Intent to Ship: Stricter mixed content check for blob and filesystem URLs

95 views
Skip to first unread message

Frédéric Wang

unread,
Feb 1, 2021, 10:17:08 AMFeb 1
to blin...@chromium.org

Contact emails

fw...@chromium.org

Specification

https://w3c.github.io/webappsec-mixed-content/

Summary

The Mixed Content specification describes how a user agent should handle fetching of unsecure content from a secure context. For that purpose, Chrome currently treats any blob: and filesystem: content as secure although the spec says their origin should be checked instead (i.e. blob://https://... is secure but blob://http://... is not). This change is about making the mixed content checker follow this stricter behavior.

Blink component

Blink>SecurityFeature>SecureContexts

Risks



Interoperability and Compatibility

Interop: Currently browsers implement different rules but in general they seem to agree about increasing security, so this is going into the right direction. Compat: There is a possible regression since Chrome will now treat some pages like blob://http://... as unsecure for the purpose of mixed content check.



Gecko: No signal

Edge: No signal

WebKit: No signal

Web developers: No signals


Is this feature fully tested by web-platform-tests?

No (only internal tests)

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1172988

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5721818595852288

This intent message was generated by Chrome Platform Status.
-- 
Frédéric Wang

Domenic Denicola

unread,
Feb 1, 2021, 11:32:51 AMFeb 1
to Frédéric Wang, blin...@chromium.org
From: blin...@chromium.org <blin...@chromium.org> On Behalf Of Frédéric Wang

> Is this feature fully tested by https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md?
> No (only internal tests)

Do you plan to add such tests as part of this work?

Frédéric Wang

unread,
Feb 1, 2021, 2:28:33 PMFeb 1
to Domenic Denicola, blin...@chromium.org
The current CL (
https://chromium-review.googlesource.com/c/chromium/src/+/2662116 ) does
not have WPT tests, but yeah new one should probably be added. Note
however that despite the fact that the filesystem: scheme is mentioned
on the Secure Contexts spec, it's really a chrome-specific one and is
not considered by the WHATWG's URL spec (
https://url.spec.whatwg.org/#concept-url-origin ). So not sure we can
really write a test for that one.

--
Frédéric Wang

Mike Taylor

unread,
Feb 1, 2021, 4:28:43 PMFeb 1
to Frédéric Wang, Domenic Denicola, blin...@chromium.org
On 2/1/21 1:28 PM, Frédéric Wang wrote:
> The current CL (
> https://chromium-review.googlesource.com/c/chromium/src/+/2662116 ) does
> not have WPT tests, but yeah new one should probably be added. Note
> however that despite the fact that the filesystem: scheme is mentioned
> on the Secure Contexts spec, it's really a chrome-specific one and is
> not considered by the WHATWG's URL spec (
> https://url.spec.whatwg.org/#concept-url-origin ). So not sure we can
> really write a test for that one.

A ".tentative" test may be an option for the filesystem stuff:

<https://web-platform-tests.org/writing-tests/file-names.html>

Mike West

unread,
Feb 3, 2021, 8:54:22 AMFeb 3
to Mike Taylor, Frédéric Wang, Domenic Denicola, blin...@chromium.org
This is simply a bug in our implementation, counter to the spec (and good sense!). I'd be comfortable shipping it as a bug fix. So, at least LGTM1. :)

I agree with both Domenic that we really do need WPT for this, and with Mike that `.tentative` is a reasonable way of supporting `filesystem:` tests in WPT (possibly with an `assert_implements_optional("webkitRequestFileSystem" in window)` gate).

-mike


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4dfdf5af-0fb7-bed8-b346-fabae6506a53%40google.com.

yo...@yoav.ws

unread,
Feb 4, 2021, 3:40:36 AMFeb 4
to blink-dev, mk...@chromium.org, fw...@igalia.com, d...@domenic.me, blin...@chromium.org, mike...@google.com
LGTM2

Daniel Bratell

unread,
Feb 4, 2021, 2:50:53 PMFeb 4
to yo...@yoav.ws, blink-dev, mk...@chromium.org, fw...@igalia.com, d...@domenic.me, mike...@google.com

LGTM3

But please make a reasonable attempt at a WPT so that we ensure interoperability in the future.

