Open Bug 1747240 Opened 3 years ago Updated 3 years ago

Want ChromeOnly API to determine underlying origin for blob URI generated by sandboxed iframes

Categories

(Core :: DOM: File, enhancement)

Product:
Core
Component:
DOM: File
Platform:
Desktop
All
Type:
enhancement

Tracking

()

Tracking Flags:
Tracking Status
firefox97 --- affected

People

(Reporter: Gijs, Unassigned)

References

Details

STR:

  1. generate blob URI in example.com, then use new URL(bloburlstring).origin --> produces example.com
  2. generate the same URI in an <iframe sandbox> that has loaded example.com, and the same thing produces null

AR: null in step 2

ER: want to be able to deduce example.com somehow, either with that API or some other (privileged) API.

For frontend downloads code, it'd be useful if we could still determine the origin of the blob URI in this case. I assume we know this at the point of creation, though atm it might not be stored anywhere that we can retrieve later?

There also seems to be some overlap with bug 1282504 but I can't easily tell from that bug and https://github.com/whatwg/url/issues/127 where the spec has ended up, and/or if we now implement it or if actually the web version of this API should also support this. Anne, can you clarify?

Flags: needinfo?(annevk)

The web version of the API should not support this functionality. In step 2 of comment 0 the origin of the nested document is an opaque origin, which serializes as "null". Perhaps that for Fission-purposes we also store the "initial origin" (not an actual specification concept) or some such, before sandboxing changed it. But exposing that would be some novel work presumably. Hope that helps.

Component: DOM: Core & HTML → DOM: File
Flags: needinfo?(annevk)
Type: defect → enhancement
You need to log in before you can comment on or make changes to this bug.