[webkit-dev] Request for Position: Cross-Origin-Resource-Blocking (CORB)

Anne van Kesteren annevk at annevk.nl
Thu Mar 24 06:04:05 PDT 2022


On Wed, Mar 23, 2022 at 6:19 PM Patrick Griffis via webkit-dev
<webkit-dev at lists.webkit.org> wrote:
> I'd like a position on CORB and intend to implement it in the future.
> This is already part of the Fetch Standard[0] and should be relatively
> straightforward.
>
> It effectively blocks cross-origin requests for resources that don't
> make sense in their context. For example an `img` element should never
> get a response that contains HTML and in that case will not return the
> HTML data. This can prevent unintentional data leaks.
>
> This has been implemented by Chromium for years now and I don't believe it will
> be invasive.
>
> [0] https://fetch.spec.whatwg.org/#corb

I'd recommend against this, for these reasons:

1. Both Chromium and Gecko are working on
https://github.com/annevk/orb as initially discussed at
https://github.com/whatwg/fetch/issues/721. When done this would
replace CORB.
2. CORB as specified in Fetch is a subset of what Chromium implements.
Various aspects, such as sniffing, are not specified.
3. What Chromium implements has also changed over time and Fetch
hasn't been updated.
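The decision Patrick describes (an `img` load must not be handed an HTML body) and the gap Anne points out (the Fetch text covers only declared Content-Type plus `nosniff`/206, not Chromium's body sniffing) can be seen in one small decision function. The block below is an added illustration written for this thread; it is not WebKit, Chromium or Fetch Standard code, and the function names (`corbCheck`, `isCorbProtectedMimeType`, `mimeEssence`), the plain-object request/response shapes and the rule that only cross-origin `no-cors` loads are examined are simplifications chosen here, not the specification's exact steps.

```javascript
// Added illustration of a simplified CORB decision for a cross-origin
// response. Not the Fetch Standard's algorithm and not WebKit/Chromium code;
// the rules below are a deliberately reduced model chosen for this example.

// Response kinds that a no-cors subresource load (img, script, style, ...)
// has no legitimate need to receive: HTML, XML and JSON. image/svg+xml is
// syntactically XML but is a valid <img> payload, so it is left alone.
function isCorbProtectedMimeType(essence) {
  if (essence === "image/svg+xml") return false;
  if (essence === "text/html") return true;
  if (essence === "text/xml" || essence === "application/xml" ||
      essence.endsWith("+xml")) return true;
  if (essence === "text/json" || essence === "application/json" ||
      essence.endsWith("+json")) return true;
  return false;
}

// Reduce a Content-Type header value to its lowercase type/subtype essence,
// dropping parameters such as "; charset=utf-8". Returns null if unusable.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^/\s]+\/[^/\s]+$/.test(essence) ? essence : null;
}

// Return "allowed" or "blocked" for a response about to be delivered to a
// cross-origin no-cors consumer. `request` is {initiator, url, mode} and
// `response` is {status, headers}; both are plain constructed objects here,
// not Fetch API Request/Response instances.
function corbCheck(request, response) {
  // Downloads and non-HTTP(S) schemes are never subject to the check.
  if (request.initiator === "download") return "allowed";
  if (!/^https?:$/.test(new URL(request.url).protocol)) return "allowed";
  // Simplification for this example: only no-cors loads are examined. A
  // cors-mode load that passed the CORS check is readable anyway, and a
  // same-origin-mode load to another origin fails before reaching here.
  if (request.mode !== "no-cors") return "allowed";

  const essence = mimeEssence(response.headers["content-type"]);
  if (essence === null) return "allowed";          // nothing to classify
  if (!isCorbProtectedMimeType(essence)) return "allowed";

  const xcto = response.headers["x-content-type-options"] || "";
  const nosniff = xcto.trim().toLowerCase() === "nosniff";
  // A protected type that the server has committed to (nosniff) or that
  // arrives as a partial-content response is blocked outright.
  if (response.status === 206 || nosniff) return "blocked";
  // Without nosniff the declared type alone is not trusted; Chromium would
  // sniff the body at this point, which this model intentionally omits.
  return "allowed";
}

// Sample usage with a constructed cross-origin image load that receives HTML.
const sampleRequest = { initiator: "", url: "https://other.example/avatar", mode: "no-cors" };
const sampleResponse = {
  status: 200,
  headers: { "content-type": "text/html; charset=utf-8",
             "x-content-type-options": "nosniff" },
};
console.log(corbCheck(sampleRequest, sampleResponse)); // "blocked"
```

The last branch is the part Anne's second point is about: for a protected type served without `nosniff`, the declared header alone does not settle the question, and the specified text stops where Chromium's sniffing begins.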