[FileAPI] Change BlobUrlRegistry to be per storage partition.

Different storage partitions should not be able to resolve blob URLs
created in other partitions. To ensure this, give each partition their
own blob url registry.

There is one exception though, a <webview> inside a chrome app should
be able to resolve blob URLs that were created by the chrome app. To
enable this, we add the concept of a "fallback url registry" to
BlobUrlRegistry, and pass the BlobUrlRegistry of the app in as fallback
when creating the storage partition for a <webview>.

Bug: 1106890
Change-Id: I809f24a2c0b4d8d21e53d46bb6d3e2027b21281b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2324110
Reviewed-by: Charlie Reis <[email protected]>
Reviewed-by: Aaron Colwell <[email protected]>
Commit-Queue: Marijn Kruisselbrink <[email protected]>
Cr-Commit-Position: refs/heads/master@{#804321}
diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc
index 5735af8..40b0b21d 100644
--- a/content/browser/frame_host/navigation_controller_impl.cc
+++ b/content/browser/frame_host/navigation_controller_impl.cc
@@ -3127,8 +3127,11 @@
// the correct url loader factory to use here.
auto blob_url_loader_factory = params.blob_url_loader_factory;
if (!blob_url_loader_factory && params.url.SchemeIsBlob()) {
+ // Resolve the blob URL in the storage partition associated with the target
+ // frame. This is the storage partition the URL will be loaded in, and only
+ // URLs that can be resolved by it should be able to access its data.
blob_url_loader_factory = ChromeBlobStorageContext::URLLoaderFactoryForUrl(
- GetBrowserContext(), params.url);
+ node->current_frame_host()->GetStoragePartition(), params.url);
}
std::unique_ptr<NavigationEntryImpl> entry;
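Review bot: The new comment says the partition is the one "the URL will be loaded in", but the added call takes it from node->current_frame_host(), which is the frame host at the moment this entry is built. If the navigation can end up committing in a different frame host, the partition that resolved the blob URL and the partition that loads it are only the same by assumption. Please either state in the comment why the current frame host's partition is guaranteed to match the one the navigation commits in, or resolve against the partition of the host that is finally selected. It would also help to mention here that a <webview> partition may still resolve app-created URLs through the fallback registry described in the commit message, since "only URLs that can be resolved by it" otherwise reads as strictly per-partition.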