218 lines
9.7 KiB
Diff
218 lines
9.7 KiB
Diff
From: uazo <uazo@users.noreply.github.com>
|
|
Date: Tue, 20 Sep 2022 07:20:01 +0000
|
|
Subject: Partition blobs by top frame URL
|
|
|
|
Verifies that the blob was created with the same top frame URL
|
|
or, if not defined, by the same agent cluster.
|
|
|
|
Original License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html
|
|
License: GPL-3.0-only - https://spdx.org/licenses/GPL-3.0-only.html
|
|
---
|
|
storage/browser/blob/blob_url_store_impl.cc | 37 ++++++++++++++++++-
|
|
storage/browser/blob/blob_url_store_impl.h | 14 ++++++-
|
|
.../public/mojom/blob/blob_url_store.mojom | 12 ++++--
|
|
.../core/fileapi/public_url_manager.cc | 17 +++++++++
|
|
4 files changed, 75 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/storage/browser/blob/blob_url_store_impl.cc b/storage/browser/blob/blob_url_store_impl.cc
|
|
--- a/storage/browser/blob/blob_url_store_impl.cc
|
|
+++ b/storage/browser/blob/blob_url_store_impl.cc
|
|
@@ -84,6 +84,20 @@ BlobURLStoreImpl::~BlobURLStoreImpl() {
|
|
}
|
|
}
|
|
|
|
+bool BlobURLStoreImpl::IsSamePartition(
|
|
+ const GURL& blob_url,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site) {
|
|
+ const absl::optional<net::SchemefulSite>& top_level_site =
|
|
+ registry_->GetUnsafeTopLevelSite(blob_url);
|
|
+ if (top_level_site.has_value())
|
|
+ return top_level_site == unsafe_top_level_site;
|
|
+
|
|
+ absl::optional<base::UnguessableToken> agent_cluster_id =
|
|
+ registry_->GetUnsafeAgentClusterID(blob_url);
|
|
+ return agent_cluster_id == unsafe_agent_cluster_id;
|
|
+}
|
|
+
|
|
void BlobURLStoreImpl::Register(
|
|
mojo::PendingRemote<blink::mojom::Blob> blob,
|
|
const GURL& url,
|
|
@@ -114,11 +128,18 @@ void BlobURLStoreImpl::Revoke(const GURL& url) {
|
|
urls_.erase(url);
|
|
}
|
|
|
|
-void BlobURLStoreImpl::Resolve(const GURL& url, ResolveCallback callback) {
|
|
+void BlobURLStoreImpl::Resolve(const GURL& url,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site,
|
|
+ ResolveCallback callback) {
|
|
if (!registry_) {
|
|
std::move(callback).Run(mojo::NullRemote(), absl::nullopt);
|
|
return;
|
|
}
|
|
+ if (!IsSamePartition(url, unsafe_agent_cluster_id, unsafe_top_level_site)) {
|
|
+ std::move(callback).Run(mojo::NullRemote(), absl::nullopt);
|
|
+ return;
|
|
+ }
|
|
mojo::PendingRemote<blink::mojom::Blob> blob = registry_->GetBlobFromUrl(url);
|
|
std::move(callback).Run(std::move(blob),
|
|
registry_->GetUnsafeAgentClusterID(url));
|
|
@@ -127,6 +148,8 @@ void BlobURLStoreImpl::Resolve(const GURL& url, ResolveCallback callback) {
|
|
void BlobURLStoreImpl::ResolveAsURLLoaderFactory(
|
|
const GURL& url,
|
|
mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site,
|
|
ResolveAsURLLoaderFactoryCallback callback) {
|
|
if (!registry_) {
|
|
BlobURLLoaderFactory::Create(mojo::NullRemote(), url, std::move(receiver));
|
|
@@ -134,6 +157,12 @@ void BlobURLStoreImpl::ResolveAsURLLoaderFactory(
|
|
return;
|
|
}
|
|
|
|
+ if (!IsSamePartition(url, unsafe_agent_cluster_id, unsafe_top_level_site)) {
|
|
+ BlobURLLoaderFactory::Create(mojo::NullRemote(), url, std::move(receiver));
|
|
+ std::move(callback).Run(absl::nullopt, absl::nullopt);
