[webkit-dev] Request for Position: Cross-Origin-Resource-Blocking (CORB)

Patrick Griffis pgriffis at igalia.com
Tue Mar 29 08:46:35 PDT 2022


On 2022-03-24 08:04, Anne van Kesteren wrote:
> On Wed, Mar 23, 2022 at 6:19 PM Patrick Griffis via webkit-dev
> <webkit-dev at lists.webkit.org> wrote:
>> I'd like a position on CORB and intend to implement it in the future.
>> This is already part of the Fetch Standard[0] and should be relatively
>> straightforward.
>>
>> It effectively blocks cross-origin requests for resources that don't
>> make sense in their context. For example an `img` element should never
>> get a response that contains HTML and in that case will not return the
>> HTML data. This can prevent unintentional data leaks.
>>
>> This has been implemented by Chromium for years now and I don't believe
>> it will be invasive.
>>
>> [0] https://fetch.spec.whatwg.org/#corb
> 
> I'd recommend against this, for these reasons:
> 
> 1. Both Chromium and Gecko are working on
> https://github.com/annevk/orb as initially discussed at
> https://github.com/whatwg/fetch/issues/721. When done this would
> replace CORB.
> 2. CORB as specified in Fetch is a subset of what Chromium implements.
> Various aspects, such as sniffing, are not specified.
> 3. What Chromium implements has also changed over time and Fetch
> hasn't been updated.

Thanks for the input. My intention was to implement the sniffing that
Chromium does which, while not part of the spec, is somewhat
documented[0].

I believe directly going to ORB and skipping CORB is not a bad idea and
something I could work on if that is the preferred spec.

[0] https://chromium.googlesource.com/chromium/src/+/HEAD/services/network/cross_origin_read_blocking_explainer.md
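To make the blocking decision the thread describes concrete, here is an added example (not WebKit, Chromium or Fetch Standard code) modelling the CORB check from the Fetch Standard's CORB section: a cross-origin `no-cors` response whose declared MIME type is HTML, XML (other than `image/svg+xml`) or JSON is blocked when it is a 206 partial response or carries `X-Content-Type-Options: nosniff` (`text/plain` is also blocked under nosniff). Plain objects stand in for Fetch's request and response records, and the gating to cross-origin `no-cors` requests and the omission of content sniffing are assumptions that follow the discussion above, not the spec text verbatim.

```javascript
// Added example: simplified model of the Fetch Standard's CORB check.
// Assumption: `request` = {mode, origin, url, initiator},
// `response` = {status, headers: {<lowercase-name>: value}}.

const JSON_MIME_RE = /^(application\/json|text\/json|.+\+json)$/;
const XML_MIME_RE = /^(text\/xml|application\/xml|.+\+xml)$/;

// MIME type "essence": lowercase type/subtype with parameters stripped.
// Returns null when no valid MIME type can be extracted (spec: "failure").
function essence(contentType) {
  if (!contentType) return null;
  const m = contentType.trim().split(";")[0].trim().toLowerCase();
  return /^[^\/\s]+\/[^\/\s]+$/.test(m) ? m : null;
}

// CORB-protected MIME types: HTML, XML (except image/svg+xml) and JSON.
function isCorbProtected(ess) {
  if (ess === "text/html") return true;
  if (XML_MIME_RE.test(ess) && ess !== "image/svg+xml") return true;
  return JSON_MIME_RE.test(ess);
}

// Returns "allowed" or "blocked" for a given request/response pair.
function corbCheck(request, response) {
  if (request.initiator === "download") return "allowed";
  const url = new URL(request.url);
  if (url.protocol !== "http:" && url.protocol !== "https:") return "allowed";
  // Assumption: only cross-origin no-cors (opaque) responses are subject to
  // CORB; same-origin and CORS-approved responses are readable anyway.
  if (request.mode !== "no-cors" || url.origin === request.origin) {
    return "allowed";
  }
  const ess = essence(response.headers["content-type"]);
  if (ess === null) return "allowed";
  const nosniff = (response.headers["x-content-type-options"] || "")
    .split(",")[0].trim().toLowerCase() === "nosniff";
  // A 206 partial response to a protected type can never be a legitimate
  // image/script/stylesheet fetch, so it is blocked outright.
  if (response.status === 206 && isCorbProtected(ess)) return "blocked";
  if (nosniff && (isCorbProtected(ess) || ess === "text/plain")) {
    return "blocked";
  }
  // Without nosniff the spec leaves content sniffing unspecified (point 2
  // in the thread); this model simply allows such responses.
  return "allowed";
}
```

Chromium's implementation goes further by sniffing the body to confirm a declared HTML/XML/JSON type even without nosniff, which is the part the thread notes is documented only in the explainer.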


More information about the webkit-dev mailing list