From b988256940387ee32c538864bcd998b2cf9e01fa Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Fri, 25 Oct 2024 15:46:17 -0400 Subject: [PATCH 1/9] Partition Blob URL revocation --- index.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index 8477cc4..dbd213e 100644 --- a/index.bs +++ b/index.bs @@ -1570,7 +1570,7 @@ run the following steps: ## Dereferencing Model for blob URLs ## {#requestResponseModel}
-To resolve a blob URL given a [=URL=] |url|: +To resolve a blob URL given a [=URL=] |url|: 1. [=Assert=]: |url|'s [=url/scheme=] is "`blob`". 1. Let |store| be the user agent's [=blob URL store=]. @@ -1630,11 +1630,11 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
The revokeObjectURL(|url|) static method must run these steps: -1. Let |url record| be the result of [=URL parser|parsing=] |url|. -1. If |url record|'s [=url/scheme=] is not "`blob`", return. -1. Let |origin| be the [=url/origin=] of |url record|. -1. Let |settings| be the [=current settings object=]. -1. If |origin| is not [=same origin=] with |settings|'s [=environment settings object/origin=], return. +1. 1. Let |entry| be the result of [=resolving the blob URL=] |url|. +1. If |entry| is failure, return. +1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=environment settings object=]. +1. Let |currentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with the [=current settings object=]. +1. If |blobStorageKey| is not [=storage key/equal=] to |currentStorageKey|, return. 1. [=Remove an entry from the Blob URL Store=] for |url|. Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered will silently fail. From bb24acaab79dfa8ca28d46076f5f7714d034782c Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Fri, 25 Oct 2024 16:16:01 -0400 Subject: [PATCH 2/9] Fix duplicate list numbering --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index dbd213e..2067780 100644 --- a/index.bs +++ b/index.bs @@ -1630,7 +1630,7 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
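Review bot: in the PATCH 1/9 hunk at @@ -1630 the new first step hands the raw |url| string straight to [=resolving the blob URL=], whose first step (visible in the @@ -1570 hunk above) is an assertion that the input's [=url/scheme=] is "`blob`"; with the removed parse and scheme check gone, a caller passing a non-blob or unparseable string now hits an assert instead of returning early, so keep "Let |url record| be the result of parsing |url|" and the scheme check ahead of the resolve call. In the same hunk "|entry|'s [=environment settings object=]" links to the generic HTML term rather than to the entry's own environment member (the definition in the later @@ -1512 hunk names it "an environment"), so reference that member instead. The doubled list marker in "+1. 1. Let |entry| be…" will also render as a nested list.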
The revokeObjectURL(|url|) static method must run these steps: -1. 1. Let |entry| be the result of [=resolving the blob URL=] |url|. +1. Let |entry| be the result of [=resolving the blob URL=] |url|. 1. If |entry| is failure, return. 1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=environment settings object=]. 1. Let |currentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with the [=current settings object=]. From c97d7f90f2bcc13fa1b60af1e3669868c3d0eadb Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Fri, 22 Nov 2024 05:08:58 +0000 Subject: [PATCH 3/9] Address review feedback --- index.bs | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/index.bs b/index.bs index 2067780..d55cd4f 100644 --- a/index.bs +++ b/index.bs @@ -1570,7 +1570,7 @@ run the following steps: ## Dereferencing Model for blob URLs ## {#requestResponseModel}
-To resolve a blob URL given a [=URL=] |url|: +To resolve a blob URL given a [=URL=] |url|: 1. [=Assert=]: |url|'s [=url/scheme=] is "`blob`". 1. Let |store| be the user agent's [=blob URL store=]. @@ -1630,14 +1630,15 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
The revokeObjectURL(|url|) static method must run these steps: -1. Let |entry| be the result of [=resolving the blob URL=] |url|. -1. If |entry| is failure, return. -1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=environment settings object=]. +1. Let |url record| be the result of [=URL parser|parsing=] |url|. +1. If |url record|'s [=url/scheme=] is not "`blob`", return. +1. Let |entry| be |url record|'s [=blob URL entry=]. +1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=blob URL entry/environment=]. 1. Let |currentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with the [=current settings object=]. 1. If |blobStorageKey| is not [=storage key/equal=] to |currentStorageKey|, return. 1. [=Remove an entry from the Blob URL Store=] for |url|. -Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered will silently fail. +Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered or that was registered from an environment with a different storage key will silently fail. User agents might display a message on the error console if this happens. Note: Attempts to dereference |url| after it has been revoked will result in a [=network error=]. From fd3d0f89880fd0be6f2398b462a90704e3a2773f Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Mon, 25 Nov 2024 04:20:08 +0000 Subject: [PATCH 4/9] Move partitioning checks into FileAPI --- index.bs | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/index.bs b/index.bs index d55cd4f..9296f88 100644 --- a/index.bs +++ b/index.bs 
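Review bot: in the PATCH 3/9 hunk at @@ -1630 the step "Let |entry| be |url record|'s [=blob URL entry=]" is followed directly by a read of |entry|'s [=blob URL entry/environment=], but nothing guarantees the URL record carries an entry, and the old "If |entry| is failure, return." guard was dropped in the same hunk; add "If |entry| is null, return." before obtaining the storage key (PATCH 4/9 adds exactly this check). The reworded Note now correctly describes the cross-partition case as a silent no-op, which is the right behaviour for a revocation API, since returning an error would let a caller probe whether a blob URL from another partition exists.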
@@ -1512,15 +1512,25 @@ A [=blob URL store=] is a [=map=] where [=map/keys=] are [=valid URL strings=] and [=map/values=] are [=blob URL Entries=]. -A blob URL entry consists of -an object (of type {{Blob}} or {{MediaSource}}), -and an environment (an [=environment settings object=]). - [=map/Keys=] in the [=blob URL store=] (also known as blob URLs) are [=valid URL strings=] that when [=URL parser|parsed=] result in a [=/URL=] with a [=url/scheme=] equal to "`blob`", an [=empty host=], and a [=url/path=] consisting of one element itself also a [=valid URL string=]. +A blob URL entry is used to store an object of type {{Blob}} or {{MediaSource}}. + +A [=blob URL entry=] has an environment (an [=environment settings object=]). + +
+To obtain a blob object given a [=blob URL entry=] |blobUrlEntry|, an [=environment=] |environment|, and an optional boolean |isNavigation| (default false): + +1. Let |isAuthorized| be true. +1. If |isNavigation| is false, let |isAuthorized| be the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. +1. If |isAuthorized| is false, then return failure. +1. Return |blobUrlEntry|'s object. + +
+
To generate a new blob URL, run the following steps: @@ -1595,6 +1605,22 @@ as the serialization of the origin of the environment that created the blob URL, but for opaque origins the origin itself might be distinct. This difference isn't observable though, since a revoked blob URL can't be resolved/fetched anymore anyway. +### Access restrictions on blob URLs ### {#partitioningOfBlobUrls} + +Blob URLs can only be fetched from environments where the [=storage key=] matches that of +the environment where the blob URL was created. blob URL navigations are not subject +to this restriction. + +
+To check for same-partition blob URL usage given a [=blob URL entry=] |blobUrlEntry| and an [=environment=] |environment|: + +1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |blobUrlEntry|'s [=blob URL entry/environment=]. +1. Let |environmentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |environment|. +1. If |blobStorageKey| is not [=storage key/equal=] to |environmentStorageKey|, then return false. +1. Otherwise, return true. + +
+

Lifetime of blob URLs

This specification extends the [=unloading document cleanup steps=] with the following steps: @@ -1633,12 +1659,12 @@ The revokeObjectURL(|url|) st 1. Let |url record| be the result of [=URL parser|parsing=] |url|. 1. If |url record|'s [=url/scheme=] is not "`blob`", return. 1. Let |entry| be |url record|'s [=blob URL entry=]. -1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |entry|'s [=blob URL entry/environment=]. -1. Let |currentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with the [=current settings object=]. -1. If |blobStorageKey| is not [=storage key/equal=] to |currentStorageKey|, return. +1. If |entry| is null, return. +1. Let |isAuthorized| be the result of [=checking for same-partition blob URL usage=] with |entry| and the [=current settings object=]. +1. If |isAuthorized| is false, return. 1. [=Remove an entry from the Blob URL Store=] for |url|. -Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered or that was registered from an environment with a different storage key will silently fail. +Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered or that was registered from an environment in a different storage partition will silently fail. User agents might display a message on the error console if this happens. Note: Attempts to dereference |url| after it has been revoked will result in a [=network error=]. From 8b57aeac72e1593dc3578fab66ce55c85b46116f Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Thu, 28 Nov 2024 18:14:54 +0000 Subject: [PATCH 5/9] Address review feedback --- index.bs | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/index.bs b/index.bs index 9296f88..e335238 100644 --- a/index.bs +++ b/index.bs 
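Review bot: in the PATCH 4/9 hunk at @@ -1512, [=obtain a blob object=] runs the partition check only when a caller-supplied |isNavigation| boolean is false, so whether the storage-key comparison happens at all is decided by each caller rather than by this algorithm; the new "Access restrictions on blob URLs" section in the @@ -1595 hunk should state which callers are expected to pass true and that every other caller passes its [=environment=] and gets the check, because a caller that passes true by mistake silently disables the restriction. The same hunk splits the old single definition into "A blob URL entry is used to store an object…" and "A [=blob URL entry=] has an environment…", which drops the object as a named member, so the step "Return |blobUrlEntry|'s object" has no definition to link to; keep the object as a defined field alongside the environment (later patches in this series restore "consists of an object … and an environment"). Minor, in the @@ -1595 hunk: "blob URL navigations" opens a sentence and should be capitalised.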
@@ -1512,20 +1512,25 @@ A [=blob URL store=] is a [=map=] where [=map/keys=] are [=valid URL strings=] and [=map/values=] are [=blob URL Entries=]. +A blob URL entry consists of an object (of type {{Blob}} or +{{MediaSource}}), and an environment (an +[=environment settings object=]). + +Note: Specifications must use the [=obtain a blob object=] algorithm to access a +[=blob URL entry=]'s object. + [=map/Keys=] in the [=blob URL store=] (also known as blob URLs) are [=valid URL strings=] that when [=URL parser|parsed=] result in a [=/URL=] with a [=url/scheme=] equal to "`blob`", an [=empty host=], and a [=url/path=] consisting of one element itself also a [=valid URL string=]. -A blob URL entry is used to store an object of type {{Blob}} or {{MediaSource}}. - -A [=blob URL entry=] has an environment (an [=environment settings object=]). -
-To obtain a blob object given a [=blob URL entry=] |blobUrlEntry|, an [=environment=] |environment|, and an optional boolean |isNavigation| (default false): +To obtain a blob object given a [=blob URL entry=] +|blobUrlEntry|, an [=environment=] or the string "`navigation`" |environment|: 1. Let |isAuthorized| be true. -1. If |isNavigation| is false, let |isAuthorized| be the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. +1. If |environment| is not the string "`navigation`", then set |isAuthorized| to the result of +[=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. 1. If |isAuthorized| is false, then return failure. 1. Return |blobUrlEntry|'s object. @@ -1656,12 +1661,12 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
The revokeObjectURL(|url|) static method must run these steps: -1. Let |url record| be the result of [=URL parser|parsing=] |url|. -1. If |url record|'s [=url/scheme=] is not "`blob`", return. -1. Let |entry| be |url record|'s [=blob URL entry=]. -1. If |entry| is null, return. +1. Let |urlRecord| be the result of [=URL parser|parsing=] |url|. +1. If |urlRecord|'s [=url/scheme=] is not "`blob`", return. +1. Let |entry| be |urlRecord|'s [=blob URL entry=]. +1. If |entry| is null, then return. 1. Let |isAuthorized| be the result of [=checking for same-partition blob URL usage=] with |entry| and the [=current settings object=]. -1. If |isAuthorized| is false, return. +1. If |isAuthorized| is false, then return. 1. [=Remove an entry from the Blob URL Store=] for |url|. Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered or that was registered from an environment in a different storage partition will silently fail. From 15e817a1c10e10224662e4bd80de0f852bde1424 Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Thu, 28 Nov 2024 18:25:50 +0000 Subject: [PATCH 6/9] Fix build issue --- index.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.bs b/index.bs index e335238..7a0fe21 100644 --- a/index.bs +++ b/index.bs @@ -1529,8 +1529,7 @@ To obtain a blob object given a [=bl |blobUrlEntry|, an [=environment=] or the string "`navigation`" |environment|: 1. Let |isAuthorized| be true. -1. If |environment| is not the string "`navigation`", then set |isAuthorized| to the result of -[=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. +1. If |environment| is not the string "`navigation`", then set |isAuthorized| to the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. 1. If |isAuthorized| is false, then return failure. 1. Return |blobUrlEntry|'s object. 
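Review bot: in the PATCH 5/9 hunk at @@ -1512 the parameter is typed as "an [=environment=] or the string "`navigation`"", yet that value is forwarded to [=checking for same-partition blob URL usage=], which hands it to [=obtaining a storage key for non-storage purposes=], an operation the revokeObjectURL steps in the @@ -1656 hunk invoke with the [=current settings object=]; type the parameter as an [=environment settings object=] so both call sites agree (PATCH 7/9 makes that change). The added "Note: Specifications must use the [=obtain a blob object=] algorithm…" places a "must" requirement inside a non-normative Note; either reword it non-normatively (as PATCH 8/9 does) or move the requirement into normative text, since routing every access through this algorithm is what makes the partition check effective. The step wrapped across two lines in this hunk ("…to the result of" / "[=checking for…") is what breaks the build that PATCH 6/9 repairs by rejoining it, so keep each list step on one line.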
From 7b3d9d8f49f7bac38757316c3efa23bad0a5fbc3 Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Thu, 28 Nov 2024 18:29:05 +0000 Subject: [PATCH 7/9] use "Environment Settings Object" instead of "Environment" --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 7a0fe21..7c80675 100644 --- a/index.bs +++ b/index.bs @@ -1526,7 +1526,7 @@ an [=empty host=], and a [=url/path=] consisting of one element itself also a [=
To obtain a blob object given a [=blob URL entry=] -|blobUrlEntry|, an [=environment=] or the string "`navigation`" |environment|: +|blobUrlEntry|, an [=environment settings object=] or the string "`navigation`" |environment|: 1. Let |isAuthorized| be true. 1. If |environment| is not the string "`navigation`", then set |isAuthorized| to the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. @@ -1616,7 +1616,7 @@ the environment where the blob URL was created. blob URL navigatio to this restriction.
-To check for same-partition blob URL usage given a [=blob URL entry=] |blobUrlEntry| and an [=environment=] |environment|: +To check for same-partition blob URL usage given a [=blob URL entry=] |blobUrlEntry| and an [=environment settings object=] |environment|: 1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |blobUrlEntry|'s [=blob URL entry/environment=]. 1. Let |environmentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |environment|. From 7cac8600b44c5155ca0f3380f5c04d4c644550a4 Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Wed, 4 Dec 2024 05:18:37 +0000 Subject: [PATCH 8/9] Address review feedback --- index.bs | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/index.bs b/index.bs index 7c80675..0a301b7 100644 --- a/index.bs +++ b/index.bs @@ -1512,12 +1512,12 @@ A [=blob URL store=] is a [=map=] where [=map/keys=] are [=valid URL strings=] and [=map/values=] are [=blob URL Entries=]. -A blob URL entry consists of an object (of type {{Blob}} or -{{MediaSource}}), and an environment (an +A blob URL entry consists of an object (of type +{{Blob}} or {{MediaSource}}), and an environment (an [=environment settings object=]). -Note: Specifications must use the [=obtain a blob object=] algorithm to access a -[=blob URL entry=]'s object. +Note: Specifications have to use the [=obtain a blob object=] algorithm to access a +[=blob URL entry=]'s [=blob URL entry/object=]. [=map/Keys=] in the [=blob URL store=] (also known as blob URLs) are [=valid URL strings=] that when [=URL parser|parsed=] 
@@ -1531,7 +1531,7 @@ To obtain a blob object given a [=bl 1. Let |isAuthorized| be true. 1. If |environment| is not the string "`navigation`", then set |isAuthorized| to the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. 1. If |isAuthorized| is false, then return failure. -1. Return |blobUrlEntry|'s object. +1. Return |blobUrlEntry|'s [=blob URL entry/object=].
@@ -1612,7 +1612,7 @@ observable though, since a revoked blob URL can't be resolved/fetched anymore an ### Access restrictions on blob URLs ### {#partitioningOfBlobUrls} Blob URLs can only be fetched from environments where the [=storage key=] matches that of -the environment where the blob URL was created. blob URL navigations are not subject +the environment where the blob URL was created. Blob URL navigations are not subject to this restriction.
@@ -1621,7 +1621,7 @@ To check for same-partition blob URL usa 1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |blobUrlEntry|'s [=blob URL entry/environment=]. 1. Let |environmentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |environment|. 1. If |blobStorageKey| is not [=storage key/equal=] to |environmentStorageKey|, then return false. -1. Otherwise, return true. +1. Return true.
From 5a9047cb8bbcb7a1474dfa70d18e54cac650850d Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Wed, 4 Dec 2024 05:29:12 +0000 Subject: [PATCH 9/9] Define return types for new algs; don't export partition check --- index.bs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 0a301b7..0859469 100644 --- a/index.bs +++ b/index.bs @@ -1526,7 +1526,8 @@ an [=empty host=], and a [=url/path=] consisting of one element itself also a [=
To obtain a blob object given a [=blob URL entry=] -|blobUrlEntry|, an [=environment settings object=] or the string "`navigation`" |environment|: +|blobUrlEntry| and an [=environment settings object=] or the string "`navigation`" |environment|, +perform the following steps. They return an [=blob URL entry/object=]. 1. Let |isAuthorized| be true. 1. If |environment| is not the string "`navigation`", then set |isAuthorized| to the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. @@ -1616,7 +1617,7 @@ the environment where the blob URL was created. Blob URL navigatio to this restriction.
-To check for same-partition blob URL usage given a [=blob URL entry=] |blobUrlEntry| and an [=environment settings object=] |environment|: +To check for same-partition blob URL usage given a [=blob URL entry=] |blobUrlEntry| and an [=environment settings object=] |environment|, perform the following steps. They return a boolean. 1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |blobUrlEntry|'s [=blob URL entry/environment=]. 1. Let |environmentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |environment|.
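Review bot: in the PATCH 9/9 hunk at @@ -1526 the new return-type sentence "They return an [=blob URL entry/object=]." is incomplete, because the algorithm's third step ("If |isAuthorized| is false, then return failure.") also returns failure; write "They return a [=blob URL entry/object=] or failure." so callers know they have to handle the failure case (and "an" before "blob" should be "a"). The @@ -1616 hunk's "They return a boolean." matches the check algorithm's two return steps and needs no change.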