Cross-Origin Read Blocking (CORB) is an algorithm that can identify and block dubious cross-origin resource loads in web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks like Spectre.

Demo

• https://anforowicz.github.io/xsdb-demo/index.html

Documentation

• https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
• https://www.chromium.org/Home/chromium-security/corb-for-developers
• https://github.com/whatwg/fetch/issues/681

Specification

Specification link

Status: Unknown standards status - check spec link for status

Status in Chromium

Blink components: Blink>SecurityFeature

Implementation status: Enabled by default (tracking bug)

Consensus & Standardization

• Firefox: Positive
• Edge: No signal
• Safari: Positive
• Web Developers: No signals

Owners

• creis@chromium.org
• nick@chromium.org
• lukasza@chromium.org

Comments

Web developers can learn more about how CORB affects their sites at https://www.chromium.org/Home/chromium-security/corb-for-developers. Chrome 83 CORS changes for cross-origin requests from chrome extension content scripts are described at https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

Search tags

Last updated on 2021-08-31