LibWeb: Partition Blob URL fetches by Storage Key

This is a security mechanism introduced in the Fetch spec, with
supporting abstract operations (AOs) added to the FileAPI spec.
Shannon Booth 2025-01-19 19:02:18 +13:00 committed by Tim Ledbetter
commit 00cef330ef
Notes: github-actions[bot] 2025-01-21 19:23:08 +00:00
6 changed files with 146 additions and 22 deletions


@ -2,7 +2,7 @@
* Copyright (c) 2021, Idan Horowitz <idan.horowitz@serenityos.org>
* Copyright (c) 2021, the SerenityOS developers.
* Copyright (c) 2023, networkException <networkexception@serenityos.org>
* Copyright (c) 2024, Shannon Booth <shannon@serenityos.org>
* Copyright (c) 2024-2025, Shannon Booth <shannon@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
@ -136,17 +136,21 @@ void DOMURL::revoke_object_url(JS::VM&, StringView url)
if (url_record.scheme() != "blob"sv)
return;
// 3. Let origin be the origin of url record.
auto origin = url_record.origin();
// 3. Let entry be urlRecords blob URL entry.
auto& entry = url_record.blob_url_entry();
// 4. Let settings be the current settings object.
auto& settings = HTML::current_principal_settings_object();
// 5. If origin is not same origin with settingss origin, return.
if (!origin.is_same_origin(settings.origin()))
// 4. If entry is null, return.
if (!entry.has_value())
return;
// 6. Remove an entry from the Blob URL Store for url.
// 5. Let isAuthorized be the result of checking for same-partition blob URL usage with entry and the current settings object.
bool is_authorized = FileAPI::check_for_same_partition_blob_url_usage(entry.value(), HTML::current_principal_settings_object());
// 6. If isAuthorized is false, then return.
if (!is_authorized)
return;
// 7. Remove an entry from the Blob URL Store for url.
FileAPI::remove_entry_from_blob_url_store(url);
}
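Review bot: The two early returns at steps 4 and 6 of `revoke_object_url` read the same, but only the second is an access-control decision, and its comment restates the spec text without saying what the check defends against. I would add a why-comment above the `if (!is_authorized)` line, for example `// A context in a different storage partition must not be able to revoke this URL, so the request is ignored.` Because the explicit `origin.is_same_origin(settings.origin())` comparison is removed, the whole decision now rests on `FileAPI::check_for_same_partition_blob_url_usage`, which is not visible in this section; it is worth confirming that it is at least as strict as the same-origin check it replaces. The function begins above this hunk, so the URL parsing that produces `url_record` was not reviewed here.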