|
|
+ return;
|
|
+ }
|
|
+
|
|
BlobURLLoaderFactory::Create(registry_->GetBlobFromUrl(url), url,
|
|
std::move(receiver));
|
|
std::move(callback).Run(registry_->GetUnsafeAgentClusterID(url),
|
|
@@ -143,11 +172,17 @@ void BlobURLStoreImpl::ResolveAsURLLoaderFactory(
|
|
void BlobURLStoreImpl::ResolveForNavigation(
|
|
const GURL& url,
|
|
mojo::PendingReceiver<blink::mojom::BlobURLToken> token,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site,
|
|
ResolveForNavigationCallback callback) {
|
|
if (!registry_) {
|
|
std::move(callback).Run(absl::nullopt);
|
|
return;
|
|
}
|
|
+ if (!IsSamePartition(url, unsafe_agent_cluster_id, unsafe_top_level_site)) {
|
|
+ std::move(callback).Run(absl::nullopt);
|
|
+ return;
|
|
+ }
|
|
mojo::PendingRemote<blink::mojom::Blob> blob = registry_->GetBlobFromUrl(url);
|
|
if (!blob) {
|
|
std::move(callback).Run(absl::nullopt);
|
|
diff --git a/storage/browser/blob/blob_url_store_impl.h b/storage/browser/blob/blob_url_store_impl.h
|
|
--- a/storage/browser/blob/blob_url_store_impl.h
|
|
+++ b/storage/browser/blob/blob_url_store_impl.h
|
|
@@ -42,14 +42,21 @@ class COMPONENT_EXPORT(STORAGE_BROWSER) BlobURLStoreImpl
|
|
const absl::optional<net::SchemefulSite>& unsafe_top_level_site,
|
|
RegisterCallback callback) override;
|
|
void Revoke(const GURL& url) override;
|
|
- void Resolve(const GURL& url, ResolveCallback callback) override;
|
|
+ void Resolve(const GURL& url,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site,
|
|
+ ResolveCallback callback) override;
|
|
void ResolveAsURLLoaderFactory(
|
|
const GURL& url,
|
|
mojo::PendingReceiver<network::mojom::URLLoaderFactory> receiver,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site,
|
|
ResolveAsURLLoaderFactoryCallback callback) override;
|
|
void ResolveForNavigation(
|
|
const GURL& url,
|
|
mojo::PendingReceiver<blink::mojom::BlobURLToken> token,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site,
|
|
ResolveForNavigationCallback callback) override;
|
|
|
|
private:
|
|
@@ -59,6 +66,11 @@ class COMPONENT_EXPORT(STORAGE_BROWSER) BlobURLStoreImpl
|
|
// `Revoke()`.
|
|
bool BlobUrlIsValid(const GURL& url, const char* method) const;
|
|
|
|
+ bool IsSamePartition(
|
|
+ const GURL& blob_url,
|
|
+ const base::UnguessableToken& unsafe_agent_cluster_id,
|
|
+ const absl::optional<net::SchemefulSite>& unsafe_top_level_site);
|
|
+
|
|
const blink::StorageKey storage_key_;
|
|
|
|
base::WeakPtr<BlobUrlRegistry> registry_;
|
|
diff --git a/third_party/blink/public/mojom/blob/blob_url_store.mojom b/third_party/blink/public/mojom/blob/blob_url_store.mojom
|
|
--- a/third_party/blink/public/mojom/blob/blob_url_store.mojom
|
|
+++ b/third_party/blink/public/mojom/blob/blob_url_store.mojom
|
|
@@ -33,7 +33,9 @@ interface BlobURLStore {
|
|
Revoke(url.mojom.Url url);
|
|
|
|
// Resolves a public Blob URL.
|
|
- Resolve(url.mojom.Url url) => (
|
|
+ Resolve(url.mojom.Url url,
|
|
+ mojo_base.mojom.UnguessableToken unsafe_agent_cluster_id,
|
|
+ network.mojom.SchemefulSite? unsafe_top_level_site) => (
|
|
pending_remote<blink.mojom.Blob>? blob,
|
|
// TODO(https://crbug.com/1224926): Remove this once experiment is over.
