[webkit-changes] [WebKit/WebKit] b1a659: Return opaque origin for blob: URL containing inne...

Anne van Kesteren noreply at github.com
Mon Jul 24 08:43:40 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b1a659b38f09d05fd3e7b3b112066894ab099b8c
      https://github.com/WebKit/WebKit/commit/b1a659b38f09d05fd3e7b3b112066894ab099b8c
  Author: Anne van Kesteren <annevk at annevk.nl>
  Date:   2023-07-24 (Mon, 24 Jul 2023)

  Changed paths:
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-xhtml-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/url-origin.any-expected.txt
    M LayoutTests/imported/w3c/web-platform-tests/url/url-origin.any.worker-expected.txt
    M Source/WebCore/fileapi/BlobURL.cpp
    M Source/WebCore/fileapi/ThreadableBlobRegistry.cpp
    M Source/WebCore/page/SecurityOrigin.cpp
    M Source/WebCore/page/SecurityOrigin.h
    M Source/WebCore/page/SecurityOriginData.cpp

  Log Message:
  -----------
  Return opaque origin for blob: URL containing inner non-http(s): URL
https://bugs.webkit.org/show_bug.cgi?id=257262
rdar://109781193

Reviewed by Alex Christensen and Darin Adler.

Refactor SecurityOrigin so it is more clear blob: URLs are the sole
special case. And change how we derive the blob: URL origin to align
with the URL standard:

* No longer perform percent-decoding (matches other browsers).
* Restrict non-opaque origins to HTTP(S) URLs (will soon match other
  browsers). However:

  * Still give blob: URLs derived from file: origins an origin for now
    as removing that ability needs a bit more care. This currently goes
    against the URL standard, but that might change.
  * Also give registered schemes a pass to allow embedders to continue
    to use blob: URLs as they see fit.

Also change BlobURL to rely more directly on SecurityOrigin.

* LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/url/a-element-origin-xhtml-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/url/url-origin.any-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/url/url-origin.any.worker-expected.txt:
* Source/WebCore/fileapi/BlobURL.cpp:
(WebCore::BlobURL::getOriginURL):
(WebCore::BlobURL::isSecureBlobURL):
* Source/WebCore/fileapi/ThreadableBlobRegistry.cpp:
(WebCore::ThreadableBlobRegistry::getCachedOrigin):
* Source/WebCore/page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::create):
(WebCore::SecurityOrigin::forBlobURL):
(WebCore::SecurityOrigin::isSecure):
(WebCore::SecurityOrigin::shouldUseInnerURL): Deleted.
(WebCore::SecurityOrigin::extractInnerURL): Deleted.
* Source/WebCore/page/SecurityOrigin.h:
* Source/WebCore/page/SecurityOriginData.cpp:
(WebCore::SecurityOriginData::shouldTreatAsOpaqueOrigin):

Canonical link: https://commits.webkit.org/266247@main

More information about the webkit-changes mailing list