Cross-origin read blocking, better known as CORB, is an algorithm by which dubious cross-origin resource fetches are identified and blocked before they reach a web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
- Explainer: https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
- WhatWG issue: https://github.com/whatwg/fetch/issues/681
- PR for Fetch spec changes: https://github.com/whatwg/fetch/pull/686
- Initial public support that CORB is a good idea: https://github.com/whatwg/fetch/issues/687
This is actually:
This is not a security-sensitive bug.
Created attachment 385720 [details]
Created attachment 385742 [details]
Created attachment 391725 [details]
Created attachment 391730 [details]