Bug 185331

Summary: Cross-Origin Read Blocking (CORB)
Product: WebKit
Reporter: Łukasz Anforowicz <lukasza>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: bfulgham, dbates, eljawara79, rbuis, webkit-bug-importer, wilander
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: All
OS: All

Łukasz Anforowicz
Reported 2018-05-04 15:51:25 PDT
Cross-origin read blocking, better known as CORB, is an algorithm by which dubious cross-origin resource fetches are identified and blocked before they reach a web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.

More info:
- Explainer: https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
- WhatWG issue: https://github.com/whatwg/fetch/issues/681
- PR for Fetch spec changes: https://github.com/whatwg/fetch/pull/686
- Initial public support that CORB is a good idea: https://github.com/whatwg/fetch/issues/687
Attachments
Patch (61.43 KB, patch)
2019-12-15 07:56 PST, Rob Buis
no flags
Patch (62.15 KB, patch)
2019-12-16 01:49 PST, Rob Buis
no flags
Patch (60.92 KB, patch)
2020-02-25 23:54 PST, Rob Buis
no flags
Patch (66.25 KB, patch)
2020-02-26 03:04 PST, Rob Buis
no flags
Radar WebKit Bug Importer
Comment 1 2018-05-04 15:51:37 PDT
Brent Fulgham
Comment 2 2018-05-08 17:26:50 PDT
This is actually: <rdar://problem/38878150>
Daniel Bates
Comment 3 2018-09-16 15:00:04 PDT
This is not a security-sensitive bug.
Rob Buis
Comment 4 2019-12-15 07:56:16 PST
Rob Buis
Comment 5 2019-12-16 01:49:09 PST
Rob Buis
Comment 6 2020-02-25 23:54:55 PST
Rob Buis
Comment 7 2020-02-26 03:04:35 PST
muzayin al ubad
Comment 8 2020-10-22 23:46:38 PDT
I will try to do it.