
Should Blob URLs created in data URLs in secure contexts be potentially trustworthy? #99

Open

johnathan79717 opened this issue Mar 31, 2023 · 1 comment

@johnathan79717

Let's say there's a worker created from a data: URL in a secure context. That worker creates a blob: URL and tries to create a nested worker out of that URL. Should that be blocked as mixed content? In other words, should the blob: URL be considered potentially trustworthy?

From the data worker: postMessaging to a dedicated blob sub-worker allows them to see each others' modifications test in [1], Firefox doesn't block the above as mixed content, but other browsers do.

I think the current spec says the blob: URL is not trustworthy, because [2] says

Note: The origin of `blob:` URLs is the origin of the context in which they were created. Therefore, blobs created in a trustworthy origin will themselves be potentially trustworthy.

Since workers created from a data: URL have a unique opaque origin [3], and opaque origins are not trustworthy [4], this blob: URL should not be considered potentially trustworthy.

However, since this blob is created in a secure context, and blob objects are immutable, it feels like we should be able to trust this URL to deliver data securely. Should we consider updating the spec to make blob: URLs potentially trustworthy if their creator context is secure?

[1] https://wpt.fyi/results/html/infrastructure/safe-passing-of-structured-data/shared-array-buffers/blob-data.https.html?label=master&label=experimental&aligned&q=html%2Finfrastructure%2Fsafe-passing-of-structured-data%2Fshared-array-buffers%2Fblob-data.https.html
[2] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
[3] https://html.spec.whatwg.org/multipage/workers.html#set-up-a-worker-environment-settings-object
[4] https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
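The reasoning above can be checked by walking the two Secure Contexts algorithms the references point to. The following is an added example written for this page, not code from the issue, the spec editors, or any browser: it models "Is origin potentially trustworthy?" and "Is url potentially trustworthy?" in plain JavaScript and applies them to the nested-worker scenario. Assumptions made here: an origin is represented as `null` (opaque) or `{ scheme, host }`; for `blob:` URLs the caller supplies the creator context's origin, standing in for the blob URL entry's environment origin; the UA-configurable steps (authenticated schemes, user-configured trustworthy origins) are not modelled; `example.com` and the blob UUID are placeholders.

```javascript
// Model of the Secure Contexts trustworthiness algorithms (added example).
// An origin is null (opaque origin) or { scheme, host }. Uses the global WHATWG URL class.

// Origin of a parsed URL. For blob: URLs the spec uses the blob URL entry's
// environment origin, i.e. the origin of the context that called
// URL.createObjectURL(); the caller passes that as creatorOrigin. Without an
// entry, the path is parsed as a URL and its origin is used if it is http/https/file.
function originOf(url, creatorOrigin = undefined) {
  const scheme = url.protocol.slice(0, -1);
  if (['http', 'https', 'ws', 'wss', 'file'].includes(scheme)) {
    return { scheme, host: url.hostname };
  }
  if (scheme === 'blob') {
    if (creatorOrigin !== undefined) return creatorOrigin;
    try {
      const inner = new URL(url.pathname);
      const innerScheme = inner.protocol.slice(0, -1);
      return ['http', 'https', 'file'].includes(innerScheme) ? originOf(inner) : null;
    } catch {
      return null; // path is not parseable as a URL: opaque origin
    }
  }
  return null; // data:, about:, javascript: and unknown schemes: opaque origin
}

// "Is origin potentially trustworthy?" (steps 7 and 8 are UA-specific and omitted).
function isOriginPotentiallyTrustworthy(origin) {
  if (origin === null) return false;                                     // 1: opaque origin
  if (origin.scheme === 'https' || origin.scheme === 'wss') return true; // 3
  const host = origin.host;
  if (/^127\.\d+\.\d+\.\d+$/.test(host) || host === '[::1]') return true; // 4: loopback
  const h = host.endsWith('.') ? host.slice(0, -1) : host;
  if (h === 'localhost' || h.endsWith('.localhost')) return true;       // 5
  if (origin.scheme === 'file') return true;                             // 6
  return false;                                                          // 9
}

// "Is url potentially trustworthy?"
function isUrlPotentiallyTrustworthy(urlString, creatorOrigin = undefined) {
  if (urlString === 'about:blank' || urlString === 'about:srcdoc') return true; // 1
  const url = new URL(urlString);
  if (url.protocol === 'data:') return true;                                     // 2
  return isOriginPotentiallyTrustworthy(originOf(url, creatorOrigin));          // 3
}

// The issue's scenario: a page on an https origin starts a worker from a data:
// URL; that worker mints a blob: URL and starts a nested worker from it.
// All values are constructed; the UUID is a placeholder.
function nestedWorkerScenario() {
  const pageOrigin = originOf(new URL('https://example.com/page.html'));
  const dataWorkerUrl = 'data:text/javascript,self.postMessage(1)';
  // HTML: a worker created from a data: URL gets a fresh opaque origin [3].
  const dataWorkerOrigin = originOf(new URL(dataWorkerUrl));
  const uuid = '00000000-0000-4000-8000-000000000000';
  return {
    dataWorkerUrlTrustworthy: isUrlPotentiallyTrustworthy(dataWorkerUrl),
    dataWorkerOriginOpaque: dataWorkerOrigin === null,
    // blob: URL minted inside the data: worker: its origin is the worker's opaque origin
    blobFromDataWorkerTrustworthy: isUrlPotentiallyTrustworthy('blob:null/' + uuid, dataWorkerOrigin),
    // the same kind of blob: URL minted by the https page itself
    blobFromPageTrustworthy: isUrlPotentiallyTrustworthy('blob:https://example.com/' + uuid, pageOrigin),
  };
}

console.log(nestedWorkerScenario());
```

Under the spec text as quoted in the issue, the model returns `blobFromDataWorkerTrustworthy: false` and `blobFromPageTrustworthy: true`, which is the mixed-content block the reporter observes in browsers other than Firefox; the proposed change would instead key the blob's trustworthiness on whether the creator context is a secure context rather than on its origin.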

@annevk (Member)

annevk commented Mar 31, 2023

I think you are correct that we should make it work. Prior discussion on this topic: #69.

I guess it should also be a secure context when opened in a new window.

Part of the question here is where the authority should derive from. Should it be from the Blob object or URL.createObjectURL()? See also these issues: https://github.com/w3c/FileAPI/issues?q=is%3Aissue+is%3Aopen+policy.

The answer is observable I think if you have an insecure and secure context that can reach each other and exchange Blob objects, such as with popups.
