[webkit-dev] Request for Position: Cross-Origin-Resource-Blocking (CORB)

Patrick Griffis pgriffis at igalia.com
Wed Mar 23 10:18:27 PDT 2022


Hi everybody,

I'd like a position on CORB and intend to implement it in the future.
This is already part of the Fetch Standard[0] and should be relatively
straightforward.

It effectively blocks cross-origin requests for resources that don't
make sense in their context. For example, an `img` element should never
get a response that contains HTML and in that case will not return the
HTML data. This can prevent unintentional data leaks.

This has been implemented by Chromium for years now and I don't believe
it will be invasive.

[0] https://fetch.spec.whatwg.org/#corb
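
Added example (not part of the original message, and not WebKit or Chromium code): a simplified JavaScript model of a CORB-style decision for a response to a cross-origin no-cors request such as an `img` load. The rule set, function names and response shape are assumptions of this example, modeled on the CORB check in the Fetch Standard section linked above.

```javascript
// Simplified CORB-style check. Assumes the request is a cross-origin,
// no-cors, http(s) fetch (for example an <img> load); all names are illustrative.

// Essence of a Content-Type value: lowercased type/subtype, parameters dropped.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// HTML, JSON and XML types are treated as protected. image/svg+xml is
// excluded because it is a legitimate image format.
function isProtectedMime(essence) {
  if (essence === "image/svg+xml") return false;
  if (essence === "text/html") return true;
  if (essence === "application/json" || essence === "text/json") return true;
  if (essence.endsWith("+json") || essence.endsWith("+xml")) return true;
  return essence === "text/xml" || essence === "application/xml";
}

// response: { status, headers } with lowercased header names (constructed shape).
function corbCheck(response) {
  const essence = mimeEssence(response.headers["content-type"]);
  if (essence === null) return "allowed"; // no usable MIME type to judge by
  const isProtected = isProtectedMime(essence);
  // A partial (range) response of a protected type is blocked outright.
  if (response.status === 206 && isProtected) return "blocked";
  const nosniff = (response.headers["x-content-type-options"] || "")
    .split(",")[0].trim().toLowerCase() === "nosniff";
  // With nosniff the declared type is authoritative, so it alone decides.
  if (nosniff && (isProtected || essence === "text/plain")) return "blocked";
  return "allowed";
}

// Constructed sample responses, as if fetched by <img src="https://other.example/...">.
const samples = [
  { name: "HTML + nosniff", status: 200,
    headers: { "content-type": "text/html; charset=utf-8", "x-content-type-options": "nosniff" } },
  { name: "JSON range response", status: 206,
    headers: { "content-type": "application/json" } },
  { name: "SVG + nosniff", status: 200,
    headers: { "content-type": "image/svg+xml", "x-content-type-options": "nosniff" } },
  { name: "HTML without nosniff", status: 200,
    headers: { "content-type": "text/html" } },
];
for (const s of samples) console.log(s.name, "->", corbCheck(s));
```

In this model a protected type served without `X-Content-Type-Options: nosniff` falls through to "allowed", so servers that want the block to be deterministic should send an accurate `Content-Type` together with `nosniff`.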

