Open johnathan79717 opened 1 year ago
I think you are correct that we should make it work. Prior discussion on this topic: #69.
I guess it should also be a secure context when opened in a new window.
Part of the question here is where the authority should derive from. Should it be from the `Blob` object or `URL.createObjectURL()`? See also these issues: https://github.com/w3c/FileAPI/issues?q=is%3Aissue+is%3Aopen+policy.
The answer is observable I think if you have an insecure and secure context that can reach each other and exchange `Blob` objects, such as with popups.
Let's say there's a worker created from a `data:` URL in a secure context. That worker creates a `blob:` URL and tries to create a nested worker out of that URL. Should that be blocked as mixed content? In other words, should the `blob:` URL be considered potentially trustworthy?

From the `data worker: postMessaging to a dedicated blob sub-worker allows them to see each others' modifications` test in [1], Firefox doesn't block the above as mixed content, but other browsers do.

I think the current spec says the `blob:` URL is not trustworthy, because [2] says

Since workers created from a `data:` URL have a unique opaque origin [3], and opaque origins are not trustworthy [4], this `blob:` URL should not be considered potentially trustworthy.

However, since this blob is created in a secure context, and blob objects are immutable, it feels like we should be able to trust this URL to deliver data securely. Should we consider updating the spec to make `blob:` URLs potentially trustworthy if their creator context is secure?

[1] https://wpt.fyi/results/html/infrastructure/safe-passing-of-structured-data/shared-array-buffers/blob-data.https.html?label=master&label=experimental&aligned&q=html%2Finfrastructure%2Fsafe-passing-of-structured-data%2Fshared-array-buffers%2Fblob-data.https.html
[2] https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
[3] https://html.spec.whatwg.org/multipage/workers.html#set-up-a-worker-environment-settings-object
[4] https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
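
The check discussed in this issue, as an added example that is not part of the original thread or of any browser's code: a simplified JavaScript model of the Secure Contexts "is URL / is origin potentially trustworthy" steps cited in [2] and [4], next to the rule the issue proposes. The function names, the `creatorIsSecureContext` flag and the sample URLs are assumptions made for illustration, and only the branches relevant to the `data:`/`blob:` worker case are modelled.

```javascript
// Simplified model (assumption) of the Secure Contexts checks cited in [2] and [4].
// It is not a full implementation of either algorithm.

// "Is origin potentially trustworthy?", reduced to three cases:
// opaque origin -> no, https/wss -> yes, loopback host -> yes, anything else -> no.
function isOriginPotentiallyTrustworthy(serializedOrigin) {
  if (serializedOrigin === "null") return false; // opaque origin serializes as "null"
  const u = new URL(serializedOrigin);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         /^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]";
}

// "Is url potentially trustworthy?" as currently specified: a blob: URL is judged
// by its origin, which the URL parser derives from the part after "blob:".
function isUrlPotentiallyTrustworthy(urlString) {
  const u = new URL(urlString);
  if (u.href === "about:blank" || u.href === "about:srcdoc") return true;
  if (u.protocol === "data:") return true;
  return isOriginPotentiallyTrustworthy(u.origin);
}

// Rule proposed in the issue (hypothetical): a blob: URL is also trusted when the
// context that created it is a secure context, whatever its origin.
function isUrlTrustworthyProposed(urlString, creatorIsSecureContext) {
  if (new URL(urlString).protocol === "blob:" && creatorIsSecureContext) return true;
  return isUrlPotentiallyTrustworthy(urlString);
}

// Constructed sample URLs; the UUIDs are made up.
// A worker started from a data: URL has an opaque origin, so its blob URLs
// serialize with "null" in the origin position.
const blobFromDataWorker = "blob:null/6b8f0c1e-3d5a-4c2b-9f47-1a2b3c4d5e6f";
const blobFromHttpsPage = "blob:https://example.com/6b8f0c1e-3d5a-4c2b-9f47-1a2b3c4d5e6f";

function report() {
  return [blobFromDataWorker, blobFromHttpsPage].map((url) => ({
    url,
    current: isUrlPotentiallyTrustworthy(url),
    proposed: isUrlTrustworthyProposed(url, true),
  }));
}

console.log(report());
```

Under the current rule the nested worker's `blob:null/...` URL is not potentially trustworthy, which is why a browser following it treats the load as mixed content; under the proposed rule the same URL passes because its creator was a secure context.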