Closed CGossec closed 1 year ago
In practice, the following code in a DevTool console works:
```javascript
var jsCode = "console.log('This is a worklet module.');";
var blob = new Blob([jsCode], { type: "application/javascript" });
var blobURL = URL.createObjectURL(blob);
CSS.paintWorklet.addModule(blobURL);
```
Whereas the same code but with the sharedStorage worklet doesn't.
```javascript
var jsCode = "console.log('This is a worklet module.');";
var blob = new Blob([jsCode], { type: "application/javascript" });
var blobURL = URL.createObjectURL(blob);
window.sharedStorage.worklet.addModule(blobURL);
```
Hi,
Thanks for reaching out! It might make sense to move this discussion to the Shared Storage repo, but first: @xyaoinum @pythagoraskitty @jkarlin any thoughts about why this doesn't work?
We decided to only allow explicitly same-origin URL here: https://github.com/WICG/shared-storage/issues/2: "It comes down to how much you trust the entities on your page.". Shall we revisit this decision now? @jkarlin @pythagoraskitty
The problem raised by @CGossec is that we get an error: net::ERR_UNKNOWN_URL_SCHEME.
I am not sure that this has to do with a same-origin URL limitation. Furthermore, if my understanding of Blobs is correct, the URL generated by createObjectURL(blob) has the same eTLD+1 as the script doing this call (so this should be same-origin).
I see. The error may not come from the same restriction in the implementation. But I think the concern is nevertheless similar, as the blob could come from a fetch for a cross-origin script.
Got it, I did overlook the fact that the blob can indeed come from a cross-origin script. We tried using a blob for simplicity reasons, i.e. not adding one endpoint serving the SharedStorage worklet script. To be clear, we are not asking to revisit the same-origin URL limits that you put in place.
Can we treat a blob similar to how we'd treat an iframe with srcdoc? That is, same origin to its parent frame? I don't see why that would be problematic.
I think that should already be the case per the blob spec: https://w3c.github.io/FileAPI/#originOfBlobURL. The error Aloïs mentioned indicates some other issue is happening -- it might be that Shared Storage's module script downloader needs to add support for blob URLs?
Update: The issue is fixed. Blob URL is now supported on/after Chrome M116 (currently Beta)
Hello,

We (Criteo) are trying to implement reach measurement through PAA and Shared Storage. As it is, the worklet script for reach measurement (similar to this) needs to be hosted on another service/website, and accessed through window.sharedStorage.worklet.addModule(<PathOrURL/to/worklet>).

Classical worklets (example in this) support using Blob URLs as worklet paths, but sharedStorage worklets do not. Are there security reasons for not doing so? If not, we would be keen to see a change in the sharedStorage implementation so that it, too, could fit blobs as worklets.
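The same-origin rule and the blob URL origin definition discussed in this thread, written out as a pre-flight check a page could run before calling addModule. This is an added example, not part of the thread and not Chrome's implementation; the helper name checkWorkletModuleUrl and the sample URLs are assumptions.

```javascript
// Added example: classify a worklet module URL against the embedding page's
// origin. checkWorkletModuleUrl is a hypothetical helper, not a browser API.
function checkWorkletModuleUrl(moduleUrl, pageUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    // Relative paths are resolved against the page URL, as the browser would.
    target = new URL(moduleUrl, page);
  } catch (e) {
    return { allowed: false, scheme: null, origin: null, reason: "unparseable URL" };
  }
  const scheme = target.protocol.replace(/:$/, "");
  // For a blob: URL, URL.origin is the http(s) origin embedded after "blob:"
  // (the File API's "origin of a blob URL"); anything else serializes as "null".
  const origin = target.origin;
  const result = (allowed, reason) => ({ allowed, scheme, origin, reason });

  if (!["http", "https", "blob"].includes(scheme)) {
    return result(false, "unsupported scheme");
  }
  if (origin === "null") {
    return result(false, "opaque origin");
  }
  if (origin !== page.origin) {
    return result(false, "cross-origin");
  }
  return result(true, "same-origin");
}

// Constructed sample inputs, evaluated against a constructed page URL.
const PAGE = "https://shop.example/checkout";
const SAMPLES = [
  "/worklets/reach.js",
  "blob:https://shop.example/0f1e2d3c-0000-4000-8000-000000000001",
  "blob:https://cdn.other.example/0f1e2d3c-0000-4000-8000-000000000002",
  "data:application/javascript,console.log(1)",
];
for (const url of SAMPLES) {
  console.log(url, "->", checkWorkletModuleUrl(url, PAGE).reason);
}
```

The check looks only at the URL. It cannot tell where the bytes inside a blob came from, which is the concern raised in the thread about blobs built from a cross-origin fetch.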