|
|
mojo_base.mojom.UnguessableToken? unsafe_agent_cluster_id);
|
|
@@ -47,7 +49,9 @@ interface BlobURLStore {
|
|
// both the blob URL and all other references to the blob have been dropped.
|
|
ResolveAsURLLoaderFactory(
|
|
url.mojom.Url url,
|
|
- pending_receiver<network.mojom.URLLoaderFactory> factory) => (
|
|
+ pending_receiver<network.mojom.URLLoaderFactory> factory,
|
|
+ mojo_base.mojom.UnguessableToken unsafe_agent_cluster_id,
|
|
+ network.mojom.SchemefulSite? unsafe_top_level_site) => (
|
|
// TODO(https://crbug.com/1224926): Remove these once experiment is over.
|
|
mojo_base.mojom.UnguessableToken? unsafe_agent_cluster_id,
|
|
network.mojom.SchemefulSite? unsafe_top_level_site);
|
|
@@ -57,7 +61,9 @@ interface BlobURLStore {
|
|
// refer to, even after the URL is revoked.
|
|
// As long as the token is alive, the resolved blob will also be kept alive.
|
|
ResolveForNavigation(url.mojom.Url url,
|
|
- pending_receiver<BlobURLToken> token) => (
|
|
+ pending_receiver<BlobURLToken> token,
|
|
+ mojo_base.mojom.UnguessableToken unsafe_agent_cluster_id,
|
|
+ network.mojom.SchemefulSite? unsafe_top_level_site) => (
|
|
// TODO(https://crbug.com/1224926): Remove this once experiment is over.
|
|
mojo_base.mojom.UnguessableToken? unsafe_agent_cluster_id);
|
|
};
|
|
diff --git a/third_party/blink/renderer/core/fileapi/public_url_manager.cc b/third_party/blink/renderer/core/fileapi/public_url_manager.cc
|
|
--- a/third_party/blink/renderer/core/fileapi/public_url_manager.cc
|
|
+++ b/third_party/blink/renderer/core/fileapi/public_url_manager.cc
|
|
@@ -64,6 +64,21 @@ static void RemoveFromNullOriginMapIfNecessary(const KURL& blob_url) {
|
|
BlobURLNullOriginMap::GetInstance()->Remove(blob_url);
|
|
}
|
|
|
|
+static absl::optional<BlinkSchemefulSite> GetInsecureTopLevelSite(
|
|
+ ExecutionContext* execution_context) {
|
|
+ absl::optional<BlinkSchemefulSite> top_level_site;
|
|
+ if (execution_context->IsWindow()) {
|
|
+ auto* window = To<LocalDOMWindow>(execution_context);
|
|
+ if (window->top() && window->top()->GetFrame()) {
|
|
+ top_level_site = BlinkSchemefulSite(window->top()
|
|
+ ->GetFrame()
|
|
+ ->GetSecurityContext()
|
|
+ ->GetSecurityOrigin());
|
|
+ }
|
|
+ }
|
|
+ return top_level_site;
|
|
+}
|
|
+
|
|
} // namespace
|
|
|
|
// Execution context names corresponding to the entries from
|
|
@@ -300,6 +315,7 @@ void PublicURLManager::Resolve(
|
|
|
|
GetBlobURLStore().ResolveAsURLLoaderFactory(
|
|
url, std::move(factory_receiver),
|
|
+ GetExecutionContext()->GetAgentClusterID(), GetInsecureTopLevelSite(GetExecutionContext()),
|
|
WTF::BindOnce(metrics_callback, WrapPersistent(GetExecutionContext())));
|
|
}
|
|
|
|
@@ -323,6 +339,7 @@ void PublicURLManager::Resolve(
|
|
|
|
GetBlobURLStore().ResolveForNavigation(
|
|
url, std::move(token_receiver),
|
|
+ GetExecutionContext()->GetAgentClusterID(), GetInsecureTopLevelSite(GetExecutionContext()),
|
|
WTF::BindOnce(metrics_callback, WrapPersistent(GetExecutionContext())));
|
|
}
|
|
|
|
--
|
|
2.25.1
|