On 2022-03-24 08:04, Anne van Kesteren wrote:
On Wed, Mar 23, 2022 at 6:19 PM Patrick Griffis via webkit-dev <webkit-dev@lists.webkit.org> wrote:
I'd like a position on CORB and intend to implement it in the future. This is already part of the Fetch Standard[0] and should be relatively straightforward.
It effectively blocks cross-origin requests for resources that don't make sense in their context. For example, an `img` element should never get a response that contains HTML, and in that case it will not return the HTML data. This can prevent unintentional data leaks.
This has been implemented by Chromium for years now and I don't believe it will be invasive.
I'd recommend against this, for these reasons:
1. Both Chromium and Gecko are working on https://github.com/annevk/orb as initially discussed at https://github.com/whatwg/fetch/issues/721. When done this would replace CORB.
2. CORB as specified in Fetch is a subset of what Chromium implements. Various aspects, such as sniffing, are not specified.
3. What Chromium implements has also changed over time and Fetch hasn't been updated.
Thanks for the input. My intention was to implement the sniffing that Chromium does which, while not part of the spec, is somewhat documented[0]. I believe directly going to ORB and skipping CORB is not a bad idea and something I could work on if that is the preferred spec. [0] https://chromium.googlesource.com/chromium/src/+/HEAD/services/network/cross...
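To make concrete what the thread is discussing, here is an added example (not WebKit, Chromium or Fetch-spec code) of the CORB check as the Fetch Standard specifies it: the spec subset only, with none of Chromium's content sniffing, which is exactly the gap Anne points out. It assumes the check is gated on `no-cors` requests, that `request` carries `mode`, `initiator` and `url`, and that `response` carries `status` and a lowercase-keyed `headers` object; all header values are constructed samples.

```javascript
// Added example: the "CORB check" as written in the Fetch Standard, without
// the sniffing Chromium layers on top. Not browser code; inputs are constructed.

const HTTP_SCHEMES = new Set(["http:", "https:"]);

// MIME essence (type/subtype, lowercased) of a Content-Type value, or null
// when absent or unparsable. Simplified: a single header value is assumed.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s/;]+\/[^\s/;]+$/.test(essence) ? essence : null;
}

// CORB-protected MIME types: HTML, XML (except SVG images) and JSON.
function isCorbProtected(essence) {
  if (essence === "text/html") return true;
  if (essence === "image/svg+xml") return false;
  if (essence === "text/xml" || essence === "application/xml" || essence.endsWith("+xml")) return true;
  if (essence === "text/json" || essence === "application/json" || essence.endsWith("+json")) return true;
  return false;
}

// "determine nosniff": X-Content-Type-Options whose first value is nosniff.
function hasNosniff(headers) {
  const v = headers["x-content-type-options"];
  return typeof v === "string" && v.split(",")[0].trim().toLowerCase() === "nosniff";
}

// Returns "allowed" or "blocked" for a response to a cross-origin request.
function corbCheck(request, response) {
  // Assumption: CORB only applies to no-cors (img, script, style...) requests.
  if (request.mode !== "no-cors") return "allowed";
  if (request.initiator === "download") return "allowed";
  if (!HTTP_SCHEMES.has(new URL(request.url).protocol)) return "allowed";
  const essence = mimeEssence(response.headers["content-type"]);
  if (essence === null || !isCorbProtected(essence)) return "allowed";
  // Without sniffing, the spec blocks only when the server is explicit about
  // the body: a partial (206) response or one marked nosniff. A plain
  // text/html response with neither is let through by this subset.
  if (response.status === 206 || hasNosniff(response.headers)) return "blocked";
  return "allowed";
}
```

The last two branches show why the spec subset alone is weaker than Chromium: an HTML document served without `nosniff` and with status 200 is not blocked here.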