Protect `application/x-protobuffer` from speculative execution attacks by adding it to the list of never-sniffed MIME types used by Cross-Origin Read Blocking (CORB). `application/x-protobuf` is already protected as a never-sniffed MIME type. `application/x-protobuffer` is another commonly used MIME type, defined as an "ALT_CONTENT_TYPE" by the protobuf library. See the original Intent to Implement and Ship notice for CORB here: https://groups.google.com/a/chromium.org/g/blink-dev/c/hnA

Motivation

Protecting this alternate protobuf MIME type via CORB will ensure that it is not exposed to speculative execution attacks.
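
An added example, not Chromium's code: a simplified JavaScript model of the never-sniffed check described above, showing that the match is made on the MIME essence, so case and parameters do not matter. It assumes CORB is evaluated for cross-origin `no-cors` requests, lists only the two protobuf types named above, and uses constructed hosts, paths and function names.

```javascript
// Simplified model of the CORB never-sniffed step; not Chromium's code.
// Only the two protobuf types named on this page are listed here.
const NEVER_SNIFFED = new Set([
  "application/x-protobuf",
  "application/x-protobuffer",
]);

// Reduce a Content-Type header to its MIME essence: drop parameters,
// trim whitespace, lowercase. A missing header yields "".
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Decide how this model treats one response.
//   "not-applicable"         same-origin, or not a no-cors request
//   "block-without-sniffing" cross-origin no-cors + never-sniffed type
//   "other-rules-apply"      any type this model does not cover
function corbNeverSniffedStep({ initiator, url, mode, contentType }) {
  const crossOrigin = new URL(initiator).origin !== new URL(url).origin;
  if (mode !== "no-cors" || !crossOrigin) return "not-applicable";
  return NEVER_SNIFFED.has(mimeEssence(contentType))
    ? "block-without-sniffing"
    : "other-rules-apply";
}

// Constructed sample responses (hypothetical hosts and paths).
const SAMPLES = [
  { url: "https://api.example/v1/a", contentType: "application/x-protobuf" },
  { url: "https://api.example/v1/b", contentType: "Application/X-Protobuffer; charset=utf-8" },
  { url: "https://api.example/v1/c", contentType: "application/octet-stream" },
  { url: "https://api.example/v1/d", contentType: undefined },
  { url: "https://app.example/v1/e", contentType: "application/x-protobuffer" },
];

// Audit: which sample URLs does the never-sniffed step block when a page
// on `initiator` requests them in no-cors mode?
function blockedUrls(initiator, samples = SAMPLES) {
  return samples
    .filter((s) => corbNeverSniffedStep({ initiator, mode: "no-cors", ...s })
      === "block-without-sniffing")
    .map((s) => s.url);
}

console.log(blockedUrls("https://app.example"));
```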

Specification

Editor's draft

Status in Chromium

Blink>SecurityFeature


Enabled by default in:

  • Chrome for desktop release 90
  • Chrome for Android release 90

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Positive
  • No signal
  • No signal
  • No signals

Owner

Last updated on 2021-04-15