From 77b2086a2ffb613dadd5f76c2edd03822b1cd5cb Mon Sep 17 00:00:00 2001 From: Andrew Williams Date: Thu, 5 Dec 2024 01:43:42 +0900 Subject: [PATCH] Partition Blob URL revocation by Storage Key (#201) Adds new "obtain a blob object" algorithm that does partition checks, and use that in the blob url revocation steps. --- index.bs | 50 +++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 41 insertions(+), 9 deletions(-) diff --git a/index.bs b/index.bs index 8477cc4..0859469 100644 --- a/index.bs +++ b/index.bs @@ -1512,15 +1512,30 @@ A [=blob URL store=] is a [=map=] where [=map/keys=] are [=valid URL strings=] and [=map/values=] are [=blob URL Entries=]. -A blob URL entry consists of -an object (of type {{Blob}} or {{MediaSource}}), -and an environment (an [=environment settings object=]). +A blob URL entry consists of an object (of type +{{Blob}} or {{MediaSource}}), and an environment (an +[=environment settings object=]). + +Note: Specifications have to use the [=obtain a blob object=] algorithm to access a +[=blob URL entry=]'s [=blob URL entry/object=]. [=map/Keys=] in the [=blob URL store=] (also known as blob URLs) are [=valid URL strings=] that when [=URL parser|parsed=] result in a [=/URL=] with a [=url/scheme=] equal to "`blob`", an [=empty host=], and a [=url/path=] consisting of one element itself also a [=valid URL string=]. +
+To obtain a blob object given a [=blob URL entry=] +|blobUrlEntry| and an [=environment settings object=] or the string "`navigation`" |environment|, +perform the following steps. They return an [=blob URL entry/object=]. + +1. Let |isAuthorized| be true. +1. If |environment| is not the string "`navigation`", then set |isAuthorized| to the result of [=checking for same-partition blob URL usage=] with |blobUrlEntry| and |environment|. +1. If |isAuthorized| is false, then return failure. +1. Return |blobUrlEntry|'s [=blob URL entry/object=]. + +
+
To generate a new blob URL, run the following steps: @@ -1595,6 +1610,22 @@ as the serialization of the origin of the environment that created the blob URL, but for opaque origins the origin itself might be distinct. This difference isn't observable though, since a revoked blob URL can't be resolved/fetched anymore anyway. +### Access restrictions on blob URLs ### {#partitioningOfBlobUrls} + +Blob URLs can only be fetched from environments where the [=storage key=] matches that of +the environment where the blob URL was created. Blob URL navigations are not subject +to this restriction. + +
+To check for same-partition blob URL usage given a [=blob URL entry=] |blobUrlEntry| and an [=environment settings object=] |environment|, perform the following steps. They return a boolean. + +1. Let |blobStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |blobUrlEntry|'s [=blob URL entry/environment=]. +1. Let |environmentStorageKey| be the result of [=obtaining a storage key for non-storage purposes=] with |environment|. +1. If |blobStorageKey| is not [=storage key/equal=] to |environmentStorageKey|, then return false. +1. Return true. + +
+

Lifetime of blob URLs

This specification extends the [=unloading document cleanup steps=] with the following steps: @@ -1630,14 +1661,15 @@ return the result of [=adding an entry to the blob URL store=] for |obj|.
The revokeObjectURL(|url|) static method must run these steps: -1. Let |url record| be the result of [=URL parser|parsing=] |url|. -1. If |url record|'s [=url/scheme=] is not "`blob`", return. -1. Let |origin| be the [=url/origin=] of |url record|. -1. Let |settings| be the [=current settings object=]. -1. If |origin| is not [=same origin=] with |settings|'s [=environment settings object/origin=], return. +1. Let |urlRecord| be the result of [=URL parser|parsing=] |url|. +1. If |urlRecord|'s [=url/scheme=] is not "`blob`", return. +1. Let |entry| be |urlRecord|'s [=blob URL entry=]. +1. If |entry| is null, then return. +1. Let |isAuthorized| be the result of [=checking for same-partition blob URL usage=] with |entry| and the [=current settings object=]. +1. If |isAuthorized| is false, then return. 1. [=Remove an entry from the Blob URL Store=] for |url|. -Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered will silently fail. +Note: This means that rather than throwing some kind of error, attempting to revoke a URL that isn't registered or that was registered from an environment in a different storage partition will silently fail. User agents might display a message on the error console if this happens. Note: Attempts to dereference |url| after it has been revoked will result in a [=network error=].
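Review bot: In the first hunk (`@@ -1512,15 +1512,30 @@`), the new "obtain a blob object" algorithm says "They return an [=blob URL entry/object=]", but step 3 can "return failure", so the return clause is wrong and the article is off; suggest "They return a [=blob URL entry/object=] or failure." Since the added Note tells other specifications they have to go through this algorithm, callers need that failure outcome spelled out so that fetch and friends know to treat it as a network error rather than assuming an object always comes back.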
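Review bot: In the second hunk (`@@ -1595,6 +1610,22 @@`), the "Access restrictions on blob URLs" prose only says blob URLs can only be fetched from a matching storage key, yet the same "check for same-partition blob URL usage" algorithm now also gates revokeObjectURL() later in this patch, so the section understates what is partitioned; suggest "Blob URLs can only be fetched or revoked from environments where the [=storage key=] matches that of the environment where the blob URL was created." It would also help to state explicitly that the storage key is derived from the entry's stored environment at check time via "obtain a storage key for non-storage purposes", rather than captured on the entry when the URL is created, since that is what step 1 of the algorithm does.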
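Review bot: In the third hunk (`@@ -1630,14 +1661,15 @@`), step 2 of revokeObjectURL() reads |urlRecord|'s [=url/scheme=] without first handling the case where the URL parser returns failure; insert "1. If |urlRecord| is failure, then return." between steps 1 and 2 (the removed lines had the same gap, but this rewrite is the place to close it). Separately, the commit message says the new "obtain a blob object" algorithm is used "in the blob url revocation steps", while the steps as written call "check for same-partition blob URL usage" directly; that is reasonable, since revocation never needs the object itself, but the commit message should say so to avoid a reader looking for a call that is not there.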