Bug 185331 - Cross-Origin Read Blocking (CORB)
Summary: Cross-Origin Read Blocking (CORB)
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Rob Buis
Keywords: InRadar
Reported: 2018-05-04 15:51 PDT by Łukasz Anforowicz
Modified: 2020-10-22 23:46 PDT

Attachments
Patch (61.43 KB, patch)
2019-12-15 07:56 PST, Rob Buis
Patch (62.15 KB, patch)
2019-12-16 01:49 PST, Rob Buis
Patch (60.92 KB, patch)
2020-02-25 23:54 PST, Rob Buis
Patch (66.25 KB, patch)
2020-02-26 03:04 PST, Rob Buis

Description Łukasz Anforowicz 2018-05-04 15:51:25 PDT
Cross-origin read blocking, better known as CORB, is an algorithm by which dubious cross-origin resource fetches are identified and blocked before they reach a web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages.  In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.

More info:
- Explainer: https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
- WhatWG issue: https://github.com/whatwg/fetch/issues/681
- PR for Fetch spec changes: https://github.com/whatwg/fetch/pull/686
- Initial public support that CORB is a good idea: https://github.com/whatwg/fetch/issues/687
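A simplified sketch of the kind of decision CORB makes, following the rules described in the linked explainer and Fetch discussion. This is an added example, not part of the bug report and not WebKit's or Chromium's code; `corbDecision`, `protectedKind`, `SNIFFERS`, the response fields and the sample origins are assumptions made for illustration.

```javascript
// Added illustration: simplified CORB-style decision, not WebKit or Chromium code.
// Sniffers are deliberately crude; real implementations inspect more patterns.
const SNIFFERS = {
  html: (b) => /^\s*<(!doctype html|html|head|body|script|iframe)\b/i.test(b),
  xml: (b) => /^\s*<\?xml\b/i.test(b),
  json: (b) => /^\s*\{\s*"(?:[^"\\]|\\.)*"\s*:/.test(b),
};

function protectedKind(contentType) {
  const mime = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (mime === 'text/html') return 'html';
  if (mime === 'image/svg+xml') return null; // SVG is a legitimate cross-origin image
  if (mime === 'text/xml' || mime === 'application/xml' || mime.endsWith('+xml')) return 'xml';
  if (mime === 'application/json' || mime === 'text/json' || mime.endsWith('+json')) return 'json';
  if (mime === 'text/plain') return 'plain';
  return null;
}

// r: { initiatorOrigin, responseOrigin, corsAllowed, status, headers, bodyPrefix }
function corbDecision(r) {
  if (r.initiatorOrigin === r.responseOrigin) return 'allow'; // same-origin read
  if (r.corsAllowed) return 'allow'; // server opted in through CORS
  const kind = protectedKind(r.headers['content-type']);
  if (kind === null) return 'allow'; // scripts, images, media, CSS are untouched
  if (r.status === 206) return 'block'; // a partial body cannot be sniffed reliably
  const nosniff = (r.headers['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  if (nosniff) return 'block'; // trust the declared type, no sniffing needed
  // Without nosniff, block only if the body really looks like the protected type,
  // so mislabelled scripts keep working. text/plain is checked against all three.
  const candidates = kind === 'plain' ? Object.values(SNIFFERS) : [SNIFFERS[kind]];
  return candidates.some((sniff) => sniff(r.bodyPrefix || '')) ? 'block' : 'allow';
}

// Constructed sample responses (hypothetical origins and bodies).
const BASE = { initiatorOrigin: 'https://app.example', responseOrigin: 'https://bank.example',
  corsAllowed: false, status: 200 };
const SAMPLES = {
  jsonNosniff: { ...BASE, bodyPrefix: '{"balance": 10}',
    headers: { 'content-type': 'application/json; charset=utf-8', 'x-content-type-options': 'nosniff' } },
  scriptMislabelledHtml: { ...BASE, bodyPrefix: 'var x = 1;', headers: { 'content-type': 'text/html' } },
  realHtml: { ...BASE, bodyPrefix: '<!DOCTYPE html><html>', headers: { 'content-type': 'text/html' } },
  jsonWithCors: { ...BASE, corsAllowed: true, bodyPrefix: '{"a": 1}',
    headers: { 'content-type': 'application/json' } },
  plainHidingJson: { ...BASE, bodyPrefix: '{"token":"abc"}', headers: { 'content-type': 'text/plain' } },
  xmlRange: { ...BASE, status: 206, bodyPrefix: 'ta></da', headers: { 'content-type': 'application/xml' } },
};
for (const [name, r] of Object.entries(SAMPLES)) console.log(name, corbDecision(r));
```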
Comment 1 Radar WebKit Bug Importer 2018-05-04 15:51:37 PDT
<rdar://problem/39992149>
Comment 2 Brent Fulgham 2018-05-08 17:26:50 PDT
This is actually:

<rdar://problem/38878150>
Comment 3 Daniel Bates 2018-09-16 15:00:04 PDT
This is not a security-sensitive bug.
Comment 4 Rob Buis 2019-12-15 07:56:16 PST
Created attachment 385720
Patch
Comment 5 Rob Buis 2019-12-16 01:49:09 PST
Created attachment 385742
Patch
Comment 6 Rob Buis 2020-02-25 23:54:55 PST
Created attachment 391725
Patch
Comment 7 Rob Buis 2020-02-26 03:04:35 PST
Created attachment 391730
Patch
Comment 8 muzayin al ubad 2020-10-22 23:46:38 PDT
I will try to it