Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Partition Blob URL revocation by Storage Key #201

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Partition Blob URL revocation by Storage Key #201

wants to merge 4 commits into from

Conversation

recvfrom
Copy link

@recvfrom recvfrom commented Oct 25, 2024
edited by pr-preview bot
Loading

Part of the changes discussed in #153 (comment)

This updates URL.revokeObjectURL to not allow revoking a Blob URL except from contexts with the same Storage Key as the one in which the Blob URL was created. A corresponding PR will update the Fetch spec to incorporate similar Storage Key checks into Blob URL fetches.

I considered incorporating the Storage Key checks into the "resolve a blob URL" algorithm instead, but it seemed that this would require an environment settings object to be available as part of https://url.spec.whatwg.org/#url-parsing, and I'm not sure whether that is the case / a change we want.

For normative changes, the following tasks have been completed:

  • Modified Web platform tests (link to pull request)

Implementation commitment:

Preview | Diff

This was referenced Oct 25, 2024
Open
Open
@recvfrom recvfrom marked this pull request as ready for review October 28, 2024 17:11
@recvfrom recvfrom mentioned this pull request Oct 28, 2024
Open
@miketaylr
Copy link
Member

Mind taking a look @mkruisselbrink?

mkruisselbrink
mkruisselbrink reviewed Nov 20, 2024
View reviewed changes
index.bs Outdated Show resolved Hide resolved
index.bs Outdated Show resolved Hide resolved
index.bs Outdated
1. If |entry| is failure, return.
1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=environment settings object=].
1. Let |currentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with the [=current settings object=].
1. If |blobStorageKey| is not [=storage key/equal=] to |currentStorageKey|, return.
1. [=Remove an entry from the Blob URL Store=] for |url|.

Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered will silently fail.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might make sense to mention that it's not just URLs that aren't registered that would silently fail, something like (although not sure that's the best way to phrase it):

Suggested change
Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered will silently fail.
Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered, or is registered from a different storage key, will silently fail.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, I updated this (although made it a bit more verbose). WDYT?

@miketaylr
Copy link
Member

I guess we need to update spec-prod (or wait for the update to be propagated?):

  $ bikeshed update
    Bikeshed now requires Python 3.9; you are on 3.8.10.
        If you're seeing this message in your CI run, you are
        likely specifying an old OS; try `ubuntu-latest`.
        If you're seeing this on the command line, see the docs
        for instructions:
        https://speced.github.io/bikeshed/#installing
  Command `bikeshed update` failed with exit code: 1.

w3c/spec-prod#193

@mkruisselbrink
Copy link
Collaborator

I guess we need to update spec-prod (or wait for the update to be propagated?):

  $ bikeshed update
    Bikeshed now requires Python 3.9; you are on 3.8.10.
        If you're seeing this message in your CI run, you are
        likely specifying an old OS; try `ubuntu-latest`.
        If you're seeing this on the command line, see the docs
        for instructions:
        https://speced.github.io/bikeshed/#installing
  Command `bikeshed update` failed with exit code: 1.

w3c/spec-prod#193

I think #204 will fix that.

@recvfrom
Copy link
Author

Per the feedback here [1], I've updated this PR to also change how the blob URL entry's object member is exposed so that the partitioning checks can be fully contained in the FileAPI. WDYT?

[1] whatwg/fetch#1783 (comment)

annevk
annevk reviewed Nov 25, 2024
View reviewed changes
index.bs
[=map/Keys=] in the [=blob URL store=] (also known as <dfn lt="blob URL|object URL" export>blob URLs</dfn>)
are [=valid URL strings=] that when [=URL parser|parsed=]
result in a [=/URL=] with a [=url/scheme=] equal to "`blob`",
an [=empty host=], and a [=url/path=] consisting of one element itself also a [=valid URL string=].

A <dfn export>blob URL entry</dfn> is used to store an object of type {{Blob}} or {{MediaSource}}.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at this. I would continue to give a blob URL entry an object field, but just no longer export it. And then explain in a note that specifications have to use "obtain a blob object" to get hold of the object.

index.bs
To <dfn export id=blob-url-obtain-object>obtain a blob object</dfn> given a [=blob URL entry=] |blobUrlEntry|, an [=environment=] |environment|, and an optional boolean |isNavigation| (default false):

1. Let |isAuthorized| be true.
1. If |isNavigation| is false, let |isAuthorized| be the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you manipulate an initialized variable, you need to use "set ... to". See the Infra standard for more complete guidance.

index.bs
@@ -1632,12 +1658,13 @@ The <dfn method for=URL id="dfn-revokeObjectURL">revokeObjectURL(|url|)</dfn> st

1. Let |url record| be the result of [=URL parser|parsing=] |url|.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe change this to urlRecord while here? Having these as separate words is confusing with the url variable.

index.bs
1. Let |settings| be the [=current settings object=].
1. If |origin| is not [=same origin=] with |settings|'s [=environment settings object/origin=], return.
1. Let |entry| be |url record|'s [=blob URL entry=].
1. If |entry| is null, return.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

then return*

index.bs
1. Let |entry| be |url record|'s [=blob URL entry=].
1. If |entry| is null, return.
1. Let |isAuthorized| be the result of [=checking for same-partition blob URL usage=] with |entry| and the [=current settings object=].
1. If |isAuthorized| is false, return.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

then return*

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@annevk annevk annevk left review comments

@mkruisselbrink mkruisselbrink mkruisselbrink left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@recvfrom @miketaylr @mkruisselbrink @annevk