Bug 56063 - Inline worker powered by blob URL does not work with file URLs even if allowFileAccessFromFileURLs is enabled.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: PC All
Importance: P2 Normal
Assignee: Jian Li
Reported: 2011-03-09 17:32 PST by Jian Li
Modified: 2011-03-29 13:38 PDT
Attachments
Proposed Patch (7.35 KB, patch)
2011-03-09 17:46 PST, Jian Li
jianli: commit-queue-
Proposed Patch (7.35 KB, patch)
2011-03-09 17:47 PST, Jian Li
abarth: review+
jianli: commit-queue-

Description Jian Li 2011-03-09 17:32:10 PST
Inline worker powered by blob URL does not work with file URLs even if allowFileAccessFromFileURLs is enabled.

Test script:

function runTest()
{
    var blobBuilder = new BlobBuilder();
    blobBuilder.append([
        "onmessage = function(e) {",
        "    postMessage('Hello from worker');",
        "};"
    ].join('\n'));
    var blobURL = webkitURL.createObjectURL(blobBuilder.getBlob());
    var worker = new Worker(blobURL);
    worker.onmessage = function(event) {
        alert(event.data);
    };
    worker.postMessage();
}
Comment 1 Jian Li 2011-03-09 17:46:33 PST
Created attachment 85267
Proposed Patch
Comment 2 Jian Li 2011-03-09 17:47:58 PST
Created attachment 85268
Proposed Patch
Comment 3 David Levin 2011-03-09 17:50:05 PST
I haven't looked in depth much, but this looks like a security related change to SecurityOrigin, so I bet Mr. Barth would like to at least glance at it.
Comment 4 Dmitry Titov 2011-03-09 18:11:21 PST
Interesting. I have a couple of clarifying questions:

What if a shared worker is created like this, and then another page wants to connect to the same worker - should we find the worker by the blob URL match? But then, since a blob can have more than one URL, all pointing to the same content (as a result of postMessage(blob), for example) - do all those URLs match?

Also, what is the origin of the Worker as a result? what resources can it load by XHR or importScripts?
Comment 5 Dmitry Titov 2011-03-10 12:02:40 PST
Jian answered my questions offline. Since Blobs inherit origin from the page that calls createObjectURL(), the origin questions are clear.

By the same token, I think we can add data: url support for Workers, by assigning the origin of the creating page to the worker created from the data: url - but this is outside of the scope of this bug.

We still need Adam to take a look :-)
Comment 6 Adam Barth 2011-03-28 17:00:53 PDT
Comment on attachment 85268
Proposed Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=85268&action=review

This patch is amazing.  I love it!

> Source/WebCore/page/SecurityOrigin.cpp:83
> +    bool isBlobOrFileSystemProtocol = (m_protocol == BlobURL::blobProtocol()) || (m_protocol == "filesystem");
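
Review bot: In the added line at SecurityOrigin.cpp:83, the blob scheme comes from BlobURL::blobProtocol() but the filesystem scheme is the bare string literal "filesystem"; a named constant or accessor for it would keep the two comparisons consistent and stop a mistyped scheme from silently failing this check. A one-line comment saying why these two protocols are grouped under isBlobOrFileSystemProtocol would also help the next reader of SecurityOrigin.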

Will this build if ENABLE(BLOB) is false?  We might need some fancier ifdefing.
Comment 7 Adam Barth 2011-03-28 17:02:47 PDT
> By the same token, I think we can add data: url support for Workers, by assigning the origin of the creating page to the worker created from the data: url - but this is outside of the scope of this bug.

Solving the data URL problem is harder because they don't carry around their origin inside of themselves.  We'll need to track the origin separately.  That's probably easier to solve for the worker case than in the general case.
Comment 8 Jian Li 2011-03-29 13:38:55 PDT
Committed as https://trac.webkit.org/changeset/82311.
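
Added illustration, not part of the bug thread and not WebKit's code: a sketch of the point made in comments 5 and 7, that a blob: (or filesystem:) URL carries the creating page's origin inside itself while a data: URL does not. The function names, the sample URLs and the simplified handling of file: origins (a boolean standing in for allowFileAccessFromFileURLs) are assumptions made for the example.

```javascript
// Added illustration, not WebKit code. Names and sample URLs are constructed.
// Schemes whose URLs embed the creating page's origin after the prefix.
const ORIGIN_CARRYING = ['blob:', 'filesystem:'];

function originTuple(u) {
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port };
}

// Origin that travels with a worker script URL, or null if there is none.
function scriptOrigin(urlString) {
  const lower = urlString.toLowerCase();
  if (lower.startsWith('data:')) return null;   // data: URLs carry no origin
  const prefix = ORIGIN_CARRYING.find((p) => lower.startsWith(p));
  try {
    // blob:/filesystem: -> parse the inner URL; anything else -> the URL itself
    return originTuple(new URL(prefix ? urlString.slice(prefix.length) : urlString));
  } catch (e) {
    return null;                                // malformed URL
  }
}

// Simplified model (assumption): file: origins match each other only when
// allowFileAccess, standing in for allowFileAccessFromFileURLs, is true.
function mayStartWorker(pageUrl, scriptUrl, allowFileAccess) {
  const page = originTuple(new URL(pageUrl));
  const script = scriptOrigin(scriptUrl);
  if (!script) return false;                    // nothing to compare against
  if (page.scheme === 'file' || script.scheme === 'file') {
    return allowFileAccess === true && page.scheme === script.scheme;
  }
  return page.scheme === script.scheme && page.host === script.host &&
         page.port === script.port;
}

// Constructed sample URLs (the UUID is made up).
const ID = '0f8fad5b-d9cb-469f-a165-70867728950e';
console.log(mayStartWorker('https://example.com/app.html', `blob:https://example.com/${ID}`, false));
console.log(mayStartWorker('file:///home/u/test.html', `blob:file:///${ID}`, false));
console.log(mayStartWorker('file:///home/u/test.html', `blob:file:///${ID}`, true));
console.log(mayStartWorker('https://example.com/app.html', 'data:text/javascript,postMessage(1)', false));
```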