Protect `application/x-protobuffer` from speculative execution attacks by adding it to the list of never sniffed MIME types used by Cross-Origin-Read-Blocking. `application/x-protobuf` is already protected as a never sniffed mime type. `application/x-protobuffer` is another commonly used MIME type that is defined as an "ALT_CONTENT_TYPE" by the protobuf library. See the original Intent to Implement and Ship notice for CORB here: https://groups.google.com/a/chromium.org/g/blink-dev/c/hnA
Motivation
Protecting this alternate protobuf MIME type via CORB will ensure that it cannot be attacked via speculative execution attacks.
Specification
Status in Chromium
Enabled by default in:
- Chrome for desktop release 90
- Chrome for Android release 90
Consensus & Standardization
After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.
- Positive
- No signal
- No signal
- No signals
Owner
Last updated on 2021-02-24