/Daniel

Joshua Bell

unread,
Feb 4, 2021, 8:01:44 PMFeb 4
to Mike West, Mike Taylor, Frédéric Wang, Domenic Denicola, blin...@chromium.org
On Wed, Feb 3, 2021 at 5:54 AM Mike West <mk...@chromium.org> wrote:
This is simply a bug in our implementation, counter to the spec (and good sense!). I'd be comfortable shipping it as a bug fix. So, at least LGTM1. :)

I agree with both Domenic that we really do need WPT for this, and with Mike that `.tentative` is a reasonable way of supporting `filesystem:` tests in WPT (possibly with an `assert_implements_optional("webkitRequestFileSystem" in window)` gate).


Minor aside on this - we're not attempting to push for adoption of "filesystem:" URLs beyond Chrome, so consider landing those tests in third_party/blink/web_tests/wpt_internal/ instead. Tests should be written and executed in exactly the same way and could easily be upstreamed if our stance ever changes.
 
-mike


On Mon, Feb 1, 2021 at 10:28 PM 'Mike Taylor' via blink-dev <blin...@chromium.org> wrote:
On 2/1/21 1:28 PM, Frédéric Wang wrote:
> The current CL (
> https://chromium-review.googlesource.com/c/chromium/src/+/2662116 ) does
> not have WPT tests, but yeah new one should probably be added. Note
> however that despite the fact that the filesystem: scheme is mentioned
> on the Secure Contexts spec, it's really a chrome-specific one and is
> not considered by the WHATWG's URL spec (
> https://url.spec.whatwg.org/#concept-url-origin ). So not sure we can
> really write a test for that one.

A ".tentative" test may be an option for the filesystem stuff:

<https://web-platform-tests.org/writing-tests/file-names.html>

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/4dfdf5af-0fb7-bed8-b346-fabae6506a53%40google.com.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Frédéric Wang

unread,
Feb 11, 2021, 5:25:27 AMFeb 11
to blin...@chromium.org
Le 05/02/2021 à 02:01, Joshua Bell a écrit :

Minor aside on this - we're not attempting to push for adoption of "filesystem:" URLs beyond Chrome, so consider landing those tests in third_party/blink/web_tests/wpt_internal/ instead. Tests should be written and executed in exactly the same way and could easily be upstreamed if our stance ever changes.

Thank you everybody. I'll look into how I can write a WPT test. I think I prefer the option of putting filesystem in wpt_internal, though.

-- 
Frédéric Wang

Frédéric Wang

unread,
Feb 12, 2021, 6:18:49 AMFeb 12
to blin...@chromium.org

Hi,

I tried a WPT with a https page opening a (http or https) popup which in turns create a blob. Then using the fetch API or a <script src> to request the blob url gives the following errors:

CONSOLE ERROR: line 16: Fetch API cannot load blob:http://web-platform.test:8001/818acb4f-1c92-4188-896d-bde429ccd113. URL scheme must be "http" or "https" for CORS request.
CONSOLE ERROR: line 29: Not allowed to load local resource: blob:http://web-platform.test:8001/818acb4f-1c92-4188-896d-bde429ccd113

This seems to happen before the mixed content check, so it actually does not detect the behavior change of the CL. I'm not sure there is a way to play with the definitions of "potentially trustworthy origin" and "mixed content" to write a test that actually exhibits the behavior change ; or whether the change is just not web-exposed. In any case, my CL now has an internal test for blob/filesystem and this wpt test for blob. At the end, I believe I'll skip the internal wpt test for filesystem given previous feedback that we don't plan to standardize this scheme.

-- 
Frédéric Wang

Marijn Kruisselbrink

unread,
Feb 12, 2021, 12:14:50 PMFeb 12
to Frédéric Wang, blink-dev
It sounds like what you're running into is that in at least the chrome implementation blob URLs are not allowed to be fetched cross-origin. So for subresource requests the page loading the blob URL and the blob URL itself always have to be same origin, and most navigations can only be initiated by same-origin windows as well. Unfortunately not all browsers behave quite the same, and none of this is currently really specified (see https://github.com/whatwg/fetch/issues/666 for some details). But yes, I think you're right and there shouldn't be any way to get mixed origin content using blob URLs.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Reply all
Reply to author
Forward
0 new messages