// Copyright 2019 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef THIRD_PARTY_BLINK_RENDERER_PLATFORM_BLOB_BLOB_URL_NULL_ORIGIN_MAP_H_ #define THIRD_PARTY_BLINK_RENDERER_PLATFORM_BLOB_BLOB_URL_NULL_ORIGIN_MAP_H_ #include "base/synchronization/lock.h" #include "base/thread_annotations.h" #include "base/unguessable_token.h" #include "third_party/blink/renderer/platform/platform_export.h" #include "third_party/blink/renderer/platform/wtf/hash_map.h" #include "third_party/blink/renderer/platform/wtf/text/string_hash.h" #include "third_party/blink/renderer/platform/wtf/thread_specific.h" namespace blink { class KURL; class SecurityOrigin; // BlobURLNullOriginMap contains pairs of blob URL and security origin that is // serialized into "null". An instance of this class is per-thread, and created // when GetInstace() is called for the first time. // // When a blob URL is created in an opaque origin or something whose // SecurityOrigin::SerializesAsNull() returns true, the origin is serialized // into the URL as "null". Since that makes it impossible to parse the origin // back out and compare it against a context's origin (to check if a context is // allowed to dereference the URL), this class stores a map of blob URL to such // an origin. class PLATFORM_EXPORT BlobURLNullOriginMap { … }; // BlobURLOpaqueOriginNonceMap contains pairs of blob URL and opaque security // origin's nonce. This is used for comparing opaque origins in a thread-safe // way. An instance of this class is singleton, and can safely be accessed from // any threads. // // BlobURLNullOriginMap above does not work for the case where the blob URL is // registered in an opaque origin, and then a network request is sent to the URL // from a different thread because the map contains non-thread-safe // SecurityOrigin. For example, this happens on dedicated worker construction // that loads a top-level worker script on a worker thread. // // To handle the case, BlobURLOpaqueOriginNonceMap keeps SecurityOrigin::Nonce // instead of SecurityOrigin. The nonce is uniquely assigned to SecurityOrigin // when it is constructed as an opaque origin, and SecurityOrigin instances // (isolated-)copied from the same opaque origin share the same nonce. The nonce // is thread-safe, so it is feasible to compare opaque origins over threads. // // TODO(nhiroki): Unify BlobURLNullOriginMap and BlobURLOpaqueOriginNonceMap. // Making BlobURLNullOriginMap thread-safe could be possible solution, but // actually it should be quite hard and not practical. This is because // SecurityOrigin is not thread-safe, and widely used with an assumption that it // is not shared among threads. Instead, we could stop using // BlobURLNullOriginMap, and use BlobURLNullOriginMap in any case. class PLATFORM_EXPORT BlobURLOpaqueOriginNonceMap { … }; } // namespace blink #endif // THIRD_PARTY_BLINK_RENDERER_PLATFORM_BLOB_BLOB_URL_NULL_ORIGIN_MAP_H_