Cannot load blob:chrome-extension:-URL in content script
Issue description

Chrome Beta (66) and Canary (67.0.3380.0) refuse to load blob:chrome-extension:-URLs from a content script. This is a regression caused by d30633d9051ff97eed229cab019f75eaaa16144 (bug 821596).

Extensions should be able to load blob:chrome-extension:-URLs. These URLs are not predictable, so allowing the renderer to load the URL (at least with fetch/XHR) if it knows about the URL is a reasonably safe operation.

If that is not feasible, then consider using structured cloning instead of JSON-serializing for the extension messaging API (bug 112163) (like Firefox). Otherwise extensions have no efficient means to send a huge Blob to the content script.

STR:
1. Download the attached files, save them to a directory.
2. Load the extension in Chrome, either with --load-extension=path/to/directory/from/step/one or via chrome://extensions (Developer Mode).
3. Visit example.com (any web page will do).
4. Click on the extension button:
   * The extension will create a blob:-URL in the background page.
   * The extension sends a blob:-URL to the content script.
   * The content script will use fetch and XMLHttpRequest to load the script, and print the results in an alert dialog and the JS console.

Expected result:
- Two alert dialogs:
  * "fetch succeeded with response: [Blob data from background page]"
  * "XMLHttpRequest succeeded with response: [Blob data from background page]"
- The JS console shows: "PASS: fetch" and "PASS: xhr"

Actual result:
- Two alert dialogs:
  * "fetch(blobUrl) failed with error: TypeError: Failed to fetch"
  * "XMLHttpRequest failed to read blobUrl"
- The JS console shows: "FAIL: fetch" and "FAIL: xhr"
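The hand-off the report relies on, as an added example (not the attached reproduction files, which are not shown on this page): the background page mints the blob: URL and the content script fetches it only after checking that it belongs to its own extension origin. The function names, the injected `chromeApi`/`urlApi`/`fetchImpl` parameters and the message shape `{ blobUrl }` are assumptions made for illustration.

```javascript
// Added example; function names and the { blobUrl } message shape are hypothetical.

// Background page: expose a large Blob to one tab as an unguessable blob: URL,
// and revoke the URL once the content script has answered.
function shareBlob(blob, tabId, chromeApi, urlApi = URL) {
  const blobUrl = urlApi.createObjectURL(blob);
  chromeApi.tabs.sendMessage(tabId, { blobUrl }, () => urlApi.revokeObjectURL(blobUrl));
  return blobUrl;
}

// Content script: accept only blob:<own extension origin>/<UUID>, so a message
// cannot steer the fetch towards a web URL or another origin's blob.
function isOwnBlobUrl(url, extensionId) {
  const prefix = `blob:chrome-extension://${extensionId}/`;
  return typeof url === "string" && url.startsWith(prefix) &&
    /^[0-9a-f-]{36}$/i.test(url.slice(prefix.length));
}

// Content script: load the blob and return a result object instead of throwing.
async function loadSharedBlob(url, extensionId, fetchImpl = fetch) {
  if (!isOwnBlobUrl(url, extensionId)) {
    return { ok: false, error: "rejected: not a blob URL of this extension" };
  }
  try {
    const response = await fetchImpl(url);
    return { ok: true, text: await response.text() };
  } catch (e) {
    // On the affected builds this is "TypeError: Failed to fetch".
    return { ok: false, error: String(e) };
  }
}

// Content-script wiring; only runs where the extension APIs exist.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    loadSharedBlob(msg.blobUrl, chrome.runtime.id).then((result) => {
      console.log(result.ok ? "PASS: fetch" : "FAIL: fetch", result);
      sendResponse(result.ok);
    });
    return true; // keep sendResponse valid until the fetch settles
  });
}
```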
Mar 23 2018
This is different from bug 761341. Bug 761341 is about the inability to navigate to a blob:chrome-extension-URL, a regression in Chrome 60. The bug here is about the inability to load a blob:chrome-extension:-URL in a content script with fetch/XMLHttpRequest, a regression in Chrome 67 (Beta). Since this is not on stable yet, can it be fixed before it hits stable? Otherwise extensions that rely on this feature will break. Here is an example of why one would want to be able to load blob:-URLs from a content script: https://stackoverflow.com/questions/23847708/pass-large-blob-or-file-from-chrome-extension
Mar 25 2018
Mar 26 2018
I think the right thing to do here is to revert the CanRequestURL enforcement until we have a better story for content scripts (there's not much sense in carving out an exception for extensions, since the check had been aimed at protecting extension origins). The meaningful security boundary here ought to be around creating the blob url.
Mar 26 2018
SG. Nick, do you want to handle the revert?
Comment 1 by rdevlin....@chromium.org, Mar 23 2018