Protect `application/x-protobuffer` via Cross-Origin-Read-Blocking

Feature: Protect `application/x-protobuffer` via Cross-Origin-Read-Blocking

Protect `application/x-protobuffer` from speculative execution attacks by adding it to the list of never sniffed MIME types used by Cross-Origin-Read-Blocking. `application/x-protobuf` is already protected as a never sniffed mime type. `application/x-protobuffer` is another commonly used MIME type that is defined as an "ALT_CONTENT_TYPE" by the protobuf library. See the original Intent to Implement and Ship notice for CORB here: https://groups.google.com/a/chromium.org/g/blink-dev/c/hnA

Motivation

Protecting this alternate protobuf MIME type via CORB will ensure that it cannot be attacked via speculative execution attacks.

Specification

Editor's draft

Status in Chromium

Blink components: Blink>SecurityFeature

Enabled by default in:

Chrome for desktop release 90
Chrome for Android release 90

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Edge: No signal
Safari: No signal
Web Developers: No signals

Owner

ddworken@google.com

Last updated on 2021-04-15