
> URL parsing would happen within the correct global.


If URL parsing doesn’t occur within the correct global, a network error will be the result, since there won’t be a corresponding entry in the Blob URL store that matches the identifier. So I think this sounds workable.

— A*

Received on Thursday, 12 June 2014 13:36:21 UTC
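
The per-global store behaviour discussed in this message, modelled as an added JavaScript example (not code from the thread or from any specification). The Global class, its resolve() method, blobOrigin() and the counter-based identifiers are hypothetical stand-ins, and the origins are constructed sample values.

```javascript
// Added model of the proposal in this thread; Global, resolve() and blobOrigin()
// are hypothetical names, not browser or spec APIs.
class Global {
  constructor(origin) {
    this.origin = origin;      // origin of this global, e.g. "http://someorigin:70"
    this.store = new Map();    // blob URL store bound to this global only
    this.nextId = 0;
  }

  // Stand-in for URL.createObjectURL(): the identifier carries the origin.
  createObjectURL(blob) {
    const url = `blob:${this.origin}/id-${++this.nextId}`; // counter replaces a UUID
    this.store.set(url, blob);
    return url;
  }

  // Stand-in for fetching or navigating: the URL is parsed in this global,
  // so only this global's store is consulted.
  resolve(url) {
    const parsed = new URL(url);
    if (parsed.protocol !== "blob:") throw new TypeError("not a blob URL");
    if (!this.store.has(parsed.href)) return { type: "network error" };
    return { type: "ok", body: this.store.get(parsed.href) };
  }
}

// Origin recovered with the URL parser rather than by string slicing.
function blobOrigin(url) {
  return new URL(url).origin;
}

function demo() {
  const a = new Global("http://someorigin:70");   // constructed sample origins
  const b = new Global("http://otherorigin:70");
  const url = a.createObjectURL("constructed blob body");
  return {
    url,
    origin: blobOrigin(url),
    sameGlobal: a.resolve(url),
    otherGlobal: b.resolve(url),
  };
}

console.log(demo());
```

The URL parses to the creating origin from any global, but only the creating global finds a store entry for it; every other global gets a network error.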