Cross-Origin Read Blocking (CORB)

Cross-Origin Read Blocking (CORB) is an algorithm that can identify and block dubious cross-origin resource loads in web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks like Spectre.

Comments

Many of the effects of CORB are not observable since the responses it blocks tend to be opaque to web pages in the first place. However, there are 4 observable changes to the web platform to make CORB possible, as outlined in the Blink Intent here: https://groups.google.com/a/chromium.org/d/msg/blink-dev/hnAWBzq1qys/XwLxNT9oCQAJ Web developers can learn more about how CORB affects their sites at https://www.chromium.org/Home/chromium-security/corb-for-developers.

Demo

• https://anforowicz.github.io/xsdb-demo/index.html

Documentation

• https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
• https://www.chromium.org/Home/chromium-security/corb-for-developers
• https://github.com/whatwg/fetch/issues/681

Specification

Working draft or equivalent

Status in Chromium

Blink components: Blink>SecurityFeature

Enabled by default (tracking bug) in:

• Chrome for desktop release 67
• Chrome for Android release 68
• Android WebView release 68
• Opera release 54
• Opera for Android release 54

Consensus & Standardization

• Firefox: Public support
• Edge: No public signals
• Safari: Public support
• Web Developers: No signals

Owners

• creis@chromium.org
• nick@chromium.org
• lukasza@chromium.org

Last updated on 2018-